asyncrat

General

Target

lmg_Lana_Rhoades_353535.zip
Size

5.0MB
Sample

240509-kvpwksce65
MD5

c1a2d8869e09cf6b1766f24075541ea0
SHA1

545243049082bfcb3ab4f436d61ac7a85ef47dd4
SHA256

d7583824a4f031041c55bedbe81b7b93ba6c1c1c8e1fa348a97eca15a798631b
SHA512

92895a169f87bd4a2d41202888ff63972b39a85e5314dbca12688edd837a0d30d54e20a60adebd24bd08687f62bded1b3401b74f2f1543cac7526ee01e384ad4
SSDEEP

98304:SsN5V32ojes6QAmOwL/WhoapYxUWUTzPkbR90jYpcE03650RAe:SsNv32ojes69mVL+Yx6T4bR90j5RAe

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

MATIDOWN2

C2

141.95.84.40:6465

Mutex

wcawcaw

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

remcos

Botnet

xxx1

C2

141.95.84.40:6468

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
asasas-3248IW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

xenorat

C2

141.95.84.40

Mutex

asasaa33d3a143vaavwwv

Attributes

delay
5000
install_path
nothingset
port
6676
startup_name
nothingset

Targets

- Target
  
  lmg_Lana_Rhoades_353535.zip
- Size
  
  5.0MB
- MD5
  
  c1a2d8869e09cf6b1766f24075541ea0
- SHA1
  
  545243049082bfcb3ab4f436d61ac7a85ef47dd4
- SHA256
  
  d7583824a4f031041c55bedbe81b7b93ba6c1c1c8e1fa348a97eca15a798631b
- SHA512
  
  92895a169f87bd4a2d41202888ff63972b39a85e5314dbca12688edd837a0d30d54e20a60adebd24bd08687f62bded1b3401b74f2f1543cac7526ee01e384ad4
- SSDEEP
  
  98304:SsN5V32ojes6QAmOwL/WhoapYxUWUTzPkbR90jYpcE03650RAe:SsNv32ojes69mVL+Yx6T4bR90j5RAe
Score

1^/10
behavioral1 behavioral2
- Target
  
  '
- Size
  
  5.0MB
- MD5
  
  a21768190f3b9feae33aaef660cb7a83
- SHA1
  
  24780657328783ef50ae0964b23288e68841a421
- SHA256
  
  55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
- SHA512
  
  ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
- SSDEEP
  
  98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x
Score

10^/10

privateloader loader
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
behavioral3 behavioral4
- Target
  
  lmg_Lana_Rhoades_3535354.vbs
- Size
  
  450KB
- MD5
  
  a6ed8295bd4ad2fe95bb1692e3efe986
- SHA1
  
  64a5f9d2fa80f090d899f17558a656ef9be68860
- SHA256
  
  0e695b395928958ef79db16b09824e321d35b4079873e24b12bb1c21858de278
- SHA512
  
  db81232da6e1368cc7dc03af83e7763ed3ef46472624dc50e64c7bac9d647be8e742ca676d6231d2de2c104b0cf0490539d3ac79cd9813840dc5a233499ea695
- SSDEEP
  
  3072:7no6BYF/qCe4VTdRlTT8w4TWPzqtIgJdpe+og0S7wQzS18f8d6bb/g52D:jo6BYFvzq3
Score

10^/10

asyncrat remcos xenorat matidown2 xxx1 execution persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Registers COM server for autorun
  persistence
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Suspicious use of SetThreadContext
behavioral5 behavioral6