General
-
Target
40ba4a68575cda8b4da56ef2efae3f3c217bf7b78d68c29086e86d324d3ebffa.exe
-
Size
605KB
-
Sample
240415-bg1aqadb8x
-
MD5
78f7efed48c531657b84cd66911c7eef
-
SHA1
eedcf0f081c78adfcefe3e9208bc83b252f1b4aa
-
SHA256
40ba4a68575cda8b4da56ef2efae3f3c217bf7b78d68c29086e86d324d3ebffa
-
SHA512
519a27a1d28e855d2b8c128f8723200ff7f790069f8087a2c6470e8437b12192a444a79ff4024cf278215db718391e770b783dc167ea321efbfc76e2411c26df
-
SSDEEP
12288:JvqsfIozrJqppjn1rmq12WaD+1Fri1xbcR:h9vrMjn1r5aCjg9cR
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
40ba4a68575cda8b4da56ef2efae3f3c217bf7b78d68c29086e86d324d3ebffa.exe
-
Size
605KB
-
MD5
78f7efed48c531657b84cd66911c7eef
-
SHA1
eedcf0f081c78adfcefe3e9208bc83b252f1b4aa
-
SHA256
40ba4a68575cda8b4da56ef2efae3f3c217bf7b78d68c29086e86d324d3ebffa
-
SHA512
519a27a1d28e855d2b8c128f8723200ff7f790069f8087a2c6470e8437b12192a444a79ff4024cf278215db718391e770b783dc167ea321efbfc76e2411c26df
-
SSDEEP
12288:JvqsfIozrJqppjn1rmq12WaD+1Fri1xbcR:h9vrMjn1r5aCjg9cR
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Async RAT payload
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables (downlaoders) containing URLs to raw contents of a paste
-
Detects executables containing URLs to raw contents of a Github gist
-
Detects executables referencing Discord tokens regular expressions
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing credit card regular expressions
-
Detects executables referencing many VPN software clients. Observed in infosteslers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables using Telegram Chat Bot
-
Detects executables with interest in wireless interface using netsh
-
Detects file containing reversed ASEP Autorun registry keys
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-