Description
AsyncRAT is designed to remotely monitor and control other computers.
2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
General
Target
Size
Sample
2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
6MB
220517-qbgzhscbf5
Score
10 /10
MD5
SHA1
SHA256
SHA512
5f9e61796a21e65f9a03f92ee6a8f6d8
d6032fd04db0fbb6195b6e8d31491a3fc289f1ce
2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba
402ed4a2a376621e2674f1539c9ec6ac85b9118cb2133054ea2d960e98bf06efdd12b50f135841872450d3e07c231d2b6d8cab91315f05771226ec2546596eeb
Malware Config
Extracted
| Language | ps1 |
| Deobfuscated |
|
| URLs |
ps1.dropper
http://supportnimbuzz.hexat.com/3/Att.jpg |
Extracted
| Language | ps1 |
| Deobfuscated |
|
| URLs |
ps1.dropper
https://cdn.discordapp.com/attachments/934436223181787207/937137622730559579/Att.jpg |
Extracted
| Language | ps1 |
| Deobfuscated |
|
| URLs |
ps1.dropper
https://cdn.discordapp.com/attachments/935877066816114718/938236541149515816/Att.jpg |
Extracted
| Family | njrat |
| Version | 0.7NC |
| Botnet | NYAN CAT |
| C2 |
ameen.myftp.biz:7788 |
| Attributes |
reg_key 76420c32f4f
splitter @!#&^%$ |
Extracted
| Family | njrat |
| Version | 0.7.3 |
| Botnet | Lime |
| C2 |
worm.access.ly:7778 |
| Attributes |
reg_key Adobe.exe
splitter 12345 |
Extracted
| Family | asyncrat |
| Version | 0.5.7B |
| Botnet | Default |
| C2 |
newworld.mypsx.net:8877 |
| Attributes |
delay 3
install false
install_file rdpclip.exe
install_folder %AppData% |
| aes.plain |
|
Targets
Target
MD5
Filesize
2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
5f9e61796a21e65f9a03f92ee6a8f6d8
6MB
Score
10/10
SHA1
SHA256
SHA512
d6032fd04db0fbb6195b6e8d31491a3fc289f1ce
2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba
402ed4a2a376621e2674f1539c9ec6ac85b9118cb2133054ea2d960e98bf06efdd12b50f135841872450d3e07c231d2b6d8cab91315f05771226ec2546596eeb
Tags
Signatures
-
AsyncRat
-
njRAT/Bladabindi
Description
Widely used RAT written in .NET.
Tags
-
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
Description
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
Tags
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Description
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Tags
-
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Description
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Tags
-
Async RAT payload
Tags
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Drops startup file
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
Related Tasks
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Tasks