asyncrat | c7e08a1387ca0de53b3df7f03494c34eacbdd651ca1056f4abf8fd4c87cadb10 | Triage

Sharing

General

Target

Sarah_Louise_Harris.zip
Size

5.0MB
Sample

240302-cvgk7sgh6t
MD5

315ec58200accfb0735fb57cef176c12
SHA1

4d03c26f6336d5ddf0930fe689724210e5a54393
SHA256

c7e08a1387ca0de53b3df7f03494c34eacbdd651ca1056f4abf8fd4c87cadb10
SHA512

6a05262c4fc8e92e60d6d7ee2527d5e8a4e6b3cc6cdf75fd56e015649787ddd5d51d1cdcfe6560a2129e30f534665ba9936e2a28e85472d6cb6fa4a134d84b60
SSDEEP

98304:VLn13KEj+sIis/usqLfeFMgrU/CuSzXJqz/7kp2ZQeK3kpybz:VL13KEj+sIb/u/L+U/szEz/7kRBbz

Score

10^/10

asyncrat kalelgato persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

KALELGATO

C2

141.95.84.40:4291

Mutex

askaskaskas

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  '
- Size
  
  5.0MB
- MD5
  
  a21768190f3b9feae33aaef660cb7a83
- SHA1
  
  24780657328783ef50ae0964b23288e68841a421
- SHA256
  
  55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
- SHA512
  
  ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
- SSDEEP
  
  98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x
Score

3^/10
behavioral1 behavioral2
- Target
  
  adsutil.vbs
- Size
  
  96KB
- MD5
  
  40783c2ee0f33af59955a012b68a9923
- SHA1
  
  edf2d5838d271bdc982eecbb24e3d9e5ef715a81
- SHA256
  
  4f49f96a32e4fb64cd6c103ce99a381673988bbd6b83ed8594973aa9ae760f56
- SHA512
  
  aa916093f80fbc8015b845fd21cefc2b3d71d85b02d2ace07efa3c16ace4710c46bee46c5303d97812f6172203d1a666a8edbf9948c770fda4ac123e09ce8887
- SSDEEP
  
  768:8A9i5H/CZoH5RUt4VXZzZq3Wib0aWV8BaKa0BEfEMWDIcVEKu:d9i5H/CZozqxnVEKu
Score

10^/10

asyncrat kalelgato persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Registers COM server for autorun
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

asyncratkalelgatopersistencerat