asyncrat

General

Target

bNqu.exe
Size

78KB
Sample

230607-shwglacf4v
MD5

d4b127a7d4e2609d86747eadf6fd00ba
SHA1

88754fa2fa044a1bcac7ad1ede8c8cfa533bbdab
SHA256

a4565de8728f2196a30e7337c45d94b0b7f8dfca1bd610f5bd0d597e483d1b37
SHA512

f7d36d3f931d75793f1ee55bd7be5a3edc8c5ebff198a5eac0d234eb2964c78b6a071c38a1042ea3b4aad50d8be77998d3922c075d4aed838e0b6d5d960f2488
SSDEEP

1536:Gh9z+dBLX+DpPS5wpOk3JCK6pFo4j/6fOpd/9nEh9TGaJMR:UWqQwpOk5CK6MO/9ESaJM

Score

10^/10

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Primas_2023

C2

administradorv.duckdns.org:2019

Mutex

Notepad.exe

Attributes

reg_key
Notepad.exe
splitter
1234

Extracted

Family

remcos

Botnet

rem04robot

C2

soatfebrero.duckdns.org:8091

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MVFL5W
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

njrat

Version

0.7.3

Botnet

18abril

C2

verde2021.duckdns.org:7782

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
1234

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

02junPav

C2

enero2022async.duckdns.org:7784

Mutex

546rf%$RFWT4T5E3R

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  bNqu.exe
- Size
  
  78KB
- MD5
  
  d4b127a7d4e2609d86747eadf6fd00ba
- SHA1
  
  88754fa2fa044a1bcac7ad1ede8c8cfa533bbdab
- SHA256
  
  a4565de8728f2196a30e7337c45d94b0b7f8dfca1bd610f5bd0d597e483d1b37
- SHA512
  
  f7d36d3f931d75793f1ee55bd7be5a3edc8c5ebff198a5eac0d234eb2964c78b6a071c38a1042ea3b4aad50d8be77998d3922c075d4aed838e0b6d5d960f2488
- SSDEEP
  
  1536:Gh9z+dBLX+DpPS5wpOk3JCK6pFo4j/6fOpd/9nEh9TGaJMR:UWqQwpOk5CK6MO/9ESaJM
Score

10^/10

asyncrat neshta njrat remcos 02junpav 18abril rem04robot persistence rat spyware stealer trojan upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Neshta payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral1 behavioral2