asyncrat

General

Target

f05e4420dfc79226b34b0f7e3d1a65f1_JaffaCakes118
Size

3.1MB
Sample

240415-fnc6zshg4s
MD5

f05e4420dfc79226b34b0f7e3d1a65f1
SHA1

95c5fc288a628e2fba01879b0dbe0dbbd79ae74f
SHA256

bd887a31360a06cf6094b3b889bf7ec9d835c9642bff6a0ed98bb248f225bf24
SHA512

d427c45f260e9bd38fa5a843c4eeff5482c102ace9b3f083ce015e9ce303dd9c481b70a715764c3cec16c6dc0246ad66f251197945f52a13e4e5eab77542ce38
SSDEEP

98304:qw3BM5HPz7UtPTkJY58taa7RTBQl50HeaCdRd9zojPGuH:qw3EHPzOTkJYla7RTBQl509CdRd9zojH

Score

10^/10

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

whiteshadows.ddns.net:9731

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
microsoft 2.exe
install_folder
%AppData%

aes.plain

Extracted

Family

gcleaner

C2

g-prtnrs.top

g-prtrs.top

Extracted

Family

redline

Botnet

UPD

C2

185.215.113.45:41009

Extracted

Family

redline

Botnet

Liez

C2

liezaphare.xyz:80

Targets

- Target
  
  f05e4420dfc79226b34b0f7e3d1a65f1_JaffaCakes118
- Size
  
  3.1MB
- MD5
  
  f05e4420dfc79226b34b0f7e3d1a65f1
- SHA1
  
  95c5fc288a628e2fba01879b0dbe0dbbd79ae74f
- SHA256
  
  bd887a31360a06cf6094b3b889bf7ec9d835c9642bff6a0ed98bb248f225bf24
- SHA512
  
  d427c45f260e9bd38fa5a843c4eeff5482c102ace9b3f083ce015e9ce303dd9c481b70a715764c3cec16c6dc0246ad66f251197945f52a13e4e5eab77542ce38
- SSDEEP
  
  98304:qw3BM5HPz7UtPTkJY58taa7RTBQl50HeaCdRd9zojPGuH:qw3EHPzOTkJYla7RTBQl509CdRd9zojH
Score

10^/10

asyncrat gcleaner onlylogger redline sectoprat socelars default liez upd discovery infostealer loader rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Async RAT payload
  rat
- OnlyLogger payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2