asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

batch2.zip
Size

374.7MB
Sample

230616-w8xdcsfh7v
MD5

65820b5345cae498c44cf90c63dd3160
SHA1

857f6b35c2e69a4df8e52094ef1f9acaacee8c60
SHA256

7a3b1e9c8df660dc1c1cf9b17411c1d6a4ffca364712c5de8ac46b1199ece1ce
SHA512

576df56b28250d69aeb9c95070a453928336c7beabe45b3bc108669810ffb2316a69bdf785b8472787328556d25ccd62d30e36d4945adb85e45a800369dce388
SSDEEP

6291456:Wfj+M5AE4HECh6/6p3vBaD0OFMZTuw8XPWD29On+lctEu6ieDAR43Wr/ggjghaFd:WfJAEIECpXfOFM+PWyNlZu6ieDASmr/B

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

doc

188.165.208.165:43504

Attributes

auth_value
34724300c8d2e12e91046accfdc2379d

Extracted

Language

ps1

Source

URLs

exe.dropper

https://bitbucket.org/damnman/damn/downloads/Zos.exe

Extracted

Language

ps1

Source

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1074394309446619298/1085646503940464700/putty.exe

Extracted

Language

ps1

Source

URLs

exe.dropper

https://bitbucket.org/damnman/damn/downloads/simplecryptservice.docx

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/damnman/damn/downloads/PUMPED_docc.exe

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

45.137.65.94:4449

Mutex

saiarsvkhzxxjyqd

Attributes

delay
1
install
true
install_file
Google Update.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

45.137.65.94:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

@hukioside

37.220.87.13:48790

Attributes

auth_value
7bb7435e1cb000627132c502060da133

Targets

- Target
  
  1.rar
- Size
  
  69B
- MD5
  
  67bc65619826de9a70b6bf52757ee6bc
- SHA1
  
  c9969e9aa039e2a50eeb10ae754b26bc0ef55ad1
- SHA256
  
  8d12f9138517957756f2b5745033708b2bd5d7129de8f0f1a01c1a9699d533fc
- SHA512
  
  ee6ec699db6dfe2b00dfa45cb71ec72971b1ed85c80c530975621dd4bd7f8f44f57b2073eb68235cf98ed48b1d22f925e6e1f16008e7f86d196dfa9ea7642567
Score

3^/10
behavioral1 behavioral2
- Target
  
  Ehhbsuuemv.exe
- Size
  
  68.4MB
- MD5
  
  368dc6c24db6c1550ce757c0ffbdd9a0
- SHA1
  
  89bf95d951ac065bdfd8a323b1ecb70355bbab20
- SHA256
  
  9f3d5e17974ea77849869573fcca4be15d641ea937fc23fceb2808c59612b641
- SHA512
  
  78c94132c3f426930bcc80fc8dab760f3ecedcb6747150ba72319a23adedfda7c7cdc494122899cca914b7a1daa859f2a9c54c9bacf5b2e9c2f5519275fb2211
- SSDEEP
  
  1572864:iEmgHZAuBtRvd59Tdd6ok1vPtBQmjbPV4dDO4oJV36euF3SGzcqj0:zFHZAytD5xdd6FNPtBQeCdDO4oW/P4
Score

10^/10

asyncrat default rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  GjIEmKW.exe
- Size
  
  646KB
- MD5
  
  f1721c98efdae451be8ef071044cdb85
- SHA1
  
  28afdff9b32d7da6918a4ecc3a30eafe3be1f8e6
- SHA256
  
  bce1a92464358055d118d7a107bf8d5361f4fc2dfaaa41a18d2a9bc11b640272
- SHA512
  
  5e560094bfdb5d9e0a0f545373c9943a57c1da12378153cd0943ac2b10da9fcd1e256a71777f5cab803f5c434db11cd6cdd463bdcd2fe36420d7db5f2c57ffaf
- SSDEEP
  
  12288:z4UBGj3cBfudMiILCLbexicLZHgVkbh11a9iZoyfetMYviLZ4uDFa:z49j3Z4Ld30v8R
Score

10^/10

asyncrat venom clients rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  Jtvcsfni.exe
- Size
  
  300.9MB
- MD5
  
  fa2a122398f04f0a45ed7bed477aa4de
- SHA1
  
  dec80165e13f370fc832f6fe752084eb5ba944cb
- SHA256
  
  cde19a4b3504ff5f04a4291be87d98594673de5e3ba4d939b18305e7e1fd93a2
- SHA512
  
  332c34cde567511fc31422d75a77f183546998762f912844726e0b157d5c5bc29893e20b93e0ab5daa90908e39aab326743606ee090b38d73ba51b9d949e8905
- SSDEEP
  
  6291456:TzQXTpP65CUl6Xd+6a3BwpQTOQGZ+TmCI/0haPyrUVb0/29c1e1M51K:Y1jUl6sBwKgZXCI/0haqgVb0/l6
Score

10^/10

redline @hukioside infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  OriginalBuild.exe
- Size
  
  2.0MB
- MD5
  
  684b5a8761a8cd0314a1121de37a86a7
- SHA1
  
  bd46bea31f6ec26ad80bf9bdda6f2b59750a910a
- SHA256
  
  1fc6b522a006f923bd3e6d69377bdcbb6d6e733dc4f68f38608f727bf6b0732f
- SHA512
  
  d56b3b60d54ad8ac97b3baf3fc4cdf7ee0158dadd23239238d243d445906d30f8246f4053d53fc9b6f04c80d87c43f548e7cca4b424ec34b0474defa785fbb59
- SSDEEP
  
  24576:rLdSwtu5mVZJZYDN5ZKGGQz1JLzsrksuN8qYMLDd3eQ3o7glrAbAlA7AIASAWl9W:r6mVZJZYSVgvoklrAbAlA7AIASAzCq
Score

8^/10
- Blocklisted process makes network request
behavioral10 behavioral9
- Target
  
  PUMPED_docc.exe
- Size
  
  90.3MB
- MD5
  
  82bb565e772ed1286a2aae9c572650e9
- SHA1
  
  ca36bde4741afafb7fcf62a19673d13b80fb44c6
- SHA256
  
  25a410a81c32a80cd2c408fad31582e20a1e7fd01c28ef78576fd2cbb02761fc
- SHA512
  
  30861740c92d0022bbee72d638afbf44cd6276d2233e7ce51fc9fb5b7281a0cadb3b76f8b4ef8b3063c7a93960a1fab285aa8d01043ba4063366125ce6ec6e0b
- SSDEEP
  
  6144:7Bcs/4U/OaGR+X25Kmn9GFjzsLqBO6/b:tcsgXbKm4XGq86/b
Score

10^/10

redline doc infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  Servicing-invoice-template.pdf
- Size
  
  34KB
- MD5
  
  d422843d566db462f7f8f6bc3be9ca76
- SHA1
  
  1b1b89d8227af285a658ba64a15e1f0a56953e46
- SHA256
  
  3fff1be296432c5b2cf165c63110531e8e4aa3e31285d1800d0ab92ece7e5c3a
- SHA512
  
  a62ad4534bd8b274df69de3dfc64595137941097742173f0e8d02307f35b5344bcfaf3151a203d6f5a24f2a4300996e7713db729763516cade8893e62d63e9cc
- SSDEEP
  
  768:zzy3jjj/ZX6HmbabFA7FFFjgXUfUU9ivyoWYU9NlgxUh3:zzijjjRXIcaZAtIyo+lD
Score

1^/10
behavioral13 behavioral14
- Target
  
  cgu3.rar
- Size
  
  9KB
- MD5
  
  50d5f12c1c59bc98a813067d5122f38c
- SHA1
  
  e35ccfa2e9d8eceab039f7b2b45616ab036bd976
- SHA256
  
  acf777c094448d81c8a236bc20a649985d8dae3859684b4a36cb927b30ad5230
- SHA512
  
  713e2f9ce0df755a718d56aa7b1eea9914d3ba67518d9c1a4e9bb282ce9370cdaaee29f51620da07dbb3eeef8447b0b7cb72016d6a5be54f7741d876638a65be
- SSDEEP
  
  192:WQhXtM+d3XsnLhFC+q6n9du2t0r+DQdpPDW805oCnpKfkUsJJ3IE3I9ialTdcd:WgLNiu+B9du2OiQnPDl05pnp9UgKUIZw
Score

3^/10
behavioral15 behavioral16
- Target
  
  debt.rtf.rar
- Size
  
  957B
- MD5
  
  a776d916e80f88a16f578e8e3e787350
- SHA1
  
  dd9bd73eb6a93cd007c936a519ec90d445f58761
- SHA256
  
  4da5078a5bde869ade2cdb93d36a321d2a9996ac9ab940cac9f8516794e1705a
- SHA512
  
  24264cc04ede49113f359aea23a20fa3f2c4b0f69330639d6fbcfb58ddc447bf318cc2c6a42619d2d0fd5cf95ffe839071a7e8c2a007f3419ca3a16c5d8516e3
Score

3^/10
behavioral17 behavioral18
- Target
  
  eeee.dotm
- Size
  
  15KB
- MD5
  
  e98532e1f207b31dc7709a52b1c409b7
- SHA1
  
  b2715b7f3367c8a30d65fd06ae8a201e53d9123d
- SHA256
  
  3d355a08aefd906bd5c4f5db39535e172f06f646c18be73f7b6d4dc6ed54c5ab
- SHA512
  
  13ff9836180e75881340bc5eec2285c6dfd2c7cd2aa968be5ad7673e905c17862d3709571426793c8fc886beb7969c1cfc7585f3bf60a8590f5e90fbfca28e85
- SSDEEP
  
  384:tmtl4DqphrASTC78Jex7KBM6akwLWdxdyJYB3ywJ:ql4DqphM98JkYakw6Ly+QwJ
Score

1^/10
behavioral19 behavioral20
- Target
  
  egor.dotm
- Size
  
  14KB
- MD5
  
  adccb9016b434427cd125ae841d1baaf
- SHA1
  
  56aa1a0e7b1ba0d2714be1e36d4a59ca4ca8a05d
- SHA256
  
  d6cdc6b64b477100f73ffa15b1fe7597e3a6c81431b527bc766f7bab27701e8b
- SHA512
  
  9b4fbb5f16570c7a5165a53ffab8680db2122e3040ed411358f2a4fee2d8a24d525ab430651b0c1d1f93f8b7471b8ba9f7b58a96b167e5245a082a0d51c35c62
- SSDEEP
  
  384:tmtl44XewvWv7lC78WQ6Su6akwLWdxdFYB3w:ql44XHvWTu8mSzakw6LqG
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Legitimate hosting services abused for malware hosting/C2
behavioral21 behavioral22
- Target
  
  errr.dotm
- Size
  
  14KB
- MD5
  
  15320db9003264c8ce3a7356030746a8
- SHA1
  
  db6c48cb0b2ea475602ee20bd10d6be192da4a37
- SHA256
  
  ed057ee336974e52d68f2eb5278c7d61fdbfff8f388e287d4c8c09bd2eed0a2f
- SHA512
  
  608015f8c7ede90b8859fe2c2838322db98e78ff1e369d1a3019cbfb8d279ca515e2494e0d6946d17cdbed1582faeac2ce2bd53eadbe45751dba542794b0a758
- SSDEEP
  
  384:tmtl4pb+aVHXwnSC78Qot2J6akwLWdxd36UbYB3ho:ql4pq6El8Qojakw6L0M
Score

1^/10
behavioral23 behavioral24
- Target
  
  example.dotm
- Size
  
  16KB
- MD5
  
  1aae26fe5d7b7dc4d6794a7828aecedc
- SHA1
  
  fbb8c6f45f53dc80e276a72cf9f567054b65c206
- SHA256
  
  1d473e82efa66368ffb4ce8f5eb947296c8e8d3febbe3a6283857da6fb1cc7d5
- SHA512
  
  2036693971d4710c9d59c569a8a8fef98ee33422b324c343c07aac9fb67500f82e54c6904054f65a7294dbbc745773fdbf6a6051aa7a71ac8b04b9c3dcf5c6e0
- SSDEEP
  
  384:tBt67TB+TZ2T/aNxt/ZtNNei/eX+30Oncsqf:R6PaGIxllNeAeX+3BcBf
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Legitimate hosting services abused for malware hosting/C2
behavioral25 behavioral26
- Target
  
  fasfs.dotm
- Size
  
  16KB
- MD5
  
  56265082f8036943f8aa659cda6b4b6f
- SHA1
  
  4b4c75a574e7bc18117cecfe8cad64205097ec43
- SHA256
  
  4adf62e4e36861567206126d6ef1a1d59bf169f9c72cde72dad9a3bfe0c09faf
- SHA512
  
  33792ecfeaf686435db9d6537b8e99d74b08198c198e3357b0b6ba324f7c5eb410060a34e64b2a09aa3b20f9a7b459ae6b13670abb4e03550ffb79fb0e155c2d
- SSDEEP
  
  384:tmtLW4BPok2xSxCyX+ZKC78qN9j6akwLWdxdA97YB3H/:qa4Bn2xzyX+383akw6L2M9
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
behavioral27 behavioral28
- Target
  
  ferrr.dotm
- Size
  
  15KB
- MD5
  
  2fcd4aa1392a81644323e0dfc715146f
- SHA1
  
  bb48a7af90cdb8c46e78bb20fb7e733c626d4f2f
- SHA256
  
  58ab07d938bb5a6a5c2fb772f4b511b805b6e9c165ed01280c4ee9a1c817f9dc
- SHA512
  
  91bccc3fba9abbab4b052c394274de3d701d5c6a06b36c2df688f3f36c0296835d028e966eb331ebdea863c34be63f03cfb604b1583640e6edee0de3a81bc639
- SSDEEP
  
  384:tmtl4Ttwa5+VjgUbuC78Qo0mR6akwLWdxdf8YB3U:ql4Ttwp2UbZ8QZm0akw6Lxi
Score

1^/10
behavioral29 behavioral30
- Target
  
  fffffffnew.dotm
- Size
  
  16KB
- MD5
  
  56265082f8036943f8aa659cda6b4b6f
- SHA1
  
  4b4c75a574e7bc18117cecfe8cad64205097ec43
- SHA256
  
  4adf62e4e36861567206126d6ef1a1d59bf169f9c72cde72dad9a3bfe0c09faf
- SHA512
  
  33792ecfeaf686435db9d6537b8e99d74b08198c198e3357b0b6ba324f7c5eb410060a34e64b2a09aa3b20f9a7b459ae6b13670abb4e03550ffb79fb0e155c2d
- SSDEEP
  
  384:tmtLW4BPok2xSxCyX+ZKC78qN9j6akwLWdxdA97YB3H/:qa4Bn2xzyX+383akw6L2M9
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
behavioral31 behavioral32

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Async RAT payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

AsyncRat

Async RAT payload

Suspicious use of SetThreadContext

RedLine

Checks computer location settings

Suspicious use of SetThreadContext

Blocklisted process makes network request

RedLine

RedLine payload

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Process spawned unexpected child process

Legitimate hosting services abused for malware hosting/C2

Process spawned unexpected child process

Legitimate hosting services abused for malware hosting/C2

Process spawned unexpected child process

Process spawned unexpected child process

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32