asyncrat

General

Target

robloxedo.exe
Size

11.1MB
Sample

240506-l8ylbabg89
MD5

d3611d0ab0b97b6d07c7af9a5adb2a1d
SHA1

a5da8163036698bf4d2b8d3508861bd5d2219014
SHA256

4f206fa1d3a1ea145ad327bf8530243d0a58b2f313d80b5c74c11c8cc3f7809e
SHA512

834a7bb8c2133c6e71712963aaccbd70cbdbb7460a96d9347ec8c8e66c9c9e7ad755da60931d3bcef87f45755eb23189306570ecaaa5da237eec898dd4532067
SSDEEP

196608:Xrk0YXXOshoKMuIkhVastRL5Di3unSE3OQMAgV0nEX32zwVv+RQ6Qhm6Ytn:JYnOshouIkPftRL54XnwgVZ3giGKc6Yt

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

Xoshnaw

Botnet

1877

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1877

nerakar.duckdns.org:6606

nerakar.duckdns.org:7707

nerakar.duckdns.org:8808

nerakar.duckdns.org:1877

Mutex

3YeYWvX7BQIk

Attributes

delay
3
install
true
install_file
chroma.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  robloxedo.exe
- Size
  
  11.1MB
- MD5
  
  d3611d0ab0b97b6d07c7af9a5adb2a1d
- SHA1
  
  a5da8163036698bf4d2b8d3508861bd5d2219014
- SHA256
  
  4f206fa1d3a1ea145ad327bf8530243d0a58b2f313d80b5c74c11c8cc3f7809e
- SHA512
  
  834a7bb8c2133c6e71712963aaccbd70cbdbb7460a96d9347ec8c8e66c9c9e7ad755da60931d3bcef87f45755eb23189306570ecaaa5da237eec898dd4532067
- SSDEEP
  
  196608:Xrk0YXXOshoKMuIkhVastRL5Di3unSE3OQMAgV0nEX32zwVv+RQ6Qhm6Ytn:JYnOshouIkPftRL54XnwgVZ3giGKc6Yt
Score

10^/10

asyncrat zgrat 1877 evasion execution rat spyware stealer upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  evasion
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1