asyncrat | b7f237af7f3c1bd7901f85cc53fdf576b06b7002726ef37c52c8c97befe283dd | Triage

Submit
Reports

Overview

overview

Static

static

PPDF-110820.exe

windows7_x64

PPDF-110820.exe

windows10-2004_x64

Sharing

General

Target

b7f237af7f3c1bd7901f85cc53fdf576b06b7002726ef37c52c8c97befe283dd
Size

520KB
Sample

220521-cpzvlahchj
MD5

c03eb96768d6abf032c076fcb4d3a63a
SHA1

def4cbb521b879552c23366a850c05306ea3e979
SHA256

b7f237af7f3c1bd7901f85cc53fdf576b06b7002726ef37c52c8c97befe283dd
SHA512

b0e7f80d588854271da40dd22d246379af8cd04c6d458bd1d3447db818e2374d63a0efcb947ff1c86a583544066f83a01cc14a2af2dcba4a43344227abdac270

Score

10^/10

asyncrat newjob1 evasion rat

Static task

static1

Behavioral task

behavioral1

Sample

PPDF-110820.exe

Resource

win7-20220414-en

asyncrat newjob1 evasion rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PPDF-110820.exe

Resource

win10v2004-20220414-en

asyncrat newjob1 evasion rat

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

newjob1

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/eeJq8Ku6

aes.plain

Targets

- Target
  
  PPDF-110820.exe
- Size
  
  459KB
- MD5
  
  e762f388b8bc44a3fa8c080bdb690805
- SHA1
  
  651b43634bc5233b486e67ce13095fbdd8ccbe12
- SHA256
  
  5a5563d6a39f3753b0f18c7abcdb4a9a4fefa7ddef33e3758a51797ad72ed804
- SHA512
  
  15ddcba0202109a8d0854df1957ca17da5c5ed9725253b1b3e1b7f5427b28542c5169e0ee84f4f65e41f5511dce483b82dda6e870f4a11dce98915201728d5ea
Score

10^/10

asyncrat newjob1 evasion rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Async RAT payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

asyncratnewjob1evasionrat

behavioral2

asyncratnewjob1evasionrat

© 2018-2024

Terms | Privacy