asyncrat

Resubmissions

21-11-2023 02:40

231121-c57v5sbf69 10

21-11-2023 02:31

231121-cz55cscc61 10

Sharing

Copy URL

Twitter E-mail

General

Target

6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee
Size

18.0MB
Sample

231121-c57v5sbf69
MD5

ab572c3d1e6ecab24e20a1f858eb57a1
SHA1

76fcdcb011b4edf3f5178ab0e08033d89d628902
SHA256

6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee
SHA512

7354a60e927ddbf44e47d7febb068b3792ade2a9dd96f6ea07d6bb036fff4eaaf19977649e9784c80ba61d3655598e0d82aed333b2cd9610aa35babfb9a7d7bf
SSDEEP

393216:ARFbqnGONtcDEo7nKhgqgLsqpbe9+MxAa+kiUTg5Dqw:ArU13o7ZLsAH5Sdw

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/898655642749915136/Cypher_Rat.exe

Extracted

Family

aurora

37.220.87.13:8081

Extracted

Family

limerat

Attributes

aes_key
123
antivm
true
c2_url
https://pastebin.com/raw/mchxnAbT
delay
80
download_payload
false
install
true
install_name
WindosCert.exe
main_folder
AppData
pin_spread
true
sub_folder
\
usb_spread
true

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

NEW

Mutex

ihouhh

Attributes

delay
80
install
true
install_file
UpdateChromeDay.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/mchxnAbT

aes.plain

Extracted

Family

redline

185.215.113.69:15544

62.204.41.141:24758

45.15.157.131:36457

Attributes

auth_value
971353143dce4409844e1f4f0f5f7af8

Extracted

Family

redline

Botnet

@Miroskati

ofriaransim.shop:80

Attributes

auth_value
384ebbf9bd4d7e80bf3269909b298f87

Targets

- Target
  
  6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee
- Size
  
  18.0MB
- MD5
  
  ab572c3d1e6ecab24e20a1f858eb57a1
- SHA1
  
  76fcdcb011b4edf3f5178ab0e08033d89d628902
- SHA256
  
  6414859077fe3aa6d35f0c46857f950262d487d4ee5b2d92d59f6e205340a1ee
- SHA512
  
  7354a60e927ddbf44e47d7febb068b3792ade2a9dd96f6ea07d6bb036fff4eaaf19977649e9784c80ba61d3655598e0d82aed333b2cd9610aa35babfb9a7d7bf
- SSDEEP
  
  393216:ARFbqnGONtcDEo7nKhgqgLsqpbe9+MxAa+kiUTg5Dqw:ArU13o7ZLsAH5Sdw
Score

10^/10

asyncrat aurora limerat redline @miroskati new evasion infostealer rat stealer upx vmprotect
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Aurora
  Aurora is a crypto wallet stealer written in Golang.
  stealer aurora
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Modifies security service
  evasion
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Async RAT payload
  rat
- Blocklisted process makes network request
- Drops file in Drivers directory
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Aurora

LimeRAT

Modifies security service

RedLine

Suspicious use of NtCreateUserProcessOtherParentProcess

Async RAT payload

Blocklisted process makes network request

Drops file in Drivers directory

Stops running service(s)

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

VMProtect packed file

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2