asyncrat | 138be3a5769af371a332cf9404cca591cd78d594d6a072fa8047e222ac92770e | Triage

Sharing

General

Target

WebStealer Resou‮nls..scr
Size

362KB
Sample

240523-gqnaeafh2z
MD5

7c031479dedab585b453098453a09f35
SHA1

401ec0bf7ce170a67c0317150c2b83885e8abc54
SHA256

138be3a5769af371a332cf9404cca591cd78d594d6a072fa8047e222ac92770e
SHA512

17160d0c966c6ea6f8ac182ccd361baf2900dbfbf92ae59804861a404ba5a77a37e499ae0ac2588d46fcd26ce08d29a02e66b09894e4319212fb9f0d23a9643f
SSDEEP

6144:rBx7iw0qvLJXnlUGujCtjno6itQl+REw6FMG/UHQS8PUHIRA8yVYtFmCaxHU0bM:rTkqjVnl36ud0zR/6CtQ9PUHIG8Dn

Score

10^/10

asyncrat op os evasion execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

OP

C2

20.117.108.240:5612

Mutex

HssS7dvHeccj

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

OS

C2

20.117.108.240:7825

Mutex

IOr8QBoiV215

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  WebStealer Resou‮nls..scr
- Size
  
  362KB
- MD5
  
  7c031479dedab585b453098453a09f35
- SHA1
  
  401ec0bf7ce170a67c0317150c2b83885e8abc54
- SHA256
  
  138be3a5769af371a332cf9404cca591cd78d594d6a072fa8047e222ac92770e
- SHA512
  
  17160d0c966c6ea6f8ac182ccd361baf2900dbfbf92ae59804861a404ba5a77a37e499ae0ac2588d46fcd26ce08d29a02e66b09894e4319212fb9f0d23a9643f
- SSDEEP
  
  6144:rBx7iw0qvLJXnlUGujCtjno6itQl+REw6FMG/UHQS8PUHIRA8yVYtFmCaxHU0bM:rTkqjVnl36ud0zR/6CtQ9PUHIG8Dn
Score

10^/10

asyncrat op os evasion execution persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- UAC bypass
  evasion trojan
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Subvert Trust Controls

Install Root Certificate

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

asyncratoposevasionexecutionpersistencerattrojan