asyncrat | b639a01836faf5ee4f143bf2067c13ab6f0300714a959e84fcf7c014654dfd5a | Triage

Sharing

General

Target

52b71d4c548dba2c6a3f1b53ce4dfda0_NeikiAnalytics
Size

84KB
Sample

240509-rbrz6agb52
MD5

52b71d4c548dba2c6a3f1b53ce4dfda0
SHA1

4054ca4f3497f886baeee6b0336118b9a82dfcfd
SHA256

b639a01836faf5ee4f143bf2067c13ab6f0300714a959e84fcf7c014654dfd5a
SHA512

aa27a9e20e3dfa72a29110f34cf9e27dfd3cdd8875b3cfb97ad9487134d6e75f874f3fd4d5f3155a8601670b277322ebe269c044dc2efee8843bc27878bc8ab3
SSDEEP

1536:+azWlKzJVcNp++yQNS6xNNCT2l8NE8llbpTaCJRpsWr6cdaQTJSvYYS7Q8xB:yFNpo6rIKlUE8fbkqRfbaQlaYYSB

Score

10^/10

asyncrat zgrat default persistence rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Default

C2

connectpromidlsr.webredirect.org:6606

connectpromidlsr.webredirect.org:7707

connectpromidlsr.webredirect.org:8808

connectpromidlsr.webredirect.org:333

Mutex

AsyncMutex_alosh

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  52b71d4c548dba2c6a3f1b53ce4dfda0_NeikiAnalytics
- Size
  
  84KB
- MD5
  
  52b71d4c548dba2c6a3f1b53ce4dfda0
- SHA1
  
  4054ca4f3497f886baeee6b0336118b9a82dfcfd
- SHA256
  
  b639a01836faf5ee4f143bf2067c13ab6f0300714a959e84fcf7c014654dfd5a
- SHA512
  
  aa27a9e20e3dfa72a29110f34cf9e27dfd3cdd8875b3cfb97ad9487134d6e75f874f3fd4d5f3155a8601670b277322ebe269c044dc2efee8843bc27878bc8ab3
- SSDEEP
  
  1536:+azWlKzJVcNp++yQNS6xNNCT2l8NE8llbpTaCJRpsWr6cdaQTJSvYYS7Q8xB:yFNpo6rIKlUE8fbkqRfbaQlaYYSB
Score

10^/10

asyncrat zgrat default persistence rat spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect ZGRat V1
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Downloads MZ/PE file
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

SIP and Trust Provider Hijacking

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Process Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

asyncratzgratdefaultpersistenceratspywarestealer