asyncrat

General

Target

7723fd269e8d6a1ada1fffae67bc1f8470fde6fed1ebecbe7df5c53deb4b6907
Size

908KB
Sample

240806-qngjhszglk
MD5

32f55b892056a01033de479bb15f445e
SHA1

88771e023b11d778b444c3526d9dea80d16046bf
SHA256

7723fd269e8d6a1ada1fffae67bc1f8470fde6fed1ebecbe7df5c53deb4b6907
SHA512

fde50588f47412b6e5633f176fba5933366d488c9a79239e723b99c382d72a78717144f1055534d41b8b5dafda5a03943a747f7ff8ca6b254e029d78da23d825
SSDEEP

24576:VZv8Pq6L/0BGg6F8iKm9ZqWMv3OIi43nTJ+:mt/0sg6wm9gp3

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

C2

blue.o7lab.me:7777

server.underground-cheat.xyz:7777

Mutex

dtDtRWyW1m1g

Attributes

delay
3
install
false
install_file
$77WinUpdate.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

o7lab

C2

154.216.20.242:5000

gia.o7lab.me:5000

Mutex

GpMiIzUX7KoW

Attributes

delay
3
install
false
install_file
$77svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

154.216.20.242:4449

Mutex

shoogvdlxg

Attributes

delay
1
install
true
install_file
$77pop2.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

gia.o7lab.me:26644

C2

gia.o7lab.me:26644

Targets

- Target
  
  7723fd269e8d6a1ada1fffae67bc1f8470fde6fed1ebecbe7df5c53deb4b6907
- Size
  
  908KB
- MD5
  
  32f55b892056a01033de479bb15f445e
- SHA1
  
  88771e023b11d778b444c3526d9dea80d16046bf
- SHA256
  
  7723fd269e8d6a1ada1fffae67bc1f8470fde6fed1ebecbe7df5c53deb4b6907
- SHA512
  
  fde50588f47412b6e5633f176fba5933366d488c9a79239e723b99c382d72a78717144f1055534d41b8b5dafda5a03943a747f7ff8ca6b254e029d78da23d825
- SSDEEP
  
  24576:VZv8Pq6L/0BGg6F8iKm9ZqWMv3OIi43nTJ+:mt/0sg6wm9gp3
Score

10^/10

asyncrat neshta redline sectoprat default gia.o7lab.me:26644 o7lab credential_access defense_evasion discovery execution infostealer persistence rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Neshta payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Async RAT payload
  rat
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2