asyncrat

General

Target

Alien C++ Cryper.exe
Size

614KB
Sample

230317-by4dpsfg8y
MD5

6d7be98d68c6b3d8ea8c55da493b568e
SHA1

71ec3454cef1f3e4a90fe2688e9bfd0e0f9c2cea
SHA256

6ecbc0d9795b7fa1869f113c5a05fca4d8ff17f2312ac8f973277989cf64a67b
SHA512

e2c5729d028f3821823cba3d4da7fe36eb71cc184fde8314a59eeddb52f1e51bcaf0f996b4b7398ae800a052cf715320ebc6bde29dcfa400a45b7c179a1f1282
SSDEEP

12288:+DzeNryR43tPVX38vhtUM4Th09oAt4CsyXwLLzl71M+zuBP1d3owmDYS:0ze0RM6ht8mq0rSLzl72qufd4wMY

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Wars

C2

95.173.247.110:8806

Mutex

Wars

Attributes

delay
3
install
true
install_file
Winder.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

Muck

C2

52.232.8.179:37764

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

C2

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes

delay
3
install
false
install_file
SecurityHealtheurvice.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

SecurityDefenderProtokol

C2

88.248.18.120:33918

Mutex

SecurityDefenderProtokol

Attributes

delay
3
install
false
install_file
SecurityDefenderProtokol.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

1.0.7

C2

217.64.31.3:9742

Mutex

WindowsDefenderSmarttScreen

Attributes

delay
1
install
false
install_file
WindowsDefenderSmarttScreen.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Alien C++ Cryper.exe
- Size
  
  614KB
- MD5
  
  6d7be98d68c6b3d8ea8c55da493b568e
- SHA1
  
  71ec3454cef1f3e4a90fe2688e9bfd0e0f9c2cea
- SHA256
  
  6ecbc0d9795b7fa1869f113c5a05fca4d8ff17f2312ac8f973277989cf64a67b
- SHA512
  
  e2c5729d028f3821823cba3d4da7fe36eb71cc184fde8314a59eeddb52f1e51bcaf0f996b4b7398ae800a052cf715320ebc6bde29dcfa400a45b7c179a1f1282
- SSDEEP
  
  12288:+DzeNryR43tPVX38vhtUM4Th09oAt4CsyXwLLzl71M+zuBP1d3owmDYS:0ze0RM6ht8mq0rSLzl72qufd4wMY
Score

10^/10

upx asyncrat redline sectoprat defendersmartscren muck securitydefenderprotokol wars discovery infostealer persistence rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Async RAT payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2