asyncrat | 042acd0b65bcddee8c08580e6b0a4cd65941801c218f339d3e532dd952252b33 | Triage

Sharing

General

Target

ade48125e600ea0434a894e7c5131462.bin
Size

54KB
Sample

240426-bz98msha78
MD5

73c7ce53453f9d771a86c7cfea66f89e
SHA1

ee29cfadd8ff6df1b92cb50ac8ea11b5facd0a15
SHA256

042acd0b65bcddee8c08580e6b0a4cd65941801c218f339d3e532dd952252b33
SHA512

9c75c394130e1749fb83bdfeb46ba77843b434b6152231bb9b20f6de2072fb5ee4a56f1e0a5b2a50ee2e52a51fe200da7855bc4f86c21ce89cfa2ec03bf3fc1d
SSDEEP

1536:cdxPpndw+im/4af/RmJeRZ3d3tH5P0yKto5+4:e73weprt3tHeyn

Score

10^/10

asyncrat remcos adfly miguelangeles persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

MIGUELANGELES

C2

139.99.133.66:6666

Mutex

asasasa4242asas

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

remcos

Botnet

ADFLY

C2

139.99.133.66:4444

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
asasasas-SEG6JT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  2f7971748b7db79bdd724861d1b463b0489b790b9e60e733dea409f73abf9539.vbs
- Size
  
  227KB
- MD5
  
  ade48125e600ea0434a894e7c5131462
- SHA1
  
  8b5e29fc3d490ebcba5295332c601d8165a67ec5
- SHA256
  
  2f7971748b7db79bdd724861d1b463b0489b790b9e60e733dea409f73abf9539
- SHA512
  
  f0fd0cb6486a79fd11a245900df0cbae4166895fd057847c3e0fa6feacc21fdfc3bbb334e7241e5d0f9474b83e93866cf6207e002301a7546e04cef7b2d04fd6
- SSDEEP
  
  3072:W0k79DqcN+xqgRPB5jzeTMJNHEPenFkCum03pvfpp03pp03pp03pA:jk79DqcgxqgRPBJeQJhEPeQr5
Score

10^/10

asyncrat remcos miguelangeles persistence rat adfly
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Registers COM server for autorun
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

asyncratremcosmiguelangelespersistencerat

behavioral2

asyncratremcosadflymiguelangelespersistencerat