asyncrat | 873b8e34ed1b21cbcda6a874999ddb1e7a5513405b9e9327fcddc7965e79da8a | Triage

Submit
Reports

Overview

overview

Static

static

updater.exe

windows10-2004-x64

Sharing

General

Target

updater.exe
Size

11.0MB
Sample

240509-ejg4pshd8v
MD5

2aef09aa9d8c5abc0efc5ecdffe3d989
SHA1

a88b9c34bdd7fb19157be127daae59e82e206b7c
SHA256

873b8e34ed1b21cbcda6a874999ddb1e7a5513405b9e9327fcddc7965e79da8a
SHA512

006ca7e278eeb0a827e91722974ba6aa9aa5fdfa6c250eedce5bd6d7012dedbdd80b363f17847114bfd9a044131f44465c6d155b26a6170d109df240dab9cd5d
SSDEEP

196608:grk0YXXOshoKMuIkhVastRL5Di3unSE3OQMAgtrQn/CsMPNRRT:6YnOshouIkPftRL54Xnwg5iCsWN

Score

10^/10

asyncrat blankgrabber 1877 execution rat spyware stealer upx

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

updater.exe

Resource

win10v2004-20240508-en

asyncrat 1877 execution rat spyware stealer upx

windows10-2004-x64

19 signatures

30 seconds

Malware Config

Extracted

Family

asyncrat

Version

Xoshnaw

Botnet

1877

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1877

nerakar.duckdns.org:6606

nerakar.duckdns.org:7707

nerakar.duckdns.org:8808

nerakar.duckdns.org:1877

Mutex

3YeYWvX7BQIk

Attributes

delay
3
install
true
install_file
chroma.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  updater.exe
- Size
  
  11.0MB
- MD5
  
  2aef09aa9d8c5abc0efc5ecdffe3d989
- SHA1
  
  a88b9c34bdd7fb19157be127daae59e82e206b7c
- SHA256
  
  873b8e34ed1b21cbcda6a874999ddb1e7a5513405b9e9327fcddc7965e79da8a
- SHA512
  
  006ca7e278eeb0a827e91722974ba6aa9aa5fdfa6c250eedce5bd6d7012dedbdd80b363f17847114bfd9a044131f44465c6d155b26a6170d109df240dab9cd5d
- SSDEEP
  
  196608:grk0YXXOshoKMuIkhVastRL5Di3unSE3OQMAgtrQn/CsMPNRRT:6YnOshouIkPftRL54Xnwg5iCsWN
Score

10^/10

asyncrat 1877 execution rat spyware stealer upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Process Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

asyncrat1877executionratspywarestealerupx

© 2018-2024

Terms | Privacy