asyncrat | a25384a50bece6cefbc853d787d65ab8688bca6d30da116fe16e6b1a3f6095eb | Triage

Submit
Reports

Overview

overview

Static

static

PO_45_13.scr

windows7_x64

PO_45_13.scr

windows10-2004_x64

Sharing

General

Target

a25384a50bece6cefbc853d787d65ab8688bca6d30da116fe16e6b1a3f6095eb
Size

1.2MB
Sample

220521-phd1rsfcg4
MD5

8912bc744f7dcea9e2defff02a15ca24
SHA1

a26dae9e5b5e71ccb5321e28b07ae63bc2ee62ab
SHA256

a25384a50bece6cefbc853d787d65ab8688bca6d30da116fe16e6b1a3f6095eb
SHA512

eb510bf65b60c3326834cb370e9a2a1de5e7847069a0f8043af63ffa62230d3d08870969c3a7512cc834a0cf9e93ffc8db5cd6606551cb0e3f47df49c63a723b

Score

10^/10

asyncrat default agilenet persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

PO_45_13.scr

Resource

win7-20220414-en

asyncrat default agilenet persistence rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO_45_13.scr

Resource

win10v2004-20220414-en

asyncrat default persistence rat

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

206.123.129.103:5456

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
windows.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  PO_45_13.SCR
- Size
  
  479KB
- MD5
  
  50c3085963b5fdc5a9c00d10d1b4f960
- SHA1
  
  6529e11136560ad369d1b443a6e60f4e1f85c71e
- SHA256
  
  2c8c5c5e5990da4a2af218cfece6afda3f4830be6605b9767adbfbde2e5cd276
- SHA512
  
  36318d8dd2f4cd844fd8e1c47356d98c2af9df85646009b8d1cce97de834740f703a1770ed8770261c42cfe52eda5f52a43a7379f577754c1ea2ec723afbe837
Score

10^/10

asyncrat default agilenet persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Async RAT payload
  rat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

asyncratdefaultagilenetpersistencerat

behavioral2

asyncratdefaultpersistencerat

© 2018-2024

Terms | Privacy