asyncrat

General

Target

dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe
Size

3.5MB
Sample

240615-cyr64swene
MD5

8a6607f6727f04bc2d700ab5f71a349f
SHA1

9af1c2b76477e9f417d563cfe600bdce227987ac
SHA256

dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9
SHA512

3248d452ea3103a8db0a20898b7cb02195700194781152fae60eebc7f38fad422c1abd65ff32cff0b32cb8b98a0e9638ceae8fc1895b8b31d18250cfb95d07a3
SSDEEP

98304:kAI+3RFiuGHYZMHKpiqTQtrPPSrRYTT4VlZMNdnCx+XxydsuV9ssSV:jt3R9YZRqKzPSNnVlZInlwFkn

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

KGB-2024

C2

alice2019.myftp.biz:2525

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-DO2MY2
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

njrat

Version

0.7d

Botnet

T1-2024

C2

Alice2019.myftp.biz:5552

Mutex

3cec14c682a69cb8fafb5026acd55133

Attributes

reg_key
3cec14c682a69cb8fafb5026acd55133
splitter
Y262SUCZ4UJJ

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

alice2019.myftp.biz:7707

Mutex

GmT0S52TfMTy

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe
- Size
  
  3.5MB
- MD5
  
  8a6607f6727f04bc2d700ab5f71a349f
- SHA1
  
  9af1c2b76477e9f417d563cfe600bdce227987ac
- SHA256
  
  dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9
- SHA512
  
  3248d452ea3103a8db0a20898b7cb02195700194781152fae60eebc7f38fad422c1abd65ff32cff0b32cb8b98a0e9638ceae8fc1895b8b31d18250cfb95d07a3
- SSDEEP
  
  98304:kAI+3RFiuGHYZMHKpiqTQtrPPSrRYTT4VlZMNdnCx+XxydsuV9ssSV:jt3R9YZRqKzPSNnVlZInlwFkn
Score

10^/10

asyncrat njrat remcos default kgb-2024 t1-2024 discovery evasion execution persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables packed with or use KoiVM
- Detects file containing reversed ASEP Autorun registry keys
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2