asyncrat | 7ba8bdf289bdd5250fa389e294162b97701554b42dbd8757b96c7780f8286cdb | Triage

Submit
Reports

Overview

overview

Static

static

AsyncClientnownow.exe

windows7-x64

AsyncClientnownow.exe

windows10-2004-x64

Sharing

General

Target

AsyncClientnownow.exe
Size

45KB
Sample

230129-b34j9shd74
MD5

e9d6d1ed7007d55c6a9ec576ff1f0172
SHA1

7289b1f566e382cb9a797111a178db1c726372c3
SHA256

7ba8bdf289bdd5250fa389e294162b97701554b42dbd8757b96c7780f8286cdb
SHA512

86feb2e1d310fc0594bda26079568d772b77d3b381968b8f4d8d9a8415b452e23d3d33ca370b75621058caf0e36b806a9f252cc8be3864fa9945f93f02b980ce
SSDEEP

768:ZrfRmg7oB6ZXW7fzTyyk7MeVNZwcxwduOfzjbIOgX3ieukFDYT4DBzZbx:ZrfRmi3y7eOhvf3bWXSeZDYotbx

Score

10^/10

asyncrat modiloader remcos default jan2023 persistence rat trojan

Static task

static1

rat default asyncrat

2 signatures

Behavioral task

behavioral1

Sample

AsyncClientnownow.exe

Resource

win7-20221111-en

asyncrat modiloader default rat trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

AsyncClientnownow.exe

Resource

win10v2004-20220812-en

asyncrat modiloader remcos default jan2023 persistence rat trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

154.12.234.207:6606

154.12.234.207:7707

154.12.234.207:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

remcos

Botnet

Jan2023

C2

retsuportm.ddnsfree.com:2404

spreadrem1.ddnsfree.com:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
jkjhuy
mouse_option
false
mutex
winwin-BXOY7N
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  AsyncClientnownow.exe
- Size
  
  45KB
- MD5
  
  e9d6d1ed7007d55c6a9ec576ff1f0172
- SHA1
  
  7289b1f566e382cb9a797111a178db1c726372c3
- SHA256
  
  7ba8bdf289bdd5250fa389e294162b97701554b42dbd8757b96c7780f8286cdb
- SHA512
  
  86feb2e1d310fc0594bda26079568d772b77d3b381968b8f4d8d9a8415b452e23d3d33ca370b75621058caf0e36b806a9f252cc8be3864fa9945f93f02b980ce
- SSDEEP
  
  768:ZrfRmg7oB6ZXW7fzTyyk7MeVNZwcxwduOfzjbIOgX3ieukFDYT4DBzZbx:ZrfRmi3y7eOhvf3bWXSeZDYotbx
Score

10^/10

asyncrat modiloader default rat trojan remcos jan2023 persistence
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Async RAT payload
  rat
- ModiLoader Second Stage
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

ratdefaultasyncrat

behavioral1

asyncratmodiloaderdefaultrattrojan

behavioral2

asyncratmodiloaderremcosdefaultjan2023persistencerattrojan

© 2018-2024

Terms | Privacy