asyncrat

General

Target

SecuriteInfo.com.Trojan.Siggen29.13373.31943.4048.exe
Size

322KB
Sample

240810-vzvbzazbmn
MD5

328b3cd833cb83faee5922244a1e7db6
SHA1

d7ab82401a0a02563d80ca2a417043c2917095d5
SHA256

30423fad469c19c4fa41f1028dcb5f393931125f000e50e20cbaa8301fa3e973
SHA512

8e90f4473e54134b459341b177a2c0116424de816f2791899f2d7e7c03fb4db9c761040c0442dab00e4cd20e02c613172c6de8610a1e718fdab69181bfbd2382
SSDEEP

6144:hXUqQ1N8txf0tk5kKLJ4y8TpXr3NgrRoezt1aOIkHgo2TWo:qqQ1N8tMYXV6XiFoeBHgo2a

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

176.111.174.140:6606

176.111.174.140:7707

176.111.174.140:8808

Mutex

QaF6X2cpj8fc

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

diamotrix

C2

176.111.174.140:1912

Extracted

Path

C:\HdbtqCuyh.README.txt

Ransom Note

[Your Files Have Been Encrypted] Hello, Your files have been encrypted with strong encryption algorithms. To regain access to your data, you need to follow the instructions below: Do Not Attempt to Recover Your Files: Any attempt to recover your files using third-party tools will result in permanent data loss. Pay the Ransom: You must pay a ransom of 1 Bitcoin to receive the decryption key. Payment must be made within 72 hours to avoid data loss. Contact Us on Telegram: To get the payment details and further instructions, contact us via Telegram at @BIBIL_0DAY. Decryption Key: After payment is confirmed, we will send you the decryption key and instructions on how to unlock your files. Warning: If you do not contact us or pay within the given timeframe, your data will be permanently lost. Do not attempt to contact us via any other means. We will not respond. Your encrypted files are your responsibility. Telegram Username: @BIBIL_0DAY

Targets

- Target
  
  SecuriteInfo.com.Trojan.Siggen29.13373.31943.4048.exe
- Size
  
  322KB
- MD5
  
  328b3cd833cb83faee5922244a1e7db6
- SHA1
  
  d7ab82401a0a02563d80ca2a417043c2917095d5
- SHA256
  
  30423fad469c19c4fa41f1028dcb5f393931125f000e50e20cbaa8301fa3e973
- SHA512
  
  8e90f4473e54134b459341b177a2c0116424de816f2791899f2d7e7c03fb4db9c761040c0442dab00e4cd20e02c613172c6de8610a1e718fdab69181bfbd2382
- SSDEEP
  
  6144:hXUqQ1N8txf0tk5kKLJ4y8TpXr3NgrRoezt1aOIkHgo2TWo:qqQ1N8tMYXV6XiFoeBHgo2a
Score

10^/10

asyncrat default discovery persistence pyinstaller rat redline diamotrix defense_evasion infostealer ransomware spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Async RAT payload
  rat
- Renames multiple (678) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2