asyncrat

General

Target

index.html
Size

645B
Sample

240229-h2jxsshh5z
MD5

0e42af5ebfa6cdfd249f2abdb123497d
SHA1

cf41a6c23a8ec81bde87b284a1d558cfb4421059
SHA256

a7c90093e472d234feb011738baafc00b902be8f8e6bb714564bdcdbb47b9ea5
SHA512

f8813bf232f1e4805ebe6b6df817e9a33fdadbc72af71ae0d123f3970b198e7b689003484758687f5fe6dcfe2a6a4ad6a58207246c90e57f89af89cfa7377b76

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

TEST

C2

185.172.129.234:34244

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

llffqhbedsi

Attributes

delay
1
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/L6fX3GgP

aes.plain

Extracted

Family

remcos

Botnet

iruka

C2

91.223.3.151:4508

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TG1HDZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  index.html
- Size
  
  645B
- MD5
  
  0e42af5ebfa6cdfd249f2abdb123497d
- SHA1
  
  cf41a6c23a8ec81bde87b284a1d558cfb4421059
- SHA256
  
  a7c90093e472d234feb011738baafc00b902be8f8e6bb714564bdcdbb47b9ea5
- SHA512
  
  f8813bf232f1e4805ebe6b6df817e9a33fdadbc72af71ae0d123f3970b198e7b689003484758687f5fe6dcfe2a6a4ad6a58207246c90e57f89af89cfa7377b76
Score

10^/10

asyncrat redline remcos default iruka test collection discovery infostealer persistence rat spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Async RAT payload
  rat
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1