asyncrat

General

Target

VoidFiles2.zip
Size

664.4MB
Sample

231211-xf51gagbc7
MD5

ecf79752508b52f24a7fdaf273f890b1
SHA1

3c48dc13e7658524ff834fbab1b546338ae2b396
SHA256

91a792fbaa722316a44a273c5696c8eb2c5a509d8d4359c1979e333698286f21
SHA512

9a3fb76590b11e42e00b9b7df35e879ed24490ed1c1689708734e87d2351ead3b8e5ca8fced4913b89257893899c9ce7c8e3fabf16c550ab8eaebdb26e0eeea0
SSDEEP

12582912:WC62Q8eGfBSPQ8i9ONgrdAqFBjxU1ZIOU09mJF7ITTeC7DIVeyElxiD01Lil:WZ3KSPQ8mOQPBjxU1vdATSyCYQ0414

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Metin2

C2

46.105.147.140:1602

Mutex

jhzyryasjjqctxmyu

Attributes

delay
3
install
false
install_file
svchost
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

C2

46.105.147.140:7000

Mutex

29MMEOfEGnVwVjix

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

redline

Botnet

metin

C2

46.105.147.140:56243

Targets

- Target
  
  VoidFiles2.zip
- Size
  
  664.4MB
- MD5
  
  ecf79752508b52f24a7fdaf273f890b1
- SHA1
  
  3c48dc13e7658524ff834fbab1b546338ae2b396
- SHA256
  
  91a792fbaa722316a44a273c5696c8eb2c5a509d8d4359c1979e333698286f21
- SHA512
  
  9a3fb76590b11e42e00b9b7df35e879ed24490ed1c1689708734e87d2351ead3b8e5ca8fced4913b89257893899c9ce7c8e3fabf16c550ab8eaebdb26e0eeea0
- SSDEEP
  
  12582912:WC62Q8eGfBSPQ8i9ONgrdAqFBjxU1ZIOU09mJF7ITTeC7DIVeyElxiD01Lil:WZ3KSPQ8mOQPBjxU1vdATSyCYQ0414
Score

10^/10

asyncrat redline sectoprat stormkitty xworm metin metin2 collection discovery infostealer persistence rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Downloads MZ/PE file
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1