asyncrat

General

Target

Dogecoin-Miner2022.rar
Size

2.0MB
Sample

221013-nf3exabgdm
MD5

9317d885cc99802c9619078acea649b7
SHA1

b7cc56c4476dc0461704aa4218da6e5f3a9aae9b
SHA256

5ca12788e41f318c0ce21ad6a83020fe303f9219811451651335e51e8b891b63
SHA512

3c03cab75ce122e17ed9c3ff6a85c9e39246c84217bd7b5fa63c2eaab14ad02d4c57dbbaa0d1209d9d1e6cc1e3c53d3b7948e75d020ba803e30e12b29272f524
SSDEEP

49152:96Q0aGVKS7iCe+k5IDW8b27ipiHaixkf2knLf9Y82GIrU:UP7csRnAWsHfejnLFY82GIrU

Score

10^/10

Malware Config

Extracted

Family

darkcomet

Botnet

New-July-July4-01

C2

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-U4BEN1Z

Attributes

gencode
8sAQdbHcGDto
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

C2

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Extracted

Family

darkcomet

Botnet

New-July-July4-0

C2

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

asyncrat

Version

0.5.6A

C2

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

servtle284

Attributes

delay
5
install
true
install_file
wintskl.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Dogecoin-Miner2022/Dogecoin-Miner2022l.exe
- Size
  
  2.1MB
- MD5
  
  36620d7c222248584634f10481f3be35
- SHA1
  
  2f65c68e266d55fe334f2bb3fcd8f824b090cf5f
- SHA256
  
  ff2bc238f2ce0d5c0b08af957f4098b63f3c402edc3694370950805780647888
- SHA512
  
  8d03f58e08c3c6553551e0d7ad7ef8ddc591c0f174d3c99cfc757e466038a4d1829c3643605ec64fbc7f65385036030a704b9f0835ab8bd58f9f3d92ea75928c
- SSDEEP
  
  49152:MeEP61UdA1RtpDlgwG20lx7xV+59phiYBF1h3tfK2ek0jg:J1UoRtpJg/lx7xY9phBF1ptC2ekM
Score

10^/10

asyncrat darkcomet warzonerat new-july-july4-0 new-july-july4-01 evasion infostealer persistence rat trojan upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Windows security bypass
  evasion trojan
- Async RAT payload
  rat
- Warzone RAT payload
  rat
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2