asyncrat | 3ff4956f284c2d0b5a1c8b32e1b73977f05508a814aae92e5aa7919aaf0b3e10 | Triage

Submit
Reports

Overview

overview

Static

static

decrypted.exe

windows7-x64

decrypted.exe

windows10-2004-x64

Sharing

General

Target

decrypted.zip
Size

15KB
Sample

230202-w7zgbsfc5s
MD5

0a6616ab6ee90e7be6c212b63242cd64
SHA1

08b04ebd56a22823bc54111b5567dd40d1825e05
SHA256

3ff4956f284c2d0b5a1c8b32e1b73977f05508a814aae92e5aa7919aaf0b3e10
SHA512

8963342463806b4545779cb3616fd616d07d18123f64759f4bb76cc2f8064dc8463fbc88330b354f329c396858d87222ee8ee41abd98310d5df66f43ed146fbc
SSDEEP

384:IaLZLBGtvBdaVRV3VQBdc0/Vv/wa65/Pg52LoTY/WTo+1ysU9OiC:IaLutZAgz7/wv5Hg520To+1yNOZ

Score

10^/10

asyncrat njrat default evasion persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

decrypted.exe

Resource

win7-20220812-en

asyncrat njrat default evasion persistence rat trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

decrypted.exe

Resource

win10v2004-20221111-en

asyncrat njrat default evasion persistence rat trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

virtual-rome.at.ply.gg:1111

virtual-rome.at.ply.gg:62832

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
Windows Critical Update.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  decrypted.exe
- Size
  
  36KB
- MD5
  
  804457c473500f8fe0d57b0864c4c87f
- SHA1
  
  633c8ff70bc17c12e2727c3e1278349a8b67fe50
- SHA256
  
  601ac6852746a608f82af16fe69b07a5c65afc584d59479a8fcf43bd0537997f
- SHA512
  
  f68e765f26d6ff16a4f2a89f367e0cf57278a595f321a362c8b037526106dc319cd6894b4def3d1aa474ce412db0395926e7483d26abca72e196f4eac97247d9
- SSDEEP
  
  768:C9S2Mfp8Y8JuL8O2qD86BhEOaDUeKR0F6Ehq5lxOBcmZPtqojC:C9S2MfgQQahEOaDUzRb5lxOWmyl
Score

10^/10

asyncrat njrat default evasion persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Async RAT payload
  rat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

asyncratnjratdefaultevasionpersistencerattrojan

behavioral2

asyncratnjratdefaultevasionpersistencerattrojan

© 2018-2024

Terms | Privacy