asyncrat

General

Target

ab4d88e95480bb5ab60fab6bff16d132b390c1dd723d98616d40ff23fbad3299.exe
Size

909KB
Sample

240807-cd578s1eqe
MD5

c8efdf607fd50fdefbc76a3cc6a080a7
SHA1

abc7950d08edf60d26526f03521b4f34a5bfe811
SHA256

ab4d88e95480bb5ab60fab6bff16d132b390c1dd723d98616d40ff23fbad3299
SHA512

1af34ac458fdef4763b2b2af9d40df213da2a007d874ceaacf0c368c43e4a95476093ee1ad7bdf126922cbb2699b7505a956efa23fc8e814c0ecd5b407ce12bd
SSDEEP

24576:0K1e88CJPdUpyzrw2m93kKj8q3TsQ9Ud8x9x:V1ljJPdUpOw2+8WX9u8b

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

C2

blue.o7lab.me:7777

server.underground-cheat.xyz:7777

Mutex

dtDtRWyW1m1g

Attributes

delay
3
install
false
install_file
$77WinUpdate.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

o7lab

C2

154.216.20.242:5000

gia.o7lab.me:5000

Mutex

GpMiIzUX7KoW

Attributes

delay
3
install
false
install_file
$77svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

gia.o7lab.me:26644

C2

gia.o7lab.me:26644

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

o7lab

C2

154.216.20.242:4449

Mutex

voddalsrlcsfjcxz

Attributes

delay
4
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  ab4d88e95480bb5ab60fab6bff16d132b390c1dd723d98616d40ff23fbad3299.exe
- Size
  
  909KB
- MD5
  
  c8efdf607fd50fdefbc76a3cc6a080a7
- SHA1
  
  abc7950d08edf60d26526f03521b4f34a5bfe811
- SHA256
  
  ab4d88e95480bb5ab60fab6bff16d132b390c1dd723d98616d40ff23fbad3299
- SHA512
  
  1af34ac458fdef4763b2b2af9d40df213da2a007d874ceaacf0c368c43e4a95476093ee1ad7bdf126922cbb2699b7505a956efa23fc8e814c0ecd5b407ce12bd
- SSDEEP
  
  24576:0K1e88CJPdUpyzrw2m93kKj8q3TsQ9Ud8x9x:V1ljJPdUpOw2+8WX9u8b
Score

10^/10

asyncrat neshta redline sectoprat gia.o7lab.me:26644 o7lab discovery evasion execution infostealer persistence rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Neshta payload
- Modifies security service
  evasion
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2