asyncrat | app_any_run[.]rar

General

Target

app_any_run.rar
Size

27KB
MD5

818b626fe5521aa9f85e6097cd79b642
SHA1

289f85840eb2805c4cc5d307fd312b0079bd4073
SHA256

4ddb9f4ee3827f468354af0ab8dcb71a2aa8f8637fa8fcbb63e083b4fa5b2d77
SHA512

b06bb6bf4b0f342bd557aeab66c43c86f06bac0c5899a467b97a2e9b602ef25dc07286b5af79915dcd41d4857e24c1263b201c29fa05c4ef3facff2908c01117
SSDEEP

768:3F9kJ3iEJS3tWuMhwQznlIJ0aLlYLLYmlwC:3fMiKS3tEwQznqaaZYJ

Score

10^/10

rat dominios 777 asyncrat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://live.sysinternals.com/Sysmon.exe

exe.dropper

https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig-with-filedelete.xml

Extracted

Family

asyncrat

Version

1.0.7

Botnet

DOMINIOS 777

C2

liverpool777.duckdns.org:7094

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

Async RAT payload 1 IoCs

rat

resource	yara_rule
static1/unpack002/4eb22bcde9c1f6978506647ab39e9e4245cb4bde3a359c0348e37ec3f9c12116	family_asyncrat

Asyncrat family
asyncrat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack002/4eb22bcde9c1f6978506647ab39e9e4245cb4bde3a359c0348e37ec3f9c12116

Files

app_any_run.rar
.rar

Password: 123
app_any_run_conf_audit.ps1
.ps1
malware.zip
.zip

Password: infected
4eb22bcde9c1f6978506647ab39e9e4245cb4bde3a359c0348e37ec3f9c12116
.exe windows:4 windows x86 arch:x86

Password: 123

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 43KB - Virtual size: 42KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

Password: 123

Password: infected

Password: 123

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 43KB - Virtual size: 42KB

.rsrc Size: 3KB - Virtual size: 3KB

.reloc Size: 512B - Virtual size: 12B

.text
Size: 43KB - Virtual size: 42KB

.rsrc
Size: 3KB - Virtual size: 3KB

.reloc
Size: 512B - Virtual size: 12B