asyncrat

General

Target

https://github.com/RcsMonster/Bitecoin-Payment-Get-Api/blob/main/Bitecoin%20Api%20Payment%20Pay/GoUrl/BitecoinPaymentApi%E2%80%AEnls..scr
Sample

221017-smnybacdcl

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

SecurityHealthSeurvice

C2

217.64.31.3:8437

Mutex

SecurityHealthSeurvice

Attributes

delay
3
install
false
install_file
SecurityHealthSeurvice.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

dEFENDER

C2

20.19.164.86:22616

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

C2

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Extracted

Family

oski

C2

zenginler.online/oski/

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

HacKed

C2

http://zenginler.online/blacknet

Mutex

BN[8e74b7adc9cdf87b]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
false
usb_spread
false

Targets

- Target
  
  https://github.com/RcsMonster/Bitecoin-Payment-Get-Api/blob/main/Bitecoin%20Api%20Payment%20Pay/GoUrl/BitecoinPaymentApi%E2%80%AEnls..scr
Score

10^/10

persistence asyncrat blacknet oski redline defender hacked securityhealthseurvice system guard runtime discovery evasion infostealer rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- BlackNET
  BlackNET is an open source remote access tool written in VB.NET.
  trojan blacknet
- BlackNET payload
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Async RAT payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2