asyncrat | d1d0c38ef8df250fffe727e3780bf58e7c3488d23ceab02e5d90e2019981da81 | Triage

Submit
Reports

Overview

overview

Static

static

3

NEAS.00699...JC.exe

windows7-x64

NEAS.00699...JC.exe

windows10-2004-x64

Sharing

General

Target

NEAS.00699e7d571857ff1e94e07352cf6c60_JC.exe
Size

1.3MB
Sample

231013-r834paae8z
MD5

00699e7d571857ff1e94e07352cf6c60
SHA1

9be668c2ea96a6549b23af2f6d43865b90725a0a
SHA256

d1d0c38ef8df250fffe727e3780bf58e7c3488d23ceab02e5d90e2019981da81
SHA512

7290983bc8956eb91529f0d75ef5ed37955f05603a1c1fd87c17fc5474966daf17c6cce8e80f0ba1c58651edd52cc235c50e9cdff2069a0f187e5f0bd4e20825
SSDEEP

24576:xxBPi0Fos9qUzo5ZxwJcuYMJQMxD0jLfEAEx9pnFVBPlLCTYpI:bBPi0Fos9/MXmcuYuxD03TExbFv0Yp

Score

10^/10

asyncrat sapphireghost persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

NEAS.00699e7d571857ff1e94e07352cf6c60_JC.exe

Resource

win7-20230831-en

asyncrat sapphireghost persistence rat

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

NEAS.00699e7d571857ff1e94e07352cf6c60_JC.exe

Resource

win10v2004-20230915-en

asyncrat sapphireghost persistence rat

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

SapphireGhost

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:8080

127.0.0.1:11907

127.0.0.1:4444

0.tcp.eu.ngrok.io:6606

0.tcp.eu.ngrok.io:7707

0.tcp.eu.ngrok.io:8808

0.tcp.eu.ngrok.io:8080

0.tcp.eu.ngrok.io:11907

0.tcp.eu.ngrok.io:4444

taaymhost.ddns.net:6606

taaymhost.ddns.net:7707

taaymhost.ddns.net:8808

taaymhost.ddns.net:8080

taaymhost.ddns.net:11907

taaymhost.ddns.net:4444

Mutex

SapphireGhost

Attributes

delay
3
install
true
install_file
SapphireGhost.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  NEAS.00699e7d571857ff1e94e07352cf6c60_JC.exe
- Size
  
  1.3MB
- MD5
  
  00699e7d571857ff1e94e07352cf6c60
- SHA1
  
  9be668c2ea96a6549b23af2f6d43865b90725a0a
- SHA256
  
  d1d0c38ef8df250fffe727e3780bf58e7c3488d23ceab02e5d90e2019981da81
- SHA512
  
  7290983bc8956eb91529f0d75ef5ed37955f05603a1c1fd87c17fc5474966daf17c6cce8e80f0ba1c58651edd52cc235c50e9cdff2069a0f187e5f0bd4e20825
- SSDEEP
  
  24576:xxBPi0Fos9qUzo5ZxwJcuYMJQMxD0jLfEAEx9pnFVBPlLCTYpI:bBPi0Fos9/MXmcuYuxD03TExbFv0Yp
Score

10^/10

asyncrat sapphireghost persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratsapphireghostpersistencerat

behavioral2

asyncratsapphireghostpersistencerat

© 2018-2024

Terms | Privacy