asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

36af16f1951a6edc1cbcd5a15c4bc1a68b2ce829a632e5ff2f37cf2167eac659
Size

1.6MB
Sample

240809-nme8yszepk
MD5

65eac0d399f8d77cdd49c0fe9be0d3ef
SHA1

3dbf25c4f491318b4434a6d38535fa3ca238a3e4
SHA256

36af16f1951a6edc1cbcd5a15c4bc1a68b2ce829a632e5ff2f37cf2167eac659
SHA512

9f351feb4ba5aa897d2e697b0b7d6426591d3671761ae557e2ad3f2f6fd4dc9a7c351fae6de12cd18702bf16527887c03e57200f329f85f3f08596f8690192b8
SSDEEP

49152:4JxKaBzsLRFbwBulRxN/1hvztB0WDoSzSohNP4Kp7odiw3iBTqt:4JxKaR+R5BUmrLNoUw2ut

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

D4Dot

154.61.75.91:4449

Attributes

delay
1
install
true
install_file
D4dot.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  De4dot [Modded ArmDot]/AssemblyData.dll
- Size
  
  59KB
- MD5
  
  e7855f2e55a5c7c3f25f122aeb801329
- SHA1
  
  fa4e4034e7fb4b19b717f68eead63b67ebd7b0bc
- SHA256
  
  9a7ec57a2bc5582753b449981e799b7e9f88ebeb63ae9ff226dced015b87a965
- SHA512
  
  30f4cfbceb39b9b1dba7159952912138b978ebe75e7adf47ec7e0313242b0e96fb9af78ed9244b45b60724e98a6e1966e474b655a16dc111c8a2cb20f2cc5182
- SSDEEP
  
  768:l3sCDXAIMlcHMMGfrbKUWNOR/6gOwe4iI+4q0OsK6gOwe4iI+4q0OsKiqk9C7XIO:7DQsHMJrbKBc0C7XIXZKNr7Jr
Score

1^/10
behavioral1 behavioral2
- Target
  
  De4dot [Modded ArmDot]/AssemblyServer-CLR20-x64.exe
- Size
  
  4KB
- MD5
  
  bfa084eecdb01f256a319d0265987280
- SHA1
  
  fbc420e5df0d363dc3dfba41b6e9cb02fd90c8b3
- SHA256
  
  291d34f2e417eaff204da8daacf8215248a943e96c8476abaf4bdff63382fbc1
- SHA512
  
  83480f9c0976bcc0d6002789fe30f92814f8bb99411c4083f3a2fbeaf5796f592caa72f64d329133d0eca003be84e57f06ee3eddbc24cdc875a0db232cdec131
- SSDEEP
  
  48:6rh1CxV4rTMMHtPDp21gDyMkKKrn4ZLCVCOpfbNtm:jErTftbpgvr4kUAzNt
Score

1^/10
behavioral3 behavioral4
- Target
  
  De4dot [Modded ArmDot]/AssemblyServer-CLR20.exe
- Size
  
  5KB
- MD5
  
  c0bb148fe70f58a3fe5bc59b9fb75011
- SHA1
  
  8b893ec93ec57e0797715658b7eedf6fab7c0ec8
- SHA256
  
  db0e50089cf8b71e660bcdcdff7dde554f77ecbeb9469cd75bb1764bcedcd8b2
- SHA512
  
  88d1f50caecafcd803747643182bf9f8458fe8beff896544cae7c8a7ba97812772c1d1bb8de2ce9d71b943b31ef13715e94a9d332798689cc7986f26b951224e
- SSDEEP
  
  48:6C1FdJYL4jgDMPtPORGrlv7TpKKWMACCVCGpfbNtm:BBJ7jg2txHvRYUIzNt
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  De4dot [Modded ArmDot]/AssemblyServer-CLR40-x64.exe
- Size
  
  4KB
- MD5
  
  beabd2dbdaee15eb90c5aa10cf7df26b
- SHA1
  
  6131aa0449e1cd3d0d51d4d1d5ba73486f8381a7
- SHA256
  
  e238499f9c3e7d7da98d15739b524ad3cb765f6ea5197569ba10f38adc9a2905
- SHA512
  
  fb1a5ba20e8e08dfe986139d8c292a46109a04d7d7f7d12ee2bd7d2f7df3f0b32f2a352d20ffea528d5b5c4b4761521590acef4cdf9316734f80194fddd2f438
- SSDEEP
  
  48:6wdh1CxV4rXXMMG1stP8yn3s4uVyYDyVADyqOKKrR4fNCVCOpfbNtm:BAErXXO1stkyc4urD0vr6kUAzNt
Score

1^/10
behavioral7 behavioral8
- Target
  
  De4dot [Modded ArmDot]/AssemblyServer-CLR40.exe
- Size
  
  5KB
- MD5
  
  ebc64535f7781c84c07b4abf21015f43
- SHA1
  
  b40e8b32b6e21324b1c95b299a7ceb9e119d56e4
- SHA256
  
  eaa825861da74e551fcecb253a1e6dd6ded5f87a8df9490a687e655ffdf9f301
- SHA512
  
  33b170905f951ec96c83538a1e5ebba5694f883a3b90318df60fcf703f5e707ecfb5db7a4f6e8af5f7340ae0fc99e642362c7f2d85c2238626f722cd4a0f09be
- SSDEEP
  
  48:6wAFdJYL4jZqMztPtF7GrlvdT/KKsMSACVCGpfbNtm:fqJ7jZ5t77unvnYUIzNt
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  De4dot [Modded ArmDot]/AssemblyServer-x64.exe
- Size
  
  4KB
- MD5
  
  89cebfa16f180ccbc4bc2241882ac0f6
- SHA1
  
  c9248aa3d7e398a635d77c58bfdc0deb45f1b24d
- SHA256
  
  c0c8af9ebc5459b4a5a78337aa7fd6d24d9dbab77fd29d7d119209eab0e08be6
- SHA512
  
  649f5befc48de513460d31ed90b2ced9dc7b8841631d710a1d5f879debe461db72b963a51ec515b03f4e47aa16abe111b6f9d150913920469297c02274acdfb1
- SSDEEP
  
  48:6nVUkjB8a4PCMdtPb3JwULy28WiJDFTMiKK/y3VpCVCapfbNtm:Ch8/P3tT3jy2xiJlfvK2UMzNt
Score

1^/10
behavioral11 behavioral12
- Target
  
  De4dot [Modded ArmDot]/AssemblyServer.exe
- Size
  
  5KB
- MD5
  
  dd347ec0482aaf33be80f5dfaf7b18dc
- SHA1
  
  d6f75c22a5e0b101373e735298ac2f2086670568
- SHA256
  
  d9fe389bd53d1070355230ff51b83822374e50928949ebd774a97d7396972f66
- SHA512
  
  b4d21b2da240d847499f4cb7b240da9b8b2fedf1886b9099a26bb6722fd2c480314d591d48ef850a7352e729a3df1570af517dd205658d691cb598ae81981ae7
- SSDEEP
  
  48:6LZVeoa5cclTJGB1KrMQVWtPq1RTzo1u6td5AnLbKKyOQD0CVColNpfbNtm:AcXTJsItWti1RL6tgfvzQRUoBzNt
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  De4dot [Modded ArmDot]/de4dot -64.exe
- Size
  
  864KB
- MD5
  
  5adaa98a0b8e6411899f38807992afc6
- SHA1
  
  286990f8674e0369a9c27f4ffc346383c5c4b03e
- SHA256
  
  956a589c4da96ec8386890e9500918dfbfbab1caaae0adc0b9366fa25dc46e52
- SHA512
  
  700be06def67aa38426cef84d1394f2eb6b30a198857f48df0d6449e85251ee8af764f2574c66e769980275613738056c68c4dfbd0bd74dc255e5dd90254fff6
- SSDEEP
  
  24576:H/1vb3S3HSpqUXw/bD/ZOGsoXio18NwV+Zg:JiHaIg/obVYg
Score

10^/10

asyncrat d4dot rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral15 behavioral16
- Target
  
  De4dot [Modded ArmDot]/de4dot.blocks.dll
- Size
  
  142KB
- MD5
  
  460a56f0d20dbf7c9007e0dcc43d4bac
- SHA1
  
  2bcedaf94ed27310201f4b9b21b43f46523950ab
- SHA256
  
  ebaff98125abd5b3d07abdcb84cdeda9b036b89e9f25b4c93b955863ab2800ca
- SHA512
  
  4c29667b50c334ec28ede51c86f2aab927878fdadc5a5c8187a92eff104e56322a0e745b6534be3d67905b5901eb8e12827d9330f4d85e81b9ec2f92d93c9410
- SSDEEP
  
  3072:duLC5gCWwih0uX9XP1o6LV7FA/Be+4XveGbGqUg:dKEDWwkX9XPfLxF2BUvekGq
Score

1^/10
behavioral17 behavioral18
- Target
  
  De4dot [Modded ArmDot]/de4dot.code.dll
- Size
  
  1.1MB
- MD5
  
  548b21f05bedbb66d643e685cb185dcb
- SHA1
  
  c4d72e0889e7ad10fbdc53bd42aea27987009350
- SHA256
  
  6bb44aad327fdc4f0ccb29094c54839d8d0775c5902cfd9aed958324958c3583
- SHA512
  
  06eb1a2f775cf887c84f56f6d65eb8da7587a5979b95deac669558c6c364fc9f3e1b0f696f8b66fa9956b4c250f221d80ec4d0cd44ac3032e8fe7d34fb95e684
- SSDEEP
  
  24576:M2dXdCFHEZFB4/Kq4K7oZKDI3YrZqSBSASb:vdwFb/foZ+rZqSBSASb
Score

1^/10
behavioral19 behavioral20
- Target
  
  De4dot [Modded ArmDot]/de4dot.cui.dll
- Size
  
  42KB
- MD5
  
  509cb694c9e01ad329209db04456238d
- SHA1
  
  2d508683f0dfb8631abd1b85a616ca3068257892
- SHA256
  
  ccb365bf9d1bef2ca6b51dc3e7e2502ac7ccb0bdfa5c75c91482fac6b5b740d6
- SHA512
  
  c9d2cb7c28a6df9c177142d056cb73d3f25e7ce1ce670c074972d8d0babca653d87cc11894e0048ce30da0558334badc74514557ecf4ba6e7207a351c5597148
- SSDEEP
  
  768:EEGnQ1DRMu5Bwe5s5ECyqG7lIRyj/BjpG4sz3BaI4oOLlKgph:EQdR7we5s5N/G7lIRC4ryKgph
Score

1^/10
behavioral21 behavioral22
- Target
  
  De4dot [Modded ArmDot]/de4dot.exe
- Size
  
  864KB
- MD5
  
  5adaa98a0b8e6411899f38807992afc6
- SHA1
  
  286990f8674e0369a9c27f4ffc346383c5c4b03e
- SHA256
  
  956a589c4da96ec8386890e9500918dfbfbab1caaae0adc0b9366fa25dc46e52
- SHA512
  
  700be06def67aa38426cef84d1394f2eb6b30a198857f48df0d6449e85251ee8af764f2574c66e769980275613738056c68c4dfbd0bd74dc255e5dd90254fff6
- SSDEEP
  
  24576:H/1vb3S3HSpqUXw/bD/ZOGsoXio18NwV+Zg:JiHaIg/obVYg
Score

10^/10

asyncrat d4dot rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral23 behavioral24
- Target
  
  De4dot [Modded ArmDot]/de4dot.mdecrypt.dll
- Size
  
  21KB
- MD5
  
  37aa45ea47234d472c35d05772d1840b
- SHA1
  
  b5b706055bc47302c62f2ecb25466733f9dfede8
- SHA256
  
  5545bba373e0cf8a5f25b114c8a422f15e0971344a26b4447985232c2d8bf19a
- SHA512
  
  61d29719a842b90cc2c669f15647e751d56307682b67bfb3af65136036889d259b7f58caabe2185ee7b93c004eaf85f8a5b0f884df99f69fbe29a9625d4e64cd
- SSDEEP
  
  384:R7tK8BynZxsbsfioH0M1yrLhDg6qTTuprXtiSQgbytJNu:+8snZxsbi/uNg6qTShwCbyt+
Score

1^/10
behavioral25 behavioral26
- Target
  
  De4dot [Modded ArmDot]/dnlib.dll
- Size
  
  1.1MB
- MD5
  
  de0069c4097c987bd30ebe8155a8af35
- SHA1
  
  aced007f4d852d7b84c689a92d9c36e24381d375
- SHA256
  
  83445595d38a8e33513b33dfc201983af4746e5327c9bed470a6282d91d539b6
- SHA512
  
  66c45818e5c555e5250f8250ea704bc4ca32ddb4d5824c852ae5dc0f264b009af73c7c1e0db1b74c14ee6b612608d939386da23b56520cac415cd5a8f60a5502
- SSDEEP
  
  24576:m+pL+hwfQvqx+yLjynb1YNzh/CNX7fegPeH3hid3Hc9ZEu5DkU6FPepU1VWv7fo0:sxvCLUJ
Score

1^/10
behavioral27 behavioral28

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Async RAT payload

Checks computer location settings

Executes dropped EXE

AsyncRat

Async RAT payload

Checks computer location settings

Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28