General

  • Target

    http://gff

  • Sample

    240411-n9ekyabb63

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

rat1

C2

xfreddy2751.duckdns.org:6606

xfreddy2751.duckdns.org:7707

xfreddy2751.duckdns.org:8808

darkstorm275991.ddns.net:6606

darkstorm275991.ddns.net:7707

darkstorm275991.ddns.net:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    License.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Default

C2

mrreport.duckdns.org:6606

mrreport.duckdns.org:7707

mrreport.duckdns.org:8808

darkstorm2751.duckdns.org:6606

darkstorm2751.duckdns.org:7707

darkstorm2751.duckdns.org:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Async RAT payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks