asyncrat

Sharing

General

Target

45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf.exe
Size

3.8MB
Sample

240408-br6v9ace61
MD5

1b018d9d77edf9c08d39bc6080cf50d2
SHA1

b24d472f1cb43e0c114de888e9726a6cb8fafca3
SHA256

45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf
SHA512

854a81e05309fe51efd17a49f00f2cd95a01a815923b27b055296b1e5ca8c5c718b2bbaabf0bdafce3019201c26c63ecc199a9210cacbf12d5d110b888f395f4
SSDEEP

98304:rwcCJEcjXKOFlOd/iZujgERMOarjSaoYI6gYo1je:rVaawOd/vMsMOaPI6To1je

Score

10^/10

Malware Config

Extracted

Family

xenorat

dgorijan20785.hopto.org

Mutex

Xens_nd8918d

Attributes

delay
5000
install_path
appdata
port
4488
startup_name
rar

Extracted

Family

asyncrat

Version

0.5.6A

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

v5tvc4rc3ex7

Attributes

delay
5
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

2024+Apre2-new

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-3MW33TC

Attributes

gencode
XE9EWd209YcQ
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

darkcomet

Botnet

New-July-July4-02

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes

gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

darkcomet

Botnet

New-July-July4-0

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes

gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

45.74.4.244:5199

dgorijan20785.hopto.org:5199

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

Targets

- Target
  
  45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf.exe
- Size
  
  3.8MB
- MD5
  
  1b018d9d77edf9c08d39bc6080cf50d2
- SHA1
  
  b24d472f1cb43e0c114de888e9726a6cb8fafca3
- SHA256
  
  45503927f90fe4aeae2c91c6f13d3a647338f44565cc2ca26ba0c1d49968c9bf
- SHA512
  
  854a81e05309fe51efd17a49f00f2cd95a01a815923b27b055296b1e5ca8c5c718b2bbaabf0bdafce3019201c26c63ecc199a9210cacbf12d5d110b888f395f4
- SSDEEP
  
  98304:rwcCJEcjXKOFlOd/iZujgERMOarjSaoYI6gYo1je:rVaawOd/vMsMOaPI6To1je
Score

10^/10

asyncrat babylonrat darkcomet warzonerat xenorat 2024+apre2-new new-july-july4-0 new-july-july4-02 infostealer persistence rat trojan upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Babylon RAT
  Babylon RAT is remote access trojan written in C++.
  trojan babylonrat
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Async RAT payload
  rat
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables containing SQL queries to confidential data stores. Observed in infostealers
- Detects executables embedding command execution via IExecuteCommand COM object
- Detects file containing reversed ASEP Autorun registry keys
- UPX dump on OEP (original entry point)
- Warzone RAT payload
  rat
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Babylon RAT

Darkcomet

WarzoneRat, AveMaria

XenorRat

Async RAT payload

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Detects executables embedding command execution via IExecuteCommand COM object

Detects file containing reversed ASEP Autorun registry keys

UPX dump on OEP (original entry point)

Warzone RAT payload

Drops file in Drivers directory

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2