asyncrat | 003e16179a388b3d84bfb26a3a7d48e2428ab8953ccc69b5b3a26574f71e8872 | Triage

Sharing

General

Target

fv645458456550656894659461646_Pdf (3).uu
Size

697B
Sample

240723-vwwevstdnb
MD5

46a7132a89ee1178c327ba0380f95c3a
SHA1

ce37eea85eff12ef11b8efe45f95bbfa6d2b0eb7
SHA256

003e16179a388b3d84bfb26a3a7d48e2428ab8953ccc69b5b3a26574f71e8872
SHA512

d42040cf79ee2a87b85f200911737317e560bf0e0b1e6c91ff81668d552443ceebbb7b3e091bb79909332e448198ea1196aef88e7a8f21620aca48022e2a98c0

Score

10^/10

asyncrat default discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://firebasestorage.googleapis.com/v0/b/documentos-1b4a9.appspot.com/o/2207.vbs?alt=media&token=29f70419-a771-4403-90c3-30dc64c96114

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://pastebin.com/raw/V9y5Q5vv

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

C2

asyn8097.duckdns.org:8097

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  fv645458456550656894659461646_Pdf.Bat
- Size
  
  28KB
- MD5
  
  54c9e929aa6ea3e1e5957f9b0aee4e69
- SHA1
  
  2c6e7d48b6951f59c4fcddfeb65b0e07e96394ac
- SHA256
  
  c210d65973ad42a433a440c7716e92631c14ea6614f628ed0c540fae3b54e991
- SHA512
  
  a075910c9707f49a9ffa6673ab2eb29ff3e0c2cabbb521ad7101c999f50bc7bd75b6e49eaa8d7f3d9db109c06bdbb56980b46317a23ed5d7d87dcacdd0e1ce2b
- SSDEEP
  
  12:3xzJZ+O2P5g0it981k771o3tkRXFOuHeTgQ1tgQzu0:3x2P5g0i/7ZetYV7QEQzu0
Score

10^/10

execution asyncrat default discovery persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

asyncratdefaultdiscoveryexecutionpersistencerat