asyncrat

General

Target

4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
Size

322KB
Sample

240730-tqhq5sxhkr
MD5

61c5a8e414a47b8cc2c69e1ac4370a35
SHA1

d6d66b31e7ebe3bd032a33fbe35fed2720fae964
SHA256

4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b
SHA512

b1d732a280ea6f9e0eca5802016292e9c373a6e6d2c48404bbe00eb67a791427945ec3d1998ffdd8bda603adb9ee6c9312cf2976ed3567ab0a2c7f8494079c92
SSDEEP

6144:l5B8DY9c80tk5koaMrtonT8nzkwHgDKFaz4cHgo2TW:rB8DY9yYhaODRgDKiHgo2a

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

diamotrix

C2

176.111.174.140:1912

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=5795480469

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

176.111.174.140:6606

176.111.174.140:7707

176.111.174.140:8808

Mutex

PWhSiRkcxVoa

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b.exe
- Size
  
  322KB
- MD5
  
  61c5a8e414a47b8cc2c69e1ac4370a35
- SHA1
  
  d6d66b31e7ebe3bd032a33fbe35fed2720fae964
- SHA256
  
  4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b
- SHA512
  
  b1d732a280ea6f9e0eca5802016292e9c373a6e6d2c48404bbe00eb67a791427945ec3d1998ffdd8bda603adb9ee6c9312cf2976ed3567ab0a2c7f8494079c92
- SSDEEP
  
  6144:l5B8DY9c80tk5koaMrtonT8nzkwHgDKFaz4cHgo2TW:rB8DY9yYhaODRgDKiHgo2a
Score

10^/10

asyncrat redline stormkitty default diamotrix credential_access discovery infostealer persistence privilege_escalation rat spyware stealer upx execution
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Async RAT payload
  rat
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2