asyncrat

Sharing

General

Target

dfe21baea2a1898113da529289fb1b29
Size

3.1MB
Sample

240326-xq8t4shg28
MD5

dfe21baea2a1898113da529289fb1b29
SHA1

c70700683d67f169d208c245e7c77f3e9e0ef24f
SHA256

6f35ab9d6aed8b8df1754149da79be5cdadae7b5366e8f2be46d9370f7e920c0
SHA512

974190730bf2b3d68728ab24ce3798bc6a174e83bf9ef7faed7e746c10803a20801337e4d687c54f21df82f79d3fd208d8bfdf0ea3262eb9de593e387ce93bef
SSDEEP

98304:1N/rg6gL9U8iiQ1NOIo9aHg0UerlpZibnEgHf8pdF:jGL9UPV1gvaHCeZgnEg/u

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://ia801503.us.archive.org/18/items/cmd_20210302/CMD.TXT

exe.dropper

https://ia801508.us.archive.org/11/items/server_20210419_0848/Server.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://ia601409.us.archive.org/31/items/SNEPSE/SNEPSE.txt

exe.dropper

https://ia601508.us.archive.org/11/items/vbs_startup_update/vbs_startup_update.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://ia601503.us.archive.org/13/items/startup_20210219/Startup.txt

exe.dropper

https://ia601408.us.archive.org/2/items/server_20210224/Server.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://ia601408.us.archive.org/18/items/server_20210428_0903/Server.txt

exe.dropper

https://ia801402.us.archive.org/6/items/bat_20210331/bat.txt

Extracted

Language

ps1

Source

URLs

exe.dropper

https://onedriveupdate.net/Def/GoogleUpdate.bat

exe.dropper

https://archive.org/download/cc1_20210403/cc1.txt

exe.dropper

https://onedriveupdate.net/Defender/Microsoft.png

exe.dropper

https://onedriveupdate.net/Def/all.bat

exe.dropper

https://onedriveupdate.net/Def/all.txt.lnk

Extracted

Language

ps1

Source

URLs

exe.dropper

https://archive.org/download/bat_20210322/bat.txt

exe.dropper

https://archive.org/download/ch1_20210330/ch1.txt

exe.dropper

https://archive.org/download/google-update.txt/GoogleUpdate.txt.lnk

exe.dropper

https://archive.org/download/startdefender/startdefender.txt

exe.dropper

https://archive.org/download/codeali/codeali.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://ia801400.us.archive.org/0/items/bat02/bat02.txt

exe.dropper

https://ia601505.us.archive.org/10/items/server_20210407_0725/Server.txt

Extracted

Family

remcos

Version

3.1.4 Pro

Botnet

RemoteHost

194.5.97.183:8888

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-I7JWWI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Extracted

Family

remcos

Version

3.1.5 Pro

Botnet

RemoteHost

185.19.85.168:8888

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-6MZBDK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Extracted

Family

nanocore

Version

1.2.2.0

103.147.184.73:6710

127.0.0.1:6710

Mutex

8baa2875-f63e-4a2e-afee-b90bd3b663ce

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-04-25T13:18:56.232824736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6710
default_group
HBOY
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
8baa2875-f63e-4a2e-afee-b90bd3b663ce
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
103.147.184.73
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

185.19.85.168:8888

216.230.75.62:1107

103.149.13.196:8621

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

netwire

185.19.85.172:1723

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

warzonerat

103.147.184.73:5719

Targets

- Target
  
  ALL.txt
- Size
  
  1KB
- MD5
  
  e10ccf0df3bde87d260ae2e058d21695
- SHA1
  
  7f8d334707d840b7e14a4cbd1c66af0926a32e2f
- SHA256
  
  b8ae83fe360ccdff72f83b7fe889c1639804c03d59452dfaeabacfa12e5b2830
- SHA512
  
  826b0e61d29a22c0ba07d8851f1fe54aa5afa7c73b973cc4ebfe84222f7f5806f58ee28b9374e03d0c45ca3a47216c71e5278e10bd1530dd6e57511bdace3058
Score

8^/10
- Blocklisted process makes network request
behavioral1 behavioral2
- Target
  
  ALL_2542.txt
- Size
  
  3KB
- MD5
  
  e566227772aa8b231f0f4f6bb26c5226
- SHA1
  
  9f9e0fa509ac16ccda57118aefa1cc17d9cc1086
- SHA256
  
  b84a4fd7e50b874f58cec583afa47122c5df0d2e877cc2cb214c5d966041f20f
- SHA512
  
  e7da2b75ea4fd3f197caf9917c759887616cf80ac63716f8a771d2b7bc964595f9520e23ea90192407a2b9a4e29d2a4e616aac8bcb315c1867f82705287991b2
Score

1^/10
behavioral3 behavioral4
- Target
  
  ALL_LLLLLLLLLLLLLLLLLLLOOOOOOOOOOOOOOOLLLLLLLLLLLLLLLL_34567890.txt
- Size
  
  3KB
- MD5
  
  646f1640760609657e234cb71760c8d9
- SHA1
  
  2a7bd40d48c0230337888c3fe9e55b9b0c29aede
- SHA256
  
  3727093267004d53bc9942dbaeb64c0a33dfbbbbfac0f86cbeb1b05085e93466
- SHA512
  
  add034d30a08bf540153ce5502acface6a23fe088d2d7806335d6317cd3e519c4a1e00ef36f4ce4446a8462b83a54087769eff2c11c2b9da600b060e7e0e2068
Score

1^/10
behavioral5 behavioral6
- Target
  
  ALL_jjnb.txt
- Size
  
  3KB
- MD5
  
  7639ce98636cbcbc33776ceaff693d58
- SHA1
  
  ef5c25e840df022d2dab20bcb11d6bd1a7fe4668
- SHA256
  
  6a4b4cab55933522b7c1a461ea223ab189395c24881be261f01ba17385fe4f7e
- SHA512
  
  c124254ab402710aee83cb72865c078f19cceaf1a1bce39fdb9e7192738f75d7f9802ba1e97271a0da92765c0f13aa630ebec6e5a908c2715e820060ab0b4093
Score

1^/10
behavioral7 behavioral8
- Target
  
  ALL_kkkkkkkkkkkkooooooooookkkkkkkkkkkkkkk.txt
- Size
  
  3KB
- MD5
  
  82b03449ba40acce677c446e285cf2d3
- SHA1
  
  3d1a33cb55e24e2d1ecc7866fd1d6c1a81ed9c16
- SHA256
  
  448136ff34f3cab65705872be94f84ed8d30b934aa00729d41a455497e62184c
- SHA512
  
  04e4233ad0bf018c86b9555164ba7a8c8a6e1b9e04797d752196ec36d5a05f7b9515e0e1e41b9a875e6890d3df2b88f874ba7f02593f969cf669ff13d530daa7
Score

1^/10
behavioral10 behavioral9
- Target
  
  ALL_stealer_newww_23435656787989.txt
- Size
  
  2KB
- MD5
  
  770cd5779b4c0cb20003dbc36f2b54dd
- SHA1
  
  ed5dcf2504e87e45c5b3e65d0442f2e6e3b43717
- SHA256
  
  5b939997aba79215a7ca93894170b49da9222b14204efe96157220af8f1a49d3
- SHA512
  
  9d865c8360955c53d92ffc816c69980ea70d673dd017264b3251a71f6d3160a11bed2a527cef69d6a94faa59d63d3caec83d91e3e72527b566580741c5753114
Score

1^/10
behavioral11 behavioral12
- Target
  
  Server.txt
- Size
  
  1.6MB
- MD5
  
  b5795726bb04f5f9584184ae1f50777b
- SHA1
  
  91b250e76c41066a009b70200c5254a40980228b
- SHA256
  
  5d9ba7ab51a7d06ad420cb23f7c1e02b911fe2e25d7af1eebe25d1690231d784
- SHA512
  
  10ba2e523af4ccdf3e1e0867aa4d50a58919f5d39073bac17a8ab491f5ce09bcbda0730b9485a503adccfa323642b19e29879a0ad88f609d683080b668ef95fb
- SSDEEP
  
  6144:Bc4OfuoxyrvHyRmUVWZatYgOXqrDSArJFDN:xpul
Score

10^/10

zgrat rat remcos remotehost
- Detect ZGRat V1
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  Server_1faa.txt
- Size
  
  1022KB
- MD5
  
  237ee8e11875f3993a29a61d6d20d09c
- SHA1
  
  96b8e653f486975e420dba4d7e25736627543080
- SHA256
  
  28be1304d7a2f20f015672afe5d72fd287a251f07a7a06b30c57685ae27ce0f8
- SHA512
  
  89f7154aa8272cff8df9b89ac8adaec84343a26ac9157720cfbbdf00a7da688e6731006c1f0ea48d77167f740216cc6157bcb4c66a8d261f4bc67d02598a88b9
- SSDEEP
  
  12288:Vm8eHNHc142NYv5rNHI4ppN5mAy5BmqgJr64Zdy670D1wp6gPC9GJTgjse0YRVF1:006uFuaj
Score

10^/10

remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  Server_77251.txt
- Size
  
  1022KB
- MD5
  
  2352e6c5e2c71eadedc4b1d1a75eac79
- SHA1
  
  4467d978577f2ed268cac8e3027f07637c890de7
- SHA256
  
  b12ae24085460abf05fccc1b18438a6894fb7ac6018ee7d35f033911aa4f8ba0
- SHA512
  
  5937c03b23cf2ff6992491259c73e7bbcdc3ce3780c373cfeb484eaea0933263f10c270132a61f745e5776fd335ebb83ce77162567c6d958f87632b416f96e5e
- SSDEEP
  
  12288:Bm8eHNHc142NYv5rNHI4ppN5mAy5BmqgJr64Zdy670D1wp6gPC9GJTgjse0YRVFU:g06uFBaj
Score

10^/10

remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  Server_LLLLLLLLLLLLLOOOOOOOOOOOOOOOLLLLLLLLLLLLLLL_45675435465678.txt
- Size
  
  515KB
- MD5
  
  339fd47dbecb8574ae6f8771034c41cc
- SHA1
  
  03d9bec2f5e5da35c76c75428f3de001e1a3feef
- SHA256
  
  e206e6828623f5b5798137d87457176444418946ebabf902bd39bc05e73a8447
- SHA512
  
  c02aaba41bcfb4a40952246fc2cfcf215ff241fa951cadf6470dfffaced46e512d0973dd2c30ac928844f1fefd3d0317c8bc2c8cae3b0593ad63b11caeb62ba0
- SSDEEP
  
  6144:ct08l5UU0ggfgvF88+/+YXcNMFJEz7YlR9epsRWO6BBY1muAirbd:TJc7M8BMj
Score

10^/10

nanocore keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  Server_asnn.txt
- Size
  
  200KB
- MD5
  
  5a46f618eb96097cf1ba0cef8d21b4f6
- SHA1
  
  32e8ef3358c42a9b8fec743e6db027e426153343
- SHA256
  
  eeadb25a0452957734ff500887bdd77ddfee0f925c58ed81b68ddc8677406315
- SHA512
  
  650aebf29c4ad32130ecdf6c7a8df59e90d08acbf346e1f76d55de9c97c798acc3c3d4e5032dcce32eac674d430c1e53372ef65d22a7aa84f8f1ec3618f93305
- SSDEEP
  
  3072:0n3FSCub20xXQ3ApL8X/g1o1vZvuAirbd:0n3td3ApMY1muAirbd
Score

10^/10

asyncrat default rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  Server_lkmm.txt
- Size
  
  431KB
- MD5
  
  f3bbcf28264047524b0b16a20bb21340
- SHA1
  
  fbf285e21112e4d7a484ef8cf90457fee27f2bd8
- SHA256
  
  060e0c047d589d6d8e03ab222d1f0ca47125cb4208395c2b31e74826c551e6e6
- SHA512
  
  927479f310f3d339b0558fdbc8aa37cf8a31b8fa1adf39aec3a524031665855465055cfee84ee7f1e32751a524f9c29e2cfffcef006822f1bc97b95e95eb6bd3
- SSDEEP
  
  12288:cvPBMdT3nt3cPA17+zZ6pmtPK22Qa8HWT2hc8ivjG5A8QvmZjgT+C3c+tER2YMe8:qzEj
Score

10^/10

netwire botnet rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Suspicious use of SetThreadContext
behavioral23 behavioral24
- Target
  
  Server_lol123.txt
- Size
  
  762KB
- MD5
  
  10305a80924712940646cca278cee796
- SHA1
  
  6db80d4b3828f14ae105df2ba8ab3eccf2ab682f
- SHA256
  
  2ec32c9efdb4ba49efc12bfda4ebc8dde498c618e3746f71ba72da884f8573c0
- SHA512
  
  7efc040a317bcd3b5f3692f5930ecfea7cd4c52dd65727ed0c24907d3c01a142fb0f9b805cd21743ab635d1c00e8c4f3da0d2d8384dce308c7c296f2a1369c09
- SSDEEP
  
  6144:ZWG30D0btNi7GUMC0a4dqWzYnx6fLRNmgvlFw9GMC68jDnyZT1JUOCN3N4mGNY/N:LZtnNqONsZtnNqOg
Score

10^/10

asyncrat default rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Suspicious use of SetThreadContext
behavioral25 behavioral26
- Target
  
  Server_lol_123.txt
- Size
  
  762KB
- MD5
  
  1ef210e44c2f164c6b788b900ac4ce32
- SHA1
  
  f56f4937589a59358064d6130f40da9347c5f74f
- SHA256
  
  7b8a03c6807998387600ac79caf1ce7838d4313419965328191ba66635fa4e37
- SHA512
  
  7b0a09b0e6d3ebb4b1aff182f046c3abfd9da1ea9a4c0d4de0a73ffad0e8ce44cccb73e05f74aa933bc41292c870c3ec86a647953e3de31df01691d99cb98adb
- SSDEEP
  
  6144:ZWG30D0btNi7GUMC0a4dqWzYnx6fLRNmgvlFw9GMC68jDnyZT1JUOCN3N4mGNY/r:LZtnNqOM3zZtnNqOg
Score

10^/10

asyncrat default rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Suspicious use of SetThreadContext
behavioral27 behavioral28
- Target
  
  Server_lolllllllllllllllllll_kkkkkkkkkookkkkkkkkkkk_2345678980.txt
- Size
  
  306KB
- MD5
  
  34446cf1dce57c6bbf4f44aa5d3675fb
- SHA1
  
  b4efe197fbcbe28beda44ede2ef8516ed951a0c9
- SHA256
  
  0f93f99cacceffa66e7b39641991bc99b4cbe5aac7b63f4cd21f55147a55971a
- SHA512
  
  d198f6cf552c4333ac255de119e4bea111d759c030b9da3a52700cc0a91cdcc122c70fe21ce068a137ff5bc40a42b99437c522ac473b2a6c0d45f85f31c03a31
- SSDEEP
  
  6144:p1V/V9xOh9RfHD60Q/i0RB9cthBjDOaqIQrIcGPnY1muAirbd:p1V/xONW/iHyj
Score

10^/10

warzonerat infostealer rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Suspicious use of SetThreadContext
behavioral29 behavioral30
- Target
  
  Server_stealer_newwwwwww_345675743567.txt
- Size
  
  2.0MB
- MD5
  
  fccdd6525ce8c770cf10d365a1c5a62a
- SHA1
  
  9eae52d447bcd24f6b93da225360fb216aa18dee
- SHA256
  
  e16cc0c0aa552685a1475659f0c89b73446532c62e9ac49dc979ecef323f4f31
- SHA512
  
  7a1bd82a9ed08f95709485ab951ca56c00913292b4181694dfe98ae2c0c43c6f1e559fe9a4f6b1b3ebcc9a0db99d963e15a5faaec948c2f5b74a897a27260d1e
- SSDEEP
  
  6144:S1V/V9xOh9RfHD60Q/i0RB9cthBjDOaqIQrIcGPWCf:S1V/xONW/iHT
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Blocklisted process makes network request

Detect ZGRat V1

Remcos

ZGRat

Suspicious use of SetThreadContext

Remcos

Suspicious use of SetThreadContext

Remcos

Suspicious use of SetThreadContext

NanoCore

Suspicious use of SetThreadContext

Suspicious use of SetThreadContext

NetWire RAT payload

Netwire

Suspicious use of SetThreadContext

AsyncRat

Suspicious use of SetThreadContext

AsyncRat

Suspicious use of SetThreadContext

WarzoneRat, AveMaria

Warzone RAT payload

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32