asyncrat | b72c0371a70cfeab0cfe44b72ef08716f6a3345cce395453e4cf931bf1f603ae | Triage

Sharing

General

Target

vd.txt
Size

10KB
Sample

240708-wj7g2a1dpp
MD5

f3a9219e977b293b8cb364f8c8378284
SHA1

6f5ee3933bc669d7af2acccc842c60db60be16f4
SHA256

b72c0371a70cfeab0cfe44b72ef08716f6a3345cce395453e4cf931bf1f603ae
SHA512

3960ed3091dfe3845832af7911c227c3e6f0cdfb97fd404224e1361ccb3d78e7b20a98fd3397ddd7e254113fb81983ca30f90cc28751390da3964a56ff2bfd91
SSDEEP

192:RMVgS5D/dL6hq20J0FeAPZIxOImBYb/QFfW6V5k6uS3N7AVzSXqLFCy+/7lm70OR:RMVgS5D/dL6hq20J0FeAPZIxOImBYb/h

Score

10^/10

asyncrat exenew execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

ExEnew

C2

mrrobotos.duckdns.org:6606

mrrobotos.duckdns.org:7707

mrrobotos.duckdns.org:8808

Mutex

AsyncMutex_olahsklcnmdnfdsfsdfsd

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  vd.txt
- Size
  
  10KB
- MD5
  
  f3a9219e977b293b8cb364f8c8378284
- SHA1
  
  6f5ee3933bc669d7af2acccc842c60db60be16f4
- SHA256
  
  b72c0371a70cfeab0cfe44b72ef08716f6a3345cce395453e4cf931bf1f603ae
- SHA512
  
  3960ed3091dfe3845832af7911c227c3e6f0cdfb97fd404224e1361ccb3d78e7b20a98fd3397ddd7e254113fb81983ca30f90cc28751390da3964a56ff2bfd91
- SSDEEP
  
  192:RMVgS5D/dL6hq20J0FeAPZIxOImBYb/QFfW6V5k6uS3N7AVzSXqLFCy+/7lm70OR:RMVgS5D/dL6hq20J0FeAPZIxOImBYb/h
Score

10^/10

execution persistence asyncrat exenew rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

executionpersistence

behavioral2

asyncratexenewexecutionpersistencerat

behavioral3

asyncratexenewexecutionpersistencerat

behavioral4

asyncratexenewexecutionpersistencerat