asyncrat | 662373470e1e29fdc50870c0296a21446f2231455ae93dfb9f4339e21d8eaca5 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

7ec73c3cdb2ab4d8ead126d75d8e75e6.exe
Size

415KB
Sample

230825-jrjpqahh73
MD5

7ec73c3cdb2ab4d8ead126d75d8e75e6
SHA1

72932cec27122ff030c4e9300026be77c91da7f3
SHA256

662373470e1e29fdc50870c0296a21446f2231455ae93dfb9f4339e21d8eaca5
SHA512

46a6c5b05bf93d1746ddc9c58f5040832b1c81240580c49831b1c068952eaa2c8111484b7d72c1d51e7688b78a1416f27b8463fb46c3887886d1b2ade0f36f14
SSDEEP

12288:7DbFgXY5JxdtIeCP5BRQhgRHf0e9c/j0xMZ2t+4GspUx:3FdtIe+e+RHf0Hx

Score

10^/10

asyncrat default persistence rat spyware stealer themida

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

C2

5.tcp.eu.ngrok.io:18274

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
10
install
true
install_file
1.exe
install_folder
%Temp%

aes.plain

Targets

- Target
  
  7ec73c3cdb2ab4d8ead126d75d8e75e6.exe
- Size
  
  415KB
- MD5
  
  7ec73c3cdb2ab4d8ead126d75d8e75e6
- SHA1
  
  72932cec27122ff030c4e9300026be77c91da7f3
- SHA256
  
  662373470e1e29fdc50870c0296a21446f2231455ae93dfb9f4339e21d8eaca5
- SHA512
  
  46a6c5b05bf93d1746ddc9c58f5040832b1c81240580c49831b1c068952eaa2c8111484b7d72c1d51e7688b78a1416f27b8463fb46c3887886d1b2ade0f36f14
- SSDEEP
  
  12288:7DbFgXY5JxdtIeCP5BRQhgRHf0e9c/j0xMZ2t+4GspUx:3FdtIe+e+RHf0Hx
Score

10^/10

asyncrat default persistence rat spyware stealer themida
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
- Downloads MZ/PE file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

asyncratdefaultpersistenceratspywarestealerthemida