asyncrat

General

Target

Invoice#1136309464.iso
Size

898KB
Sample

240605-n3dp3afe99
MD5

87d66ac004a13b5e303e8789bd137ca9
SHA1

1ee82232a77d898fc54ab7b34b37c88f7a8e1f6a
SHA256

a1ce6b762cb741d0da79d433721258c01cdd1794b00fef95d78e324c07202df2
SHA512

8cbb6361ef73dbce740ad70f589759654c10d1e1fb65d57fd8c494cb37787c416196fb07c7139badbd9976a0717c2a867e90470e9fe6fc55c414599d892b3ddc
SSDEEP

384:8sTu8Qyg9R6cR6cR6cR6cR6cR6cR6cR6cR6cR6cR6cR6wR6cR6cR6cR6cR6cR6cD:8s6+4JElDTo

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://162.244.210.92:333/kok.jpg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://nodejs.org/download/release/latest-v0.12.x/node.exe

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Karem

C2

kareemovic11.duckdns.org:6606

kareemovic11.duckdns.org:7707

kareemovic11.duckdns.org:8808

Mutex

AsyncMutex_kinsdlmsjnsidhuybf

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Invoice#1136309464.wsf
- Size
  
  107KB
- MD5
  
  ab87b1030210083dfb5b1e4f11647846
- SHA1
  
  c53b4eaece77ca95b11b0facb82fc81af7e6735b
- SHA256
  
  5569aaf9f9d3e53647419506c0cb256ac27d7538d2544a7031c2d7d31df0cb58
- SHA512
  
  2980941237f69d4ebf380af918144f7a9acef04d7ca195f2e1531e1de6ea2ded17ce0115fd66db5fc7d526397634d22ec80ee33d987f25ca369de0558d672735
- SSDEEP
  
  384:qR6cR6cR6cR6cR6cR6cR6cR6cR6cR6cR6cR6wR6cR6cR6cR6cR6cR6cR6cR6cR6N:14JElDTR
Score

10^/10

asyncrat stormkitty xenarmor karem collection evasion execution password rat recovery spyware stealer trojan upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- UAC bypass
  evasion trojan
- XenArmor Suite
  XenArmor is as suite of password recovery tools for various application.
  recovery password xenarmor
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses Microsoft Outlook accounts
  collection
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2