asyncrat

General

Target

batch.exe
Size

194KB
Sample

240713-ezp49avhrk
MD5

5cd0d1cc05f646037164ab9fceacf995
SHA1

1eab49d606689ac01f2423441a553ec829854a65
SHA256

342fda83ad4d56696ec349715775d5b6f5b3bbb46e57918b9e7b458c75be2a87
SHA512

4b755c993531a95cf51362607b78b0fee15ffe133a0951d1e9f18582d8092c99a7fbe30679d8b2279d5cecfeb09291e4e053dd7bacd884a644976193348ba37e
SSDEEP

3072:96Up6fIk/wZypP/9F/ix/A9wXnDLn1mFbTYGtdGt3WzZb29b/zSLpSoSE:96Wd6/9FO/AmL1mFbckdGtmzYR/zAc

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

!DEAD CODE TOOL'S

C2

chapter-designated.gl.at.ply.gg:27729

Mutex

!DEADCODEMutex_lm.deadcode

Attributes

delay
3
install
false
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  batch.exe
- Size
  
  194KB
- MD5
  
  5cd0d1cc05f646037164ab9fceacf995
- SHA1
  
  1eab49d606689ac01f2423441a553ec829854a65
- SHA256
  
  342fda83ad4d56696ec349715775d5b6f5b3bbb46e57918b9e7b458c75be2a87
- SHA512
  
  4b755c993531a95cf51362607b78b0fee15ffe133a0951d1e9f18582d8092c99a7fbe30679d8b2279d5cecfeb09291e4e053dd7bacd884a644976193348ba37e
- SSDEEP
  
  3072:96Up6fIk/wZypP/9F/ix/A9wXnDLn1mFbTYGtdGt3WzZb29b/zSLpSoSE:96Wd6/9FO/AmL1mFbckdGtmzYR/zAc
Score

10^/10

asyncrat !dead code tool's rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Async RAT payload
  rat
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

5

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Suspicious use of NtCreateProcessExOtherParentProcess

Suspicious use of NtCreateUserProcessOtherParentProcess

Async RAT payload

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2