asyncrat

Sharing

General

Target

4363.zip
Size

4KB
Sample

240812-1ah6as1arn
MD5

c62219655bc4fb0d790cf164313ec041
SHA1

1d87e99c70d93d15bac14d366e999b5fe55c805c
SHA256

12242edf565ceef037f775a78b12ad09d3237e57c77e403a8653160e27ec6d45
SHA512

7e1ef77a8bfefa8092a6e7bf1053a13a6ec212d2b5c661ac14c2f4c8c07468811c4474656e0a2ed4bc746926a3d271ae99424d59a3a9e155c88386cc6756243a
SSDEEP

96:8Bf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcE/:8BfwncSf8Cv3w9DZjKXjmBIKEvLs97DM

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
194.176.171.1
Port:
21
Username:
ftp
Password:
password1

Extracted

Credentials

Protocol: ftp
Host:
190.210.181.4
Port:
21
Username:
admin
Password:
aubergine

Extracted

Credentials

Protocol: ftp
Host:
80.86.146.5
Port:
21
Username:
ftp
Password:
root

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

100 RND

91.92.243.191:5401

Mutex

6871a79e-e4f7-4fb3-ae38-dc20c1d657a0

Attributes

delay
1
install
true
install_file
hyperhostvc.exe
install_folder
%AppData%

aes.plain

Extracted

Path

C:\tbHU4R71K.README.txt

Ransom Note

~~~ LockBit 5.08 the world's fastest ransomware since 2024~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom BTC amount 0.02 BTC amount 0 , deleted all files from you PC, and post all infirmation to public. where send BTC: bc1q3jwsuxq572pucdcdytd420fvsvysmn2dquh0mk You can buy them on the exchange or at an ATM https://coinatmradar.com. You can find the addresses here buy with credit or debet card online https://www.moonpay.com/buy. After that, send a request with confirmation to e-mail , faster way! [email protected] or [email protected] If both email no answer, you need faster answer and unlock please use TOX You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, tox. Tox ID LockBitSupp: 47C90F99E92AC0ECEAD8C2BD15B21866EBC1195B6E2B0412CE3658E21B696843FF4A8D144B24

Emails

[email protected]

URLs

https://coinatmradar.com

https://www.moonpay.com/buy

https://tox.chat/download.html

Targets

- Target
  
  4363.zip
- Size
  
  4KB
- MD5
  
  c62219655bc4fb0d790cf164313ec041
- SHA1
  
  1d87e99c70d93d15bac14d366e999b5fe55c805c
- SHA256
  
  12242edf565ceef037f775a78b12ad09d3237e57c77e403a8653160e27ec6d45
- SHA512
  
  7e1ef77a8bfefa8092a6e7bf1053a13a6ec212d2b5c661ac14c2f4c8c07468811c4474656e0a2ed4bc746926a3d271ae99424d59a3a9e155c88386cc6756243a
- SSDEEP
  
  96:8Bf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcE/:8BfwncSf8Cv3w9DZjKXjmBIKEvLs97DM
Score

10^/10

asyncrat phorphiex 100 rnd collection credential_access defense_evasion discovery evasion execution loader persistence privilege_escalation ransomware rat spyware stealer trojan worm
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Modifies security service
  evasion
- Phorphiex payload
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Windows security bypass
  evasion trojan
- Async RAT payload
  rat
- Contacts a large (5221) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Renames multiple (805) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Stops running service(s)
  evasion execution
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1