asyncrat | 9b18ec35cd15fc61fa3ab053e2d83994c78cb7a7f66a3560bae910550463c039 | Triage

Sharing

General

Target

f7254a9c08493d0d105dfb942b7a0137_JaffaCakes118
Size

354KB
Sample

240418-ds2c9she64
MD5

f7254a9c08493d0d105dfb942b7a0137
SHA1

97dc52f9cf1571383abbc373020e1750dddc25ce
SHA256

9b18ec35cd15fc61fa3ab053e2d83994c78cb7a7f66a3560bae910550463c039
SHA512

d704757022983df98618ed4d227d85416d06f264e676fa1bf824fdcef388b4e06b3cfbaaa4698a882e50e000dee4865ad63a4b34c64bf0447a5708b00051894e
SSDEEP

6144:l+8J4dJZ5rq74bvKZKgODJ++zzqurh0V+WPzvIY+u3D+B8wsccBtSoPG:ALdtDbCKDhaYhozvlxT+BVsccDm

Score

10^/10

asyncrat remcos default host persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:2510

194.5.98.81:2510

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
20
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

194.5.98.81:7123

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
mstsc.exe
copy_folder
remcos
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_lfqwkauxufogluh
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  PDA ORDER.exe
- Size
  
  423KB
- MD5
  
  d516c57c54c6c65ff050e16e871e71e2
- SHA1
  
  4ca54d94edec79b304a6b4d85e7d5d0dc87407ac
- SHA256
  
  74615bedcd52ff089b0ed9dede11c46cd27de39b0b52c309ad71175e79e53868
- SHA512
  
  e7125e5bc1ec11ab6c2961ca1aecb22de09e194bfad31d0309815522706580aff9acbfaac309aef0a4f4d8de0811e8bd9444ca46d6bd2838f54d1ba84764eddb
- SSDEEP
  
  6144:IHbY645rq7qbvKZKgOxJY+zzqArh0VuWPzvgY+u3j+B8wsOcBtSoA:gtQTbCKDRaOhGzvdxT+BVsOcD
Score

10^/10

asyncrat remcos default host persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

asyncratremcosdefaulthostpersistencerat

behavioral2

asyncratremcosdefaultpersistencerat