asyncrat

General

Target

dawdwadaw.scr
Size

681KB
Sample

220823-r3etxafdgn
MD5

0cfa5f7c008e3dc2df275a99aef9cbbb
SHA1

51ebdbc8a8227667b20b5cb40f17ff1bb8550098
SHA256

e4f59660bf5047db2ed2539ef9a3e81724909809dc17c4f513debe261e1774e1
SHA512

bac124c7bd934b1bc9ba9fd09ada77fe2c37208637337a349f2ee213f91e81ae401e3ec9910a7cfe7aff991d49be986d448ab6a834cb1b9709ceccb4f64bb37e
SSDEEP

12288:C3c6vReZYEe4Wp0ZtExFUH17EjGh1aoNRtwamePvNVtQe:C3c6vAZYd4jKoiIFRmePvNVtn

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

WindowsSystem GuardRuntime

C2

217.64.31.3:8437

Mutex

WindowsSystem GuardRuntime

Attributes

delay
3
install
false
install_file
WindowsSystem Guard Runtime.exe
install_folder
%AppData%

aes.plain

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

XSFcRG

C2

http://fakirlerclub.xyz/blacknet

Mutex

BN[ac95ac7ad595b3dbd5ad73e4bf7daac9]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
false
usb_spread
false

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

SecurityHealth Service

C2

217.64.31.3:8437

Mutex

SecurityHealth Service

Attributes

delay
3
install
false
install_file
SecurityHealth Service.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Windows DefenderSmartScreen

C2

217.64.31.3:9742

Mutex

Windows DefenderSmartScreen

Attributes

delay
1
install
false
install_file
Windows DefenderSmartScreen
install_folder
%AppData%

aes.plain

Targets

- Target
  
  dawdwadaw.scr
- Size
  
  681KB
- MD5
  
  0cfa5f7c008e3dc2df275a99aef9cbbb
- SHA1
  
  51ebdbc8a8227667b20b5cb40f17ff1bb8550098
- SHA256
  
  e4f59660bf5047db2ed2539ef9a3e81724909809dc17c4f513debe261e1774e1
- SHA512
  
  bac124c7bd934b1bc9ba9fd09ada77fe2c37208637337a349f2ee213f91e81ae401e3ec9910a7cfe7aff991d49be986d448ab6a834cb1b9709ceccb4f64bb37e
- SSDEEP
  
  12288:C3c6vReZYEe4Wp0ZtExFUH17EjGh1aoNRtwamePvNVtQe:C3c6vAZYd4jKoiIFRmePvNVtn
Score

10^/10

asyncrat blacknet securityhealth service windows defendersmartscreen windowssystem guardruntime xsfcrg discovery persistence rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- BlackNET
  BlackNET is an open source remote access tool written in VB.NET.
  trojan blacknet
- BlackNET payload
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies WinLogon for persistence
  persistence
- Async RAT payload
  rat
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1