asyncrat | 575e4be09039061ce25c80c7a2c922955e2b8a2b18aa62924985a81b024a63ad | Triage

Submit
Reports

Overview

overview

Static

static

FACTURE_.lnk

windows7-x64

3

FACTURE_.lnk

windows10-2004-x64

Sharing

General

Target

FACTURE_.zip
Size

578B
Sample

220719-r5ab7sega7
MD5

38fe63b765f5751372cc3ede1ed452be
SHA1

d508be1f87986fc0b104b22253908f67bf915944
SHA256

575e4be09039061ce25c80c7a2c922955e2b8a2b18aa62924985a81b024a63ad
SHA512

5a01250a8fd1695087e3098df42ef3c3a9c2a13b4cd980c4ee221e0b393b4b6c0095d2fe70a10e54a7a9613fc013623e5c9999d402290ff854f937e55dcc2d7a

Score

10^/10

asyncrat neshta default evasion persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

FACTURE_.lnk

Resource

win7-20220718-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

FACTURE_.lnk

Resource

win10v2004-20220414-en

asyncrat neshta default evasion persistence rat spyware stealer trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

secureyourdataarea1.duckdns.org:56390

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  FACTURE_.LNK
- Size
  
  1012B
- MD5
  
  60cddf458ccce0249bc3654f282f7b2e
- SHA1
  
  19a6ab379f925509d7cc36524c716877f4a268a0
- SHA256
  
  b0cf721309f7ea1684e2593a3e3c98f080146274432f39c9e2d2982ba1c9da95
- SHA512
  
  cd86c8e423ad3eaad92e67241896976c5e02ecea5d0c2dafef08e17eb6786fae0682d5bd0e59897b06faf06a3cef4a3883c03331c450574ae753bba6477bda91
Score

10^/10

asyncrat neshta default evasion persistence rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Detect Neshta payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Async RAT payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Change Default File Association

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

asyncratneshtadefaultevasionpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy