asyncrat | 442a2a8f6b9284cdec1fb7ff52faed051cba8337295e550389bbdd7bbc6c8c41 | Triage

Submit
Reports

Overview

overview

Static

static

usps54732563.vbs

windows7-x64

usps54732563.vbs

windows10-1703-x64

Sharing

General

Target

usps54732563.vbs
Size

523B
Sample

220729-wx6snabhd8
MD5

f83e436ca7acf3f80ca706e118288f2b
SHA1

2c760d46c138593186e359bef37a322dd3b73ece
SHA256

442a2a8f6b9284cdec1fb7ff52faed051cba8337295e550389bbdd7bbc6c8c41
SHA512

24a1ee24b6fb9387b70fa39ff22204a92dc25c1fbcd51f08fe50c776557ae5bd118bda68cc63e67a236aa3d98cb3add98d3189c4199bd227037e4ea8fdeb7f5a

Score

10^/10

asyncrat 29/7 persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

usps54732563.vbs

Resource

win7-20220718-en

windows7-x64

7 signatures

300 seconds

Behavioral task

behavioral2

Sample

usps54732563.vbs

Resource

win10-20220414-en

asyncrat 29/7 persistence rat

windows10-1703-x64

21 signatures

300 seconds

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://clever-ishizaka.45-86-146-20.plesk.page/enc.txt

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

29/7

C2

vvat22.con-ip.com:7707

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  usps54732563.vbs
- Size
  
  523B
- MD5
  
  f83e436ca7acf3f80ca706e118288f2b
- SHA1
  
  2c760d46c138593186e359bef37a322dd3b73ece
- SHA256
  
  442a2a8f6b9284cdec1fb7ff52faed051cba8337295e550389bbdd7bbc6c8c41
- SHA512
  
  24a1ee24b6fb9387b70fa39ff22204a92dc25c1fbcd51f08fe50c776557ae5bd118bda68cc63e67a236aa3d98cb3add98d3189c4199bd227037e4ea8fdeb7f5a
Score

10^/10

asyncrat 29/7 persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Async RAT payload
  rat
- Blocklisted process makes network request
- Modifies Installed Components in the registry
  persistence
- Registers COM server for autorun
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

asyncrat29/7persistencerat

© 2018-2024

Terms | Privacy