asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

New Compressed (zipped) Folder.zip
Size

7.0MB
Sample

231011-nl2qkaca4x
MD5

3fd66dc82138d1427d43e70b36b4cd3a
SHA1

39fe86fbba36a06220c96f72f7aed0f2e0bd168d
SHA256

7549d4a121e1e7b5dc056cebe025d1af3d8c03440cad9bb23697c3f9bc6d07a9
SHA512

d036d2423eb28ea48f0a9d410c357b79f99371b8730dd19a38c8277b76b4f442762044e15efa361d4185d0648478b34b4f4957ba72aba6df71a334d033bc2253
SSDEEP

196608:wB83eQOA1B47Y0Az9MORof8EYFtDh+u1GBSDqRuJrHlU3s8YuW:MrQfqLABBBF7N17qRyHlEs8YuW

Score

10^/10

Malware Config

Extracted

Family

wshrat

http://akinbo.ddns.net:6380

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

MAC

74.208.105.80:7777

74.208.105.80:2005

mtest.loseyourip.com:7777

mtest.loseyourip.com:2005

Mutex

AsyncMutex_3losh

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  38e2e621598702cd37731440444d631ab9d799c6876765dbd418403033b94bf0.exe
- Size
  
  14KB
- MD5
  
  eb096dfb6d3b24215a3ff1cf1a0a6ff4
- SHA1
  
  22cbf7d400f69105b0191d3cd7b62a7e64a776c0
- SHA256
  
  38e2e621598702cd37731440444d631ab9d799c6876765dbd418403033b94bf0
- SHA512
  
  4672ca88212c9f4fe31d36b9f73d0df2524c4f1860cc845aff4dc4a3ba7d1dc7248de1469768a00bb4a5770c96797e1790f209b6327043b26534adff36be6351
- SSDEEP
  
  384:4x2SOwrxxKXF6nBhM2IuDBbiTYfdCfLjBF3hJQ4bxu4:DSOwrxxKXF6nBh7VbiUUTdNhJQyx7
Score

1^/10
behavioral1 behavioral2
- Target
  
  404967d9e5bf0c8c4158e88c8df50c913c334e62d54c9de0f1dbd1bf5da57497.ps1
- Size
  
  437KB
- MD5
  
  4d238bb8bfad4e8ccc3343ea91da991e
- SHA1
  
  a502910cb686be7a6fc9ce76a40078fb5d36f6da
- SHA256
  
  404967d9e5bf0c8c4158e88c8df50c913c334e62d54c9de0f1dbd1bf5da57497
- SHA512
  
  3f53c43e85bd189547a439734d147cb73f4400dc895562e1aa7c33f90e454f3f4e458be7e9bad2e1c8526aa0702975940747f2ced8709a298cb4544d0eb9dae3
- SSDEEP
  
  3072:o1AJasaQ315U3Apg4ypzUeE6Ue+VM8fpBTUv1vZuWQI2:o1AJH315U3Apg0VNRBRWQI2
Score

10^/10

asyncrat mac rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  4c09176981ccb4d6f7c48c6c88d4aad6ec13d5ad9b8afe41cdb40c749933f6b0.exe
- Size
  
  4.2MB
- MD5
  
  7dd0c45e64f1141f9e0b8e2add05c5b1
- SHA1
  
  cfe8a0aaa16426f81875242843ecef3b433f884b
- SHA256
  
  4c09176981ccb4d6f7c48c6c88d4aad6ec13d5ad9b8afe41cdb40c749933f6b0
- SHA512
  
  46eece0284a36505cf3623ad979c7b150b4b809c4bb8a25e22c031c7299677c36d02acc5a4e86e5a79d16f3d6974f38af7fd06c1c9f6b59af000e28df50f2ac8
- SSDEEP
  
  49152:SofmQA9pf5V3qLYeTxXiuJhLm4f0bvG+GkMEExfpSCLHytP5PImrennvhpfawK/1:Sofd0pf+LYAxXiuXLm4fkGKWSC+vPIXI
Score

3^/10
behavioral5 behavioral6
- Target
  
  56776169335b8d2db22dba1ae47629f3e3e73a9a1d4f2c9cc6c7bcdd99b5fff8.exe
- Size
  
  881KB
- MD5
  
  538339734064ab915d20e9d7ab7e4e88
- SHA1
  
  c3fbe017ac4aa17d574f055db689cabd1b8cfb2d
- SHA256
  
  56776169335b8d2db22dba1ae47629f3e3e73a9a1d4f2c9cc6c7bcdd99b5fff8
- SHA512
  
  bbeb87174b9b9b4179ba1752417240883c999659f275fb8bdcf705b3c981928e39e51abdaa610c51bdc7f57fe33a6e0c44232b7e020b1fe8441f5f1610b7a96d
- SSDEEP
  
  12288:7ryVwGQ4bWldcKgyr8hFY+TAUd7p+puZ9:7rcwGZbedcFyr+d7pdZ9
Score

3^/10
behavioral7 behavioral8
- Target
  
  5c72bdbde9604fe063ee6f9ff6dcb0ff0e67a85dea42ea9b6e1eca544fe95005.exe
- Size
  
  132KB
- MD5
  
  1b9b7d3e176287048515eed7de829885
- SHA1
  
  ac3c5c28492e5a3a7242d8fc505caccc68447ae0
- SHA256
  
  5c72bdbde9604fe063ee6f9ff6dcb0ff0e67a85dea42ea9b6e1eca544fe95005
- SHA512
  
  8178f633a5b8b2701e96ab3efe4fafebf4b6e4bc1b4334225ddbdc84ed9fe306e82c5fb47df4d2bc0de55d09f637b4b7d8a5a729f35d0c8083250210f5859e6b
- SSDEEP
  
  1536:hv9FruuLT0KCMuuzO9YZQgmgUOy/QdkOe6MOzfCXf3SD00E:hvrbtCMVK9Y7xWQdZeT8KfJ
Score

3^/10
behavioral10 behavioral9
- Target
  
  843c4407865ab4d809f0e3b8a581bab50a330ad98c926d0f10540f451b6611d5.pdf
- Size
  
  58KB
- MD5
  
  d086b4ec8b44133be39501e2d50b6a80
- SHA1
  
  3566d4cf49c404b14393eec26205d143e8a18c28
- SHA256
  
  843c4407865ab4d809f0e3b8a581bab50a330ad98c926d0f10540f451b6611d5
- SHA512
  
  0c10d3804e4dc704fc957bf609c5906151665b4317e6b7d2ef6620f8ba5a31877e1f9bd7a5670df4cbaf13ed8a096f5269634606a513f25b8a066432b62984bd
- SSDEEP
  
  768:v6WYNDkxyrJxU9kknI0m/dn/4JitDHiGcZJOz4G3fpQwWTJ6C1Bo+zeZg5:v6Xgxy7vfdyitWJZs73fpqoC1q+Ee
Score

1^/10
behavioral11 behavioral12
- Target
  
  9859a4209ac3b00448b7552b993ff8120f0e7e7568b1c7ae55bf1f104889b3e7.bat
- Size
  
  1KB
- MD5
  
  168bcc063501d191d82aaa3a32741a12
- SHA1
  
  4920bb4feb3483412b8ab9ae800900e56c1bcf2a
- SHA256
  
  9859a4209ac3b00448b7552b993ff8120f0e7e7568b1c7ae55bf1f104889b3e7
- SHA512
  
  83e525ac798bd5afdd32c0fc223237e9fbe703ff1dd517d516f11064c37c2a61b47c5283f40d7c16f8adc97cd9c2fd2f78bf3d930352625accb0b2f118eed392
Score

7^/10
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
behavioral13 behavioral14
- Target
  
  Global B seed calculator.exe
- Size
  
  1.4MB
- MD5
  
  f7b044de5d0f3a6e69b6d092818e90b6
- SHA1
  
  93c5829f1b150ed65e87fb2ea16ea30188330d79
- SHA256
  
  5b4e8d189744d5082cf18c333f6cbe70a4363486374b8a8f8355fc19b164ba13
- SHA512
  
  95b06ab5484e42ff9728cecc9fe5e7ac816098f60f9fcf0eeee44c6aa12e34ba0f0094bfcb58275a80e2619e59bcd61c0d80b15e7c4019be0b38900cccaee28a
- SSDEEP
  
  24576:Vl0tHIJmHPhWeex7DNcyGeqnFBGVpDvh/WmAB80lB7HF:VykmHfextaF4VpM
Score

4^/10
behavioral15 behavioral16
- Target
  
  a713b4f480f15ef37e9f69efbe6ce77c9a24db0176d4225091d6910ab4daf0f4.exe
- Size
  
  128KB
- MD5
  
  4b3258b5521572d8581a78d2fd31a963
- SHA1
  
  a531f9dbe235ce112e82a0085bc88609f9b47b3f
- SHA256
  
  a713b4f480f15ef37e9f69efbe6ce77c9a24db0176d4225091d6910ab4daf0f4
- SHA512
  
  92962c64c6321dbd246f78ca2e3c971bb05bc504d59e1b8401a0c8ccd2cadfa198885dc0404c4b3b74b267ff597a0f370624b7792762a9df4c307f195229fb85
- SSDEEP
  
  1536:OO0PEh1LSntwC61a6iBfMXeGMv+wbVh/pv4wxwzTXvipAtboF0ML3OAw:OOb1L02Q64GMv+wbVh/tivm+oF0qOAw
Score

3^/10
behavioral17 behavioral18
- Target
  
  aeb663f8d0523fa21c265cc50ddb6eca80a8eb593d34520acd79c7da0cec02c6.exe
- Size
  
  3.3MB
- MD5
  
  28a4a09341c156bb01fb9a04e642a680
- SHA1
  
  1619cb184b76a57af2ec4a03f361a1bb2185a4cc
- SHA256
  
  aeb663f8d0523fa21c265cc50ddb6eca80a8eb593d34520acd79c7da0cec02c6
- SHA512
  
  a260a206de15cbad95d909941b55486a6e666e49cf3cba9ca24ac15cc7d0d691eeda13f920c78bcbf799a0189665e5ac4e00994014c0e6a996ffd12265932ba3
- SSDEEP
  
  768:CeMFhqVJ+Fw7dIZD4JoiIEPyH1zeEJ+ymup:cSJ0w7dAiRy8ELp
Score

3^/10
behavioral19 behavioral20
- Target
  
  b029b40badab029cbd916ab2e5147e9f01abd147e1bf9e5ed1564ee44a0d087f.msi
- Size
  
  3.4MB
- MD5
  
  5d9e72d1e3a99bec71fad561fa95037c
- SHA1
  
  fbc94c649ba3d8bb6c7e1d98e7fdeea40cd395b2
- SHA256
  
  b029b40badab029cbd916ab2e5147e9f01abd147e1bf9e5ed1564ee44a0d087f
- SHA512
  
  8d0311d94a0de8646ec2733530a2db7d2c6e2b03f54e54ac0bc84538a636fe8211e6a582530d9ea8cd02ba08e259d778498d6f29e6744ba45f434d2a87874c97
- SSDEEP
  
  49152:E6rGohlj9szAlopTyWD57kEv53rw6cvOlM3w99xYF/gr/QaTdxKJWNYCILZ:qoSTyqk7vvO8Q9xU/w/QPOI9
Score

7^/10
- Executes dropped EXE
- Loads dropped DLL
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral21 behavioral22
- Target
  
  c98083c89ba696fdc10a9528722e8673f70b0b1872b52fbda472a38d4cfbf350.js
- Size
  
  3.1MB
- MD5
  
  cf54d832051744f8a17d8883bb0d7579
- SHA1
  
  8996b0ea7579eefdc5b143d8e71e00fbabef2749
- SHA256
  
  c98083c89ba696fdc10a9528722e8673f70b0b1872b52fbda472a38d4cfbf350
- SHA512
  
  9918d08bdbcec5213e30cc732dbd0705bcc3a7db08090ae8366a57c9cbbb87296861c75eafb6f239deba92711d7cbacd482f2a25dea0ef96545fe00ae0cb40b6
- SSDEEP
  
  768:aBLsno5sVaEb33OSp4//6AtsaaiIWVibo1WFti/KaqQh:aBLso5sVaEb3+SAtsaaiBwU1WFyKnO
Score

10^/10

vjw0rm wshrat persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral23 behavioral24
- Target
  
  ce7a72d2347fe2011815098caa7b5cb881a97780634ff1354194ab4865a6e0c4.exe
- Size
  
  1.2MB
- MD5
  
  b6401b5b0254dc9b20691f13d6089a9a
- SHA1
  
  0e75de0af345dbbdf3339a945397446cf5b66bbd
- SHA256
  
  ce7a72d2347fe2011815098caa7b5cb881a97780634ff1354194ab4865a6e0c4
- SHA512
  
  8f2f3f961b7f081fac6b1cad1f659e60ead03c3dc0792a22f631016bcaf5b7938d529d898b397f6e1902e363553c5729679bca2052000f2ada4a8db412c5a9f1
- SSDEEP
  
  24576:iR22fuzAfYMJabwTcoqmzuuYe02XJ+jQ5H8II45gbEMgL8:N2fuzuIbHTm7J+9FhG8
Score

1^/10
behavioral25 behavioral26
- Target
  
  dc1bab58ae5af6a4b8051a148d96ae713f319327959225d1860ab910f27e2658.vbs
- Size
  
  6KB
- MD5
  
  6b944c9dc4b760fffb56adf4fecf6764
- SHA1
  
  8fa45d0e0cfc8fcae4f02098dcce116375b221c0
- SHA256
  
  dc1bab58ae5af6a4b8051a148d96ae713f319327959225d1860ab910f27e2658
- SHA512
  
  feb78dc11edb6677e07ec1c58f49b9e2589c0ba4bfc94259aae7cd4f4ec9765a59dad0482015342dd4f64ae421c06c81cdf37ee71a0031ad7dfb111bcfe1920c
- SSDEEP
  
  192:NylNVeJFcd1PmJGfGMG8GGG0GVGKGsGCGIGyGoG5GRGVGlGCOG6GwG6GeGpGiG/J:wlNMJFQPmJGfGMG8GGG0GVGKGsGCGIGJ
Score

1^/10
behavioral27 behavioral28

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Async RAT payload

Suspicious use of SetThreadContext

Unexpected DNS network traffic destination

Executes dropped EXE

Loads dropped DLL

Blocklisted process makes network request

Enumerates connected drives

Vjw0rm

WSHRAT

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28