asyncrat | 609b846da03d889d71b895ab6dd025642066a3b641b48c6486d5443c68f34d7e | Triage

Sharing

General

Target

17193228024.zip
Size

44KB
Sample

240509-l47y7acc2y
MD5

6b887c3c71500c05ff228fc10793795a
SHA1

28eb382ed84e04b3686b799307cfeaef65432b35
SHA256

609b846da03d889d71b895ab6dd025642066a3b641b48c6486d5443c68f34d7e
SHA512

0c2999aa72db279df70ddd78c163b4c1ceddf5f0899a481f838ef839ae4c6aa54908a403bb48666595cdf84ff4f15e04037814e509fa9c0a2c1d15c6c6fde1b4
SSDEEP

768:xyeNSvA/nu2hzTNstgGmunfvaQRoih6rznDUyyXQSAxeLGt3Kfkgii+XMKB0xdd:x5NH/u2NUgcHaQRod3DkQ9Faf5Sep

Score

10^/10

asyncrat remcos xenorat matidown2 xxx1 execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

MATIDOWN2

C2

141.95.84.40:6465

Mutex

wcawcaw

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

remcos

Botnet

xxx1

C2

141.95.84.40:6468

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
asasas-3248IW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

xenorat

C2

141.95.84.40

Mutex

asasaa33d3a143vaavwwv

Attributes

delay
5000
install_path
nothingset
port
6676
startup_name
nothingset

Targets

- Target
  
  17193228024.zip
- Size
  
  44KB
- MD5
  
  6b887c3c71500c05ff228fc10793795a
- SHA1
  
  28eb382ed84e04b3686b799307cfeaef65432b35
- SHA256
  
  609b846da03d889d71b895ab6dd025642066a3b641b48c6486d5443c68f34d7e
- SHA512
  
  0c2999aa72db279df70ddd78c163b4c1ceddf5f0899a481f838ef839ae4c6aa54908a403bb48666595cdf84ff4f15e04037814e509fa9c0a2c1d15c6c6fde1b4
- SSDEEP
  
  768:xyeNSvA/nu2hzTNstgGmunfvaQRoih6rznDUyyXQSAxeLGt3Kfkgii+XMKB0xdd:x5NH/u2NUgcHaQRod3DkQ9Faf5Sep
Score

10^/10

asyncrat remcos xenorat matidown2 xxx1 execution persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Registers COM server for autorun
  persistence
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

asyncratremcosxenoratmatidown2xxx1executionpersistencerattrojan