asyncrat

General

Target

3F947F5A849F11BE9079A5C2418240E2FAF7E53B63662.exe
Size

7.8MB
Sample

220824-xyamaahhhk
MD5

49849ea730c690df970bb542dbd18e95
SHA1

24063f28fa7dee0e0c54236bac0ab6d9a5b1e31f
SHA256

3f947f5a849f11be9079a5c2418240e2faf7e53b63662c85b92fad8f47ea4d09
SHA512

58a27fa9600b41e25c7393b5c043c0a2f0ba19dff5db1e048e06f898a883ec8fc6e362e7847be8373b62d077577bd7285e791232c4336dcfb9fafc35cd179e69
SSDEEP

196608:JWLqEnZMIImZP/6N+ylO9MOchY35XhF35oTGxUh:J4qIZRImpCoyI35XhFpE0Uh

Score

10^/10

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

vidar

Version

49.1

Botnet

915

C2

https://noc.social/@sergeev46

https://c.im/@sergeev47

Attributes

profile_id
915

Extracted

Family

redline

Botnet

v3user1

C2

159.69.246.184:13127

Attributes

auth_value
54df5250af9cbc5099c3e1e6f9e897c0

Extracted

Family

redline

Botnet

media19n

C2

65.108.69.168:13293

Attributes

auth_value
d6d1029ee103315c8e2d6f15b37e84fc

Extracted

Family

asyncrat

Version

ArrowRAT 1.0.2.0

Botnet

ArrowRAT Clients

C2

127.0.0.1:4444

188.212.124.129:4444

pingo3000.hopto.org:4444

Mutex

ArrowRAT_Mutex_ArrowRAT

Attributes

delay
0
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  3F947F5A849F11BE9079A5C2418240E2FAF7E53B63662.exe
- Size
  
  7.8MB
- MD5
  
  49849ea730c690df970bb542dbd18e95
- SHA1
  
  24063f28fa7dee0e0c54236bac0ab6d9a5b1e31f
- SHA256
  
  3f947f5a849f11be9079a5c2418240e2faf7e53b63662c85b92fad8f47ea4d09
- SHA512
  
  58a27fa9600b41e25c7393b5c043c0a2f0ba19dff5db1e048e06f898a883ec8fc6e362e7847be8373b62d077577bd7285e791232c4336dcfb9fafc35cd179e69
- SSDEEP
  
  196608:JWLqEnZMIImZP/6N+ylO9MOchY35XhF35oTGxUh:J4qIZRImpCoyI35XhFpE0Uh
Score

10^/10

onlylogger redline socelars vidar 915 v3user1 aspackv2 infostealer loader spyware stealer asyncrat arrowrat clients media19n rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Async RAT payload
  rat
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- OnlyLogger payload
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2