asyncrat | hxxps://bumida-cloud[.]andalsoftware[.]com/updater[.]exe | Triage

Submit
Reports

Overview

overview

Static

static

1

URLScan

urlscan

1

https://bumida-cloud...

windows10-2004-x64

Resubmissions

18-05-2024 13:20

240518-qk6n8sdc7t 8

18-05-2024 12:52

240518-p4kqfacd77 10

Sharing

General

Target

https://bumida-cloud.andalsoftware.com/updater.exe
Sample

240518-p4kqfacd77

Score

10^/10

asyncrat 1877 execution rat spyware stealer upx

Static task

static1

URLScan task

urlscan1

Behavioral task

behavioral1

Sample

https://bumida-cloud.andalsoftware.com/updater.exe

Resource

win10v2004-20240426-en

asyncrat 1877 execution rat spyware stealer upx

windows10-2004-x64

26 signatures

300 seconds

Malware Config

Extracted

Family

asyncrat

Version

Xoshnaw

Botnet

1877

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1877

nerakar.duckdns.org:6606

nerakar.duckdns.org:7707

nerakar.duckdns.org:8808

nerakar.duckdns.org:1877

Mutex

3YeYWvX7BQIk

Attributes

delay
3
install
true
install_file
chroma.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  https://bumida-cloud.andalsoftware.com/updater.exe
Score

10^/10

asyncrat 1877 execution rat spyware stealer upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Process Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

urlscan1

behavioral1

asyncrat1877executionratspywarestealerupx

© 2018-2024

Terms | Privacy