asyncrat | 47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7 | Triage

Sharing

General

Target

47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7
Size

45KB
Sample

240806-rxzl5a1gpl
MD5

3b86abe4c79286ed06965c268968c03d
SHA1

64afe64ee719aa3526023a5f7edacd44db21bde4
SHA256

47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7
SHA512

68f108646437fd72622cd1f719b2092b095e67500502981c4b605c64acaa38c12f46a82e47318b405137e5112ff82ccb51bfbb953b67fd3d1e9a5de1c2874483
SSDEEP

768:juAKNTR4ydbWUnrGJmo2q7zL5P02FUFdxYkk8PIWzjbAgX3ih8QNd4sqyVUbGKZ9:juAKNTRZ22oLDmWBW3bnXSh8QN6sqEWh

Score

10^/10

asyncrat underground-cheat.com discovery evasion execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

C2

blue.o7lab.me:7777

server.underground-cheat.xyz:7777

Mutex

dtDtRWyW1m1g

Attributes

delay
3
install
false
install_file
$77WinUpdate.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

5.0.5

Botnet

underground-cheat.com

C2

server.underground-cheat.xyz:4449

bluedns.o7lab.me:4449

Mutex

underground-cheat.comunderground-cheat.com

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7
- Size
  
  45KB
- MD5
  
  3b86abe4c79286ed06965c268968c03d
- SHA1
  
  64afe64ee719aa3526023a5f7edacd44db21bde4
- SHA256
  
  47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7
- SHA512
  
  68f108646437fd72622cd1f719b2092b095e67500502981c4b605c64acaa38c12f46a82e47318b405137e5112ff82ccb51bfbb953b67fd3d1e9a5de1c2874483
- SSDEEP
  
  768:juAKNTR4ydbWUnrGJmo2q7zL5P02FUFdxYkk8PIWzjbAgX3ih8QNd4sqyVUbGKZ9:juAKNTRZ22oLDmWBW3bnXSh8QN6sqEWh
Score

10^/10

asyncrat discovery evasion execution rat underground-cheat.com persistence
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratdiscoveryevasionexecutionrat

behavioral2

asyncratunderground-cheat.comdiscoveryevasionexecutionpersistencerat