asyncrat | 63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb | Triage

Sharing

General

Target

63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb
Size

1.7MB
Sample

240627-2vv62awemg
MD5

b7ca45674c6b8a24a6a71315e0e51397
SHA1

79516b1bd2227f08ff333b950dafb29707916828
SHA256

63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb
SHA512

f390c2d017c041b60c57a67508341512785efbd25cb93a5c2849b4a5adb52931ea92eca7bbbef3e0cae0c919525770582e4c5e2518033c1c61542c0c2c1ebf2f
SSDEEP

24576:iRJSuMgl+JTBJ5aB3KoWWbHcXThtehTl5O9TLb:0IEFd/CTqR8P

Score

10^/10

asyncrat njrat stormkitty default hacked evasion persistence privilege_escalation rat stealer trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

194.26.192.92:5552

Mutex

3c34302470a14b537cf05fcc9ade517d

Attributes

reg_key
3c34302470a14b537cf05fcc9ade517d
splitter
|'|'|

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7095863454:AAFGhBQqJXY7rFzi0CT99qZPVRwQpKI6R1A/sendMessage?chat_id=7257613869

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb
- Size
  
  1.7MB
- MD5
  
  b7ca45674c6b8a24a6a71315e0e51397
- SHA1
  
  79516b1bd2227f08ff333b950dafb29707916828
- SHA256
  
  63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb
- SHA512
  
  f390c2d017c041b60c57a67508341512785efbd25cb93a5c2849b4a5adb52931ea92eca7bbbef3e0cae0c919525770582e4c5e2518033c1c61542c0c2c1ebf2f
- SSDEEP
  
  24576:iRJSuMgl+JTBJ5aB3KoWWbHcXThtehTl5O9TLb:0IEFd/CTqR8P
Score

10^/10

asyncrat njrat stormkitty default hacked evasion persistence privilege_escalation rat stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

asyncratnjratstormkittydefaulthackedevasionpersistenceprivilege_escalationratstealertrojan