asyncrat | e99d298b9699a377758ff12e42670465444329a49b47d51a533365a8f12b91f1 | Triage

Submit
Reports

Overview

overview

Static

static

order-82148214124.vbs

windows7-x64

order-82148214124.vbs

windows10-1703-x64

Sharing

General

Target

order-82148214124.VBS
Size

377B
Sample

220719-tvng7agbdn
MD5

0f2b047310e67d7cd019fcecab748e60
SHA1

a645f62df84cfb673cabedcde468886fc8f4e04a
SHA256

e99d298b9699a377758ff12e42670465444329a49b47d51a533365a8f12b91f1
SHA512

f54c7ae16c19ec7785972daef9e5607ba0c140677315a07bc21666e2da5b1562ff1d93ca62275ca44a5745d2e763cf819950ee965d033b1e1e2517ae32270b81

Score

10^/10

asyncrat now persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

order-82148214124.vbs

Resource

win7-20220715-en

windows7-x64

3 signatures

600 seconds

Behavioral task

behavioral2

Sample

order-82148214124.vbs

Resource

win10-20220715-en

asyncrat now persistence rat

windows10-1703-x64

12 signatures

600 seconds

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://royaltpita.com/wp-admin/maint/enc.txt

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Now

C2

moaaaza.com:9090

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  order-82148214124.VBS
- Size
  
  377B
- MD5
  
  0f2b047310e67d7cd019fcecab748e60
- SHA1
  
  a645f62df84cfb673cabedcde468886fc8f4e04a
- SHA256
  
  e99d298b9699a377758ff12e42670465444329a49b47d51a533365a8f12b91f1
- SHA512
  
  f54c7ae16c19ec7785972daef9e5607ba0c140677315a07bc21666e2da5b1562ff1d93ca62275ca44a5745d2e763cf819950ee965d033b1e1e2517ae32270b81
Score

10^/10

asyncrat now persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Async RAT payload
  rat
- Blocklisted process makes network request
- Registers COM server for autorun
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

asyncratnowpersistencerat

© 2018-2024

Terms | Privacy