asyncrat

General

Target

670d1014ec5713d005f8ddfefc495a9e.exe
Size

47KB
Sample

240729-hvb9daxhkr
MD5

670d1014ec5713d005f8ddfefc495a9e
SHA1

91362eaf33dc55e4d970fbefbda975be32628d6b
SHA256

70c6d555938fdc95c03f98a7a3a37b607d1dce623663479082c5b9514caa04fd
SHA512

175827b48f35899e89fcbdacd2e98b378b92abc8e7a1c225441f57a46d02fea838104e3d6480a137f401c72e2d7979ff3db7a74d5c52e84a0733246f0fa5384f
SSDEEP

768:EuwpFTAY3IQWUe9jqmo2qLPzXR8myUdPIvfc2C0b2lnNPVPUXHyk/UQsS25BDZ8x:EuwpFTA4/2KRx0vfb9bgnTUXHmpS2nd+

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

176.111.174.140:6606

176.111.174.140:7707

176.111.174.140:8808

Mutex

PWhSiRkcxVoa

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

diamotrix

C2

176.111.174.140:1912

Targets

- Target
  
  670d1014ec5713d005f8ddfefc495a9e.exe
- Size
  
  47KB
- MD5
  
  670d1014ec5713d005f8ddfefc495a9e
- SHA1
  
  91362eaf33dc55e4d970fbefbda975be32628d6b
- SHA256
  
  70c6d555938fdc95c03f98a7a3a37b607d1dce623663479082c5b9514caa04fd
- SHA512
  
  175827b48f35899e89fcbdacd2e98b378b92abc8e7a1c225441f57a46d02fea838104e3d6480a137f401c72e2d7979ff3db7a74d5c52e84a0733246f0fa5384f
- SSDEEP
  
  768:EuwpFTAY3IQWUe9jqmo2qLPzXR8myUdPIvfc2C0b2lnNPVPUXHyk/UQsS25BDZ8x:EuwpFTA4/2KRx0vfb9bgnTUXHmpS2nd+
Score

10^/10

asyncrat redline default diamotrix credential_access discovery execution infostealer persistence rat spyware stealer upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Async RAT payload
  rat
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2