asyncrat

General

Target

bef2253333e2663aa740460ede3ee25e.exe
Size

29.0MB
Sample

230117-3et5gaaa66
MD5

bef2253333e2663aa740460ede3ee25e
SHA1

774d4ebdb884b4e32ffe7e36fa691aaaf5505f3c
SHA256

d058305ddf083f58cb70b13eb26b49c029b8f2eb329c98c1574b2489f6a44809
SHA512

160cb1e4b383be3f0809bc79a2d12176f146510070b4ca5c23db0344c571115c0fd2146cfdb72ceea92abe840c02070cd8f08581211acb6b0eb39ea92222d6cb
SSDEEP

786432:QuPxiY4bJfwP+v53za5RuHKhPzMYd36qfd3a:DpiTbJYPIlnqBMyBa

Score

10^/10

Malware Config

Extracted

Family

limerat

Attributes

aes_key
123
antivm
true
c2_url
https://pastebin.com/raw/mchxnAbT
delay
80
download_payload
false
install
true
install_name
WindosCert.exe
main_folder
AppData
pin_spread
true
sub_folder
\
usb_spread
true

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

NEW

Mutex

ihouhh

Attributes

delay
80
install
true
install_file
UpdateChromeDay.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/mchxnAbT

aes.plain

Extracted

Family

redline

C2

185.215.113.69:15544

45.15.157.131:36457

62.204.41.141:24758

Attributes

auth_value
971353143dce4409844e1f4f0f5f7af8

Extracted

Family

aurora

C2

37.220.87.13:8081

Extracted

Family

redline

Botnet

@Miroskati

C2

rllalasyeo.xyz:80

Attributes

auth_value
384ebbf9bd4d7e80bf3269909b298f87

Targets

- Target
  
  bef2253333e2663aa740460ede3ee25e.exe
- Size
  
  29.0MB
- MD5
  
  bef2253333e2663aa740460ede3ee25e
- SHA1
  
  774d4ebdb884b4e32ffe7e36fa691aaaf5505f3c
- SHA256
  
  d058305ddf083f58cb70b13eb26b49c029b8f2eb329c98c1574b2489f6a44809
- SHA512
  
  160cb1e4b383be3f0809bc79a2d12176f146510070b4ca5c23db0344c571115c0fd2146cfdb72ceea92abe840c02070cd8f08581211acb6b0eb39ea92222d6cb
- SSDEEP
  
  786432:QuPxiY4bJfwP+v53za5RuHKhPzMYd36qfd3a:DpiTbJYPIlnqBMyBa
Score

10^/10

asyncrat aurora limerat redline @miroskati new evasion infostealer rat spyware stealer upx vmprotect
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Aurora
  Aurora is a crypto wallet stealer written in Golang.
  stealer aurora
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Modifies security service
  evasion
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Async RAT payload
  rat
- Enumerates VirtualBox registry keys
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Drops file in Drivers directory
- Executes dropped EXE
- Stops running service(s)
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2