asyncrat | ef5fa3f193d8205806fc945aea79ea2aeddb8845d1d9e81e22e57370db09c426 | Triage

Sharing

General

Target

Alertas y Notificaciones.vbs
Size

2.6MB
Sample

240726-t7ee2szdqq
MD5

f85469b805e7ccd3da7f69df07566f0d
SHA1

e9d9b0ddda2aa1e0345b1a88a491f0ee43bdcdc0
SHA256

ef5fa3f193d8205806fc945aea79ea2aeddb8845d1d9e81e22e57370db09c426
SHA512

4bc1d37bce587cd3a2ba02bd0341f7a718e5b8b974b769a46c12fbb1ca8df4424955436c3ae40b06cfaa3b9ad2085ed712ca77e1df5e0e34fffcf244b05b121f
SSDEEP

1536:bPPPPPPPPP9PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP5:/f

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

envioagosto29.duckdns.org:2020

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Alertas y Notificaciones.vbs
- Size
  
  2.6MB
- MD5
  
  f85469b805e7ccd3da7f69df07566f0d
- SHA1
  
  e9d9b0ddda2aa1e0345b1a88a491f0ee43bdcdc0
- SHA256
  
  ef5fa3f193d8205806fc945aea79ea2aeddb8845d1d9e81e22e57370db09c426
- SHA512
  
  4bc1d37bce587cd3a2ba02bd0341f7a718e5b8b974b769a46c12fbb1ca8df4424955436c3ae40b06cfaa3b9ad2085ed712ca77e1df5e0e34fffcf244b05b121f
- SSDEEP
  
  1536:bPPPPPPPPP9PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP5:/f
Score

10^/10

asyncrat default discovery execution rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratdefaultdiscoveryexecutionrat