asyncrat

General

Target

YENB0G9CNCEL.bat
Size

1KB
Sample

240812-tt8rqsygpr
MD5

0850bed86b58f6cc688a9bdc572cbb09
SHA1

4231a90ab16aa0486d28a07797977154c0407db6
SHA256

21d7310605e581dbcd8a1c485e6587969c4220cc34962f632735facee89f356d
SHA512

75c7cc7977e4e641b02c7dea16dd4b0d11d1b867401cd11900d38b62698d3614125576d6ba1156d8e4843b19d081ce7399f9aa6e3539bf7f2692727d43d1578d

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://sw.lifeboxtransfer.com/v1/AUTH_LT_fc856d57-7abc-4ad2-ac90-950f9e675133/LT_2b3e0aa5-ea4c-4b6c-b4fb-ffd97f55a523/ba8ee9ec-b88f-4790-9a20-15398c1906da/e12f0f2d-542f-4d56-ab33-6696336c0e9c?temp_url_sig=f59339ce78a96139157b21132687d93c516b7e0dff5892c1129220cdce51dcb2&temp_url_expires=1722978000811&filename=AE.exe

exe.dropper

https://sw.lifeboxtransfer.com/v1/AUTH_LT_fc856d57-7abc-4ad2-ac90-950f9e675133/LT_2b3e0aa5-ea4c-4b6c-b4fb-ffd97f55a523/719ce3c5-8399-415d-82c3-ba4c5ebae040/451e981f-3416-484b-ba8a-6c3aae1417f9?temp_url_sig=556153ec968ac29ad231ea6c322f68ca67bb5cdcaac01d58e5fbd2c716a5edd8&temp_url_expires=1722977955443&filename=Client.exe

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

185.169.54.165:7331

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  YENB0G9CNCEL.bat
- Size
  
  1KB
- MD5
  
  0850bed86b58f6cc688a9bdc572cbb09
- SHA1
  
  4231a90ab16aa0486d28a07797977154c0407db6
- SHA256
  
  21d7310605e581dbcd8a1c485e6587969c4220cc34962f632735facee89f356d
- SHA512
  
  75c7cc7977e4e641b02c7dea16dd4b0d11d1b867401cd11900d38b62698d3614125576d6ba1156d8e4843b19d081ce7399f9aa6e3539bf7f2692727d43d1578d
Score

10^/10

execution asyncrat default discovery rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2