asyncrat

General

Target

GORILLA_Last.hta
Size

46KB
Sample

221028-nzdwnafdf4
MD5

750984a5dbe06c1092efbfdcaa2c0e45
SHA1

7a77048b108835f4ecc15cad2ae2fc3bce2d8b10
SHA256

dabdd1dc8f9dd5c796a50f9b09c2831073b318a0421a49af0caa153109e0488a
SHA512

fc6ee1773eaae435e8f6bc639f7c85dfc72bfd694a84a8d78862863a12317f81d9d19c46b87efa85f86f67bf4541fce07b191b2730ee6a7227762c8bd0803825
SSDEEP

768:otwjF6wFIk//xGWU/NaqjN+yUv4CZgS01ZNuIDyHmPHaPbgtlNJzLa2p9bn+ImY9:WwYwFDYWsjg/48euBtP83NQsSpr47pP/

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

2022

C2

clsuplementos.ddns.net:6606

clsuplementos.ddns.net:7707

clsuplementos.ddns.net:4404

clsuplementos.ddns.net:5505

clsuplementos.ddns.net:8808

clsuplementos.ddns.net:9909

handling.ddns.net:6606

handling.ddns.net:7707

handling.ddns.net:4404

handling.ddns.net:5505

handling.ddns.net:8808

handling.ddns.net:9909

corpoleve.duckdns.org:6606

corpoleve.duckdns.org:7707

corpoleve.duckdns.org:4404

corpoleve.duckdns.org:5505

corpoleve.duckdns.org:8808

corpoleve.duckdns.org:9909

corpoleve.3utilities.com:6606

corpoleve.3utilities.com:7707

Mutex

AsyncMutex_6SI8OkPnkd

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  GORILLA_Last.hta
- Size
  
  46KB
- MD5
  
  750984a5dbe06c1092efbfdcaa2c0e45
- SHA1
  
  7a77048b108835f4ecc15cad2ae2fc3bce2d8b10
- SHA256
  
  dabdd1dc8f9dd5c796a50f9b09c2831073b318a0421a49af0caa153109e0488a
- SHA512
  
  fc6ee1773eaae435e8f6bc639f7c85dfc72bfd694a84a8d78862863a12317f81d9d19c46b87efa85f86f67bf4541fce07b191b2730ee6a7227762c8bd0803825
- SSDEEP
  
  768:otwjF6wFIk//xGWU/NaqjN+yUv4CZgS01ZNuIDyHmPHaPbgtlNJzLa2p9bn+ImY9:WwYwFDYWsjg/48euBtP83NQsSpr47pP/
Score

10^/10

asyncrat 2022 rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Async RAT payload
  rat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Async RAT payload

Blocklisted process makes network request

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2