asyncrat

General

Target

lmg_Angeia_Whlt_phto.zip
Size

5.0MB
Sample

240509-kr464ahe8w
MD5

876bf40ded4b67675eff104f2f89b21b
SHA1

5801a33a94a2a8a81ed5081a6e97c1260bc382d1
SHA256

046dd3e5190fd5fd304920b5388087f82b86df15061de3cbdd51c7a53d74b7cf
SHA512

3dfcb48a4e6af965459d8ba2fbb7e29fc2746f75b9be3bb9a68623dbeb71107ba8d69f150ea43b6540c735b71d5294e4bae0fc00ae93c8245cedbc63e2f49f21
SSDEEP

98304:SsN5V32ojes6QAmOwL/WhoapYxUWUTzPkbR90jYpcE03650K:SsNv32ojes69mVL+Yx6T4bR90j5K

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

MATIDOWN2

C2

141.95.84.40:6465

Mutex

wcawcaw

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

remcos

Botnet

xxx1

C2

141.95.84.40:6468

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
asasas-3248IW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

xenorat

C2

141.95.84.40

Mutex

asasaa33d3a143vaavwwv

Attributes

delay
5000
install_path
nothingset
port
6676
startup_name
nothingset

Targets

- Target
  
  lmg_Angeia_Whlt_phto.zip
- Size
  
  5.0MB
- MD5
  
  876bf40ded4b67675eff104f2f89b21b
- SHA1
  
  5801a33a94a2a8a81ed5081a6e97c1260bc382d1
- SHA256
  
  046dd3e5190fd5fd304920b5388087f82b86df15061de3cbdd51c7a53d74b7cf
- SHA512
  
  3dfcb48a4e6af965459d8ba2fbb7e29fc2746f75b9be3bb9a68623dbeb71107ba8d69f150ea43b6540c735b71d5294e4bae0fc00ae93c8245cedbc63e2f49f21
- SSDEEP
  
  98304:SsN5V32ojes6QAmOwL/WhoapYxUWUTzPkbR90jYpcE03650K:SsNv32ojes69mVL+Yx6T4bR90j5K
Score

1^/10
behavioral1 behavioral2
- Target
  
  '
- Size
  
  5.0MB
- MD5
  
  a21768190f3b9feae33aaef660cb7a83
- SHA1
  
  24780657328783ef50ae0964b23288e68841a421
- SHA256
  
  55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
- SHA512
  
  ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
- SSDEEP
  
  98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x
Score

10^/10

privateloader loader
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
behavioral3 behavioral4
- Target
  
  lmg_Angeia_Whlt_phto.vbs
- Size
  
  451KB
- MD5
  
  50dd276ecb219b58afb8dd4c72921930
- SHA1
  
  6900dcdd573f4261e32ee98f8e15817ea5b17c94
- SHA256
  
  c989926eb17a83e10fa18a7beb6e1a468c88740e157609db9dd7600498f6c148
- SHA512
  
  3639ec354ce49229d31fc662c97b50d233203c23571d7cb8b57cd7d42cef62afce629b9237a7e263e9986501a49c6cdaa7597a430f62ffc590830d4354e30f1c
- SSDEEP
  
  3072:CLo26YF/VCe4VTdRlTT8w4TWvxqtIgJdpe+og0S7wQzS18f8d6bb/g52D:4o26YF4xq3
Score

10^/10

asyncrat remcos xenorat matidown2 xxx1 execution persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Registers COM server for autorun
  persistence
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Suspicious use of SetThreadContext
behavioral5 behavioral6