asyncrat

General

Target

cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe
Size

1.7MB
Sample

240807-cma4fsyakl
MD5

b770d62550d8ff48c7fd45dd04d790f2
SHA1

3c4747ad182898466a9314e536fda1fe5983db42
SHA256

cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7
SHA512

602a3f853fad15269234257501386a12d8992b0390ae8f2808c2f31ab56c75746cde5b913843fa82277fbe6837a1eb0feb7df636d1bc6026d359f578e5154413
SSDEEP

49152:cKJU9ltTMMRYpY4TJtqjv7KtGQdHyedH7:zi5TMM+Dg7K0WHj7

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

o7lab

C2

154.216.20.242:5000

gia.o7lab.me:5000

Mutex

GpMiIzUX7KoW

Attributes

delay
3
install
false
install_file
$77svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

C2

blue.o7lab.me:7777

server.underground-cheat.xyz:7777

Mutex

dtDtRWyW1m1g

Attributes

delay
3
install
false
install_file
$77WinUpdate.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

gia.o7lab.me:26644

C2

gia.o7lab.me:26644

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

o7lab

C2

154.216.20.242:4449

Mutex

voddalsrlcsfjcxz

Attributes

delay
4
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7.exe
- Size
  
  1.7MB
- MD5
  
  b770d62550d8ff48c7fd45dd04d790f2
- SHA1
  
  3c4747ad182898466a9314e536fda1fe5983db42
- SHA256
  
  cb8c4074612cd630a1907bf5aeb4c2ec70bd8ecff6dac5ef1f4704a36abc38c7
- SHA512
  
  602a3f853fad15269234257501386a12d8992b0390ae8f2808c2f31ab56c75746cde5b913843fa82277fbe6837a1eb0feb7df636d1bc6026d359f578e5154413
- SSDEEP
  
  49152:cKJU9ltTMMRYpY4TJtqjv7KtGQdHyedH7:zi5TMM+Dg7K0WHj7
Score

10^/10

asyncrat neshta redline sectoprat gia.o7lab.me:26644 o7lab discovery evasion execution infostealer persistence rat spyware stealer trojan defense_evasion
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Neshta payload
- Modifies security service
  evasion
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Async RAT payload
  rat
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2