asyncrat

General

Target

fsp.txt
Size

10KB
Sample

240708-wgs7ma1cnn
MD5

c9f569bd4a2bdec00f03b7e30f47a8dd
SHA1

2cdd9694e58e8f3c9c8607f5cc6e31d10b482c32
SHA256

7b73596346a36f83b6b540bfc2b779fec228a050e6d7de631d0518b526b9b128
SHA512

98d631ad7749c3b7ebd02da6a00796f66951d42f9142fc1bb459904da253f8c90e974a491d4f1e1364f786a8ae8022080a24840260b01f73fd73e8c0fe9a54cd
SSDEEP

48:/L2tePUutEk+hDnqhdN6+W0K00ah0ZBjAPa:T2kPUGxwqhdN6l0K00xoi

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

AWS | RxR

Botnet

Hema

C2

lolroot.duckdns.org:6606

lolroot.duckdns.org:7707

lolroot.duckdns.org:8808

storeroot.duckdns.org:6606

storeroot.duckdns.org:7707

storeroot.duckdns.org:8808

storexroot.duckdns.org:6606

storexroot.duckdns.org:7707

storexroot.duckdns.org:8808

Mutex

AsyncMutex_9eurjf40i8eurjfiekfj

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  fsp.txt
- Size
  
  10KB
- MD5
  
  c9f569bd4a2bdec00f03b7e30f47a8dd
- SHA1
  
  2cdd9694e58e8f3c9c8607f5cc6e31d10b482c32
- SHA256
  
  7b73596346a36f83b6b540bfc2b779fec228a050e6d7de631d0518b526b9b128
- SHA512
  
  98d631ad7749c3b7ebd02da6a00796f66951d42f9142fc1bb459904da253f8c90e974a491d4f1e1364f786a8ae8022080a24840260b01f73fd73e8c0fe9a54cd
- SSDEEP
  
  48:/L2tePUutEk+hDnqhdN6+W0K00ah0ZBjAPa:T2kPUGxwqhdN6l0K00xoi
Score

10^/10

execution asyncrat hema rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

NirSoft WebBrowserPassView

Nirsoft

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4