General
-
Target
AsyncClient.exe
-
Size
66KB
-
Sample
240723-a7mlwaxhla
-
MD5
63ea16bb999507c430e7133950d157d7
-
SHA1
e20dcfcf0c92a64a86bc48902c77d871aad52e15
-
SHA256
43138adeff58347b55fbb2d28d7ff2b5a240767ddbd15cb6c0e1f9e0bf72a2ec
-
SHA512
07f39923f30e09dfffb8d4b0e2507cbef3424c34cf8fae51ead6318c792f74c82c710fec376eebb20ad8fddd0f0cc1ccee6acabb8f865bc3898263010e26f986
-
SSDEEP
1536:D2wukvF1ak9gcKu5UYF4jieQCk2bHM+9ga+22d9rmTGBx:D2dkvF1ak9Ku5UYF4jihN2bH7d+F9Eyx
Malware Config
Extracted
asyncrat
| Edit by Vinom Rat
Default
saturday-surely.gl.at.ply.gg:30089
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
AsyncClient.exe
-
Size
66KB
-
MD5
63ea16bb999507c430e7133950d157d7
-
SHA1
e20dcfcf0c92a64a86bc48902c77d871aad52e15
-
SHA256
43138adeff58347b55fbb2d28d7ff2b5a240767ddbd15cb6c0e1f9e0bf72a2ec
-
SHA512
07f39923f30e09dfffb8d4b0e2507cbef3424c34cf8fae51ead6318c792f74c82c710fec376eebb20ad8fddd0f0cc1ccee6acabb8f865bc3898263010e26f986
-
SSDEEP
1536:D2wukvF1ak9gcKu5UYF4jieQCk2bHM+9ga+22d9rmTGBx:D2dkvF1ak9Ku5UYF4jihN2bH7d+F9Eyx
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1