asyncrat | 58f504cc1df08a7184980c8b795e0fb96994d9c396e6e5f957f627ab044b4c16 | Triage

Submit
Reports

Overview

overview

Static

static

9

swift message.exe

windows7_x64

swift message.exe

windows10-2004_x64

Sharing

General

Target

58f504cc1df08a7184980c8b795e0fb96994d9c396e6e5f957f627ab044b4c16
Size

169KB
Sample

220521-dfzc5safhr
MD5

433efe7d94d05c6b154e192924717de0
SHA1

d01cb136a270f5309a9e339acdcebcb26ceea74b
SHA256

58f504cc1df08a7184980c8b795e0fb96994d9c396e6e5f957f627ab044b4c16
SHA512

ad2f7dff82ca8981d3dccd8c29531774a57ed3803833a54191d083da4fcead793c7ec71df46e6d2ca0373a230dfb96ee45a4269994ac81084f471080bf988d7c

Score

10^/10

asyncrat forwork coreentity evasion rat rezer0

Static task

static1

Behavioral task

behavioral1

Sample

swift message.exe

Resource

win7-20220414-en

asyncrat forwork coreentity evasion rat rezer0

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

swift message.exe

Resource

win10v2004-20220414-en

asyncrat forwork evasion rat

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Forwork

C2

sack517.ddns.net:6565

sack517.duckdns.org:6565

Mutex

AsyncMutex_dgh6775Pxz

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  swift message.exe
- Size
  
  324KB
- MD5
  
  93859a46557699b2689840de0df68318
- SHA1
  
  2f8c20dfc3fa635c5a4c88b4edee85c18b08a94d
- SHA256
  
  d2795ed096e7331d84947a9ba6a1c3fae5203b50f5a3563bda0382ab84e1c8bb
- SHA512
  
  bf1b3bcc1564e1c22095926f8eb9848ad740685d4744af56e1fe0487f52a20ff64a9732ff1933cafddf86959db56f34034b6e1d0bc85088b3a259be64ed79ec5
Score

10^/10

asyncrat forwork coreentity evasion rat rezer0
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Async RAT payload
  rat
- CoreCCC Packer
  Detects CoreCCC packer used to load .NET malware.
- Looks for VirtualBox Guest Additions in registry
  evasion
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

asyncratforworkcoreentityevasionratrezer0

behavioral2

asyncratforworkevasionrat

© 2018-2024

Terms | Privacy