asyncrat | e296925add362ceb26927e02439ad56accc8ce03b14712fbd4dd41377be036aa | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

win10

windows10-2004-x64

Sharing

General

Target

Statment#5173642159.html
Size

1KB
Sample

240712-ra7zzsyeja
MD5

1231d299fcd9917fde1326f9ef677361
SHA1

f92479f63b0279c16e8499fe294e7b3d81da5942
SHA256

e296925add362ceb26927e02439ad56accc8ce03b14712fbd4dd41377be036aa
SHA512

0b76638bad3c2036c048b4b381a6192a14ed8770545d73ad8d49990ce30bd725b75fa721578e47cad8b946f63cc2e3681014acf72ba4af3598adba9e49345205

Score

10^/10

asyncrat elsa3eed execution rat

Static task

static1

Behavioral task

behavioral1

Sample

Statment#5173642159.html

Resource

win10v2004-20240704-en

asyncrat elsa3eed execution rat

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Elsa3eed

Mutex

AsyncMutex_alosh

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/C7vDhgZQ

aes.plain

1
29HguhkpmhwXeqzA2hbaZnbqxtQKQXTB

Targets

- Target
  
  Statment#5173642159.html
- Size
  
  1KB
- MD5
  
  1231d299fcd9917fde1326f9ef677361
- SHA1
  
  f92479f63b0279c16e8499fe294e7b3d81da5942
- SHA256
  
  e296925add362ceb26927e02439ad56accc8ce03b14712fbd4dd41377be036aa
- SHA512
  
  0b76638bad3c2036c048b4b381a6192a14ed8770545d73ad8d49990ce30bd725b75fa721578e47cad8b946f63cc2e3681014acf72ba4af3598adba9e49345205
Score

10^/10

asyncrat elsa3eed execution rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratelsa3eedexecutionrat

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.