asyncrat | 43a46c8866fdd9b7fb23d0d2ab7a2676f0637333e500cf4e32ae3bc0b88028ae | Triage

Sharing

General

Target

Aircraft PN#_Desc_&_Qty Details.vbs
Size

2.7MB
Sample

240820-xx7wdssfkr
MD5

b6a6e732e7843e8af8468793eaaa294f
SHA1

4de793698450915e784e3a7f9df99b5b74241979
SHA256

43a46c8866fdd9b7fb23d0d2ab7a2676f0637333e500cf4e32ae3bc0b88028ae
SHA512

e37f804bb9020e51ac1ba8381aeda15ad5a2dde6ac875478fe0c5e6d3dbcebc38b6ee752604b21174b8198752219ed98e4bd423a0c24e1fa541d2d18c89b6e24
SSDEEP

768:pddddduddddddddduddddddddduddddddddduddddddddduddddddddduddddddo:TVKgi

Score

10^/10

asyncrat putty discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://bitbucket.org/556ghfhgfhgf/fdsfdsf/downloads/dllhope.txt

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Putty

C2

krecgh.4cloud.click:6943

Mutex

OjZL4DoWlVCn

Attributes

delay
3
install
false
install_file
Automatic Settings.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Aircraft PN#_Desc_&_Qty Details.vbs
- Size
  
  2.7MB
- MD5
  
  b6a6e732e7843e8af8468793eaaa294f
- SHA1
  
  4de793698450915e784e3a7f9df99b5b74241979
- SHA256
  
  43a46c8866fdd9b7fb23d0d2ab7a2676f0637333e500cf4e32ae3bc0b88028ae
- SHA512
  
  e37f804bb9020e51ac1ba8381aeda15ad5a2dde6ac875478fe0c5e6d3dbcebc38b6ee752604b21174b8198752219ed98e4bd423a0c24e1fa541d2d18c89b6e24
- SSDEEP
  
  768:pddddduddddddddduddddddddduddddddddduddddddddduddddddddduddddddo:TVKgi
Score

10^/10

execution asyncrat putty discovery persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

asyncratputtydiscoveryexecutionpersistencerat