asyncrat | remcos[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

remcos.zip
Size

52KB
MD5

87c386fca6a77e9d7692962b37e20393
SHA1

d9667b4aee3c2e2181b94254874edaaa56fe599d
SHA256

2bd325fa05c5184178ff65feacb70183c180e3e119ba77dc52b5171a952fde61
SHA512

8eb234db75b72b777683dec24bb6d988217401b930a22b4f22b1ec93146680b4569eebd30096ac9e61d779d7110e4924f3c58a5f7a8cdbf6cc89a39fd91e65a7
SSDEEP

1536:E04Dv7GgXqIi/0S1SEnBb0x22ZTzRZA/PI:B+GcI/0ynyHnRZcI

Score

10^/10

rat newyourk asyncrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

NewYourk

141.95.84.40:3060

Mutex

XWXWXWXWXWXW

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

Async RAT payload 1 IoCs

rat

resource	yara_rule
static1/unpack001/work/asyncrat.bin	asyncrat

Asyncrat family
asyncrat

Files

remcos.zip
.zip

Password: infected
work/asyncrat.bin
.exe windows x86

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 43KB - Virtual size: 42KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
work/asyncrat_decompiled.out
.ps1
work/disassembly_shellcode.txt
work/dynwrapx.dll
.dll regsvr32 windows x86

Password: infected

5c1de943a8b81217d14da612c0c5b40a

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

DisableThreadLibraryCalls
LoadLibraryA
GetProcAddress
GetModuleFileNameA
GetCommandLineA
FreeLibrary
GlobalAlloc
InterlockedIncrement
InterlockedDecrement
GlobalFree
LoadLibraryW
WideCharToMultiByte
MultiByteToWideChar
RtlMoveMemory

msvcrt

sprintf
strlen
_wcsicmp
wcslen

ole32

IsEqualGUID

oleaut32

SysAllocString
SysFreeString
SysAllocStringLen

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllInstall
DllRegisterServer
DllUnregisterServer

Sections

code
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

const
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 928B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 1024B - Virtual size: 866B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.edata
Size: 512B - Virtual size: 188B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 672B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 43KB - Virtual size: 42KB

.rsrc Size: 3KB - Virtual size: 3KB

.reloc Size: 512B - Virtual size: 12B

Password: infected

5c1de943a8b81217d14da612c0c5b40a

Headers

File Characteristics

Imports

kernel32

msvcrt

ole32

oleaut32

Exports

Exports

Sections

code Size: 6KB - Virtual size: 5KB

data Size: 512B - Virtual size: 1KB

const Size: 2KB - Virtual size: 1KB

.rsrc Size: 1024B - Virtual size: 928B

.idata Size: 1024B - Virtual size: 866B

.edata Size: 512B - Virtual size: 188B

.reloc Size: 1024B - Virtual size: 672B

.text
Size: 43KB - Virtual size: 42KB

.rsrc
Size: 3KB - Virtual size: 3KB

.reloc
Size: 512B - Virtual size: 12B

code
Size: 6KB - Virtual size: 5KB

data
Size: 512B - Virtual size: 1KB

const
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 928B

.idata
Size: 1024B - Virtual size: 866B

.edata
Size: 512B - Virtual size: 188B

.reloc
Size: 1024B - Virtual size: 672B