asyncrat | 44a6344f92cd1c3b44c1a6ffa47b1c9bef04261f06f2c523e674ec8eeafe73a8 | Triage

Submit
Reports

Overview

overview

Static

static

1

fb6aca6ece...18.vbs

windows7-x64

fb6aca6ece...18.vbs

windows10-2004-x64

Sharing

General

Target

fb6aca6ece036febbbec836dd55d1126_JaffaCakes118
Size

1.5MB
Sample

240419-3k1t7sbc7z
MD5

fb6aca6ece036febbbec836dd55d1126
SHA1

d9b521b67eae457b24cdb8f31665f7f276e4a14a
SHA256

44a6344f92cd1c3b44c1a6ffa47b1c9bef04261f06f2c523e674ec8eeafe73a8
SHA512

388eec18ef7727f1d1e54d4a8ae268ae7530fa315e01a9a1bce947d77369574fe05632e37b3809574793f96f3b129d567ecb6dea01d8b79afd35f240f38f4a39
SSDEEP

24576:Or4MUjzwp6YZcyXFt7J7UMx7F0l3ad42GdIUtBa71AakYeZyXFW7ROUMx4M6A:OkQ6m5t7dlUAUq7eKW7APp

Score

10^/10

asyncrat nanocore zgrat evasion keylogger persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

fb6aca6ece036febbbec836dd55d1126_JaffaCakes118.vbs

Resource

win7-20240215-en

asyncrat nanocore zgrat evasion keylogger persistence rat spyware stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

fb6aca6ece036febbbec836dd55d1126_JaffaCakes118.vbs

Resource

win10v2004-20240412-en

asyncrat nanocore zgrat evasion keylogger persistence rat spyware stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

sys2021.linkpc.net:11940

191.96.25.26:11940

Mutex

c687c38e-2b2d-4d96-b5eb-9a31ccba603d

Attributes

activate_away_mode
true
backup_connection_host
191.96.25.26
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-01-31T11:35:52.654855036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
11940
default_group
Sys
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
c687c38e-2b2d-4d96-b5eb-9a31ccba603d
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
sys2021.linkpc.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

asyncrat

Version

0.5.2

C2

sys2021.linkpc.net:6606

Mutex

cd6-c2e0e3fbeef6

Attributes

delay
0
install
false
install_file
notepad.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  fb6aca6ece036febbbec836dd55d1126_JaffaCakes118
- Size
  
  1.5MB
- MD5
  
  fb6aca6ece036febbbec836dd55d1126
- SHA1
  
  d9b521b67eae457b24cdb8f31665f7f276e4a14a
- SHA256
  
  44a6344f92cd1c3b44c1a6ffa47b1c9bef04261f06f2c523e674ec8eeafe73a8
- SHA512
  
  388eec18ef7727f1d1e54d4a8ae268ae7530fa315e01a9a1bce947d77369574fe05632e37b3809574793f96f3b129d567ecb6dea01d8b79afd35f240f38f4a39
- SSDEEP
  
  24576:Or4MUjzwp6YZcyXFt7J7UMx7F0l3ad42GdIUtBa71AakYeZyXFW7ROUMx4M6A:OkQ6m5t7dlUAUq7eKW7APp
Score

10^/10

asyncrat nanocore zgrat evasion keylogger persistence rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect ZGRat V1
- Modifies WinLogon for persistence
  persistence
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

asyncratnanocorezgratevasionkeyloggerpersistenceratspywarestealertrojan

behavioral2

asyncratnanocorezgratevasionkeyloggerpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy