asyncrat

General

Target

Rebel.7z
Size

8.0MB
Sample

240904-2a4bxaxenr
MD5

06598c035db9cbdfd2577ded793b97a4
SHA1

e2de172829430cecc3dc35b6e37167f13e75b301
SHA256

ebf1f88870aadeb5f22a893b6670c6ac9aaccef37dad26317e000146e3cc8a41
SHA512

502c56f1c45ee81818c119266eb1e782acabd5dfe2bc7c34c7ec4bb1dae2cb4905a19a6a9b86f761a189d02e972b17a156758f3ed7757545353d4480142a0931
SSDEEP

98304:WXd9vCIRiRGhnMj5gm0y0BAdZouKmQbbjktSZyv3vPYdlQ89lc9uYPvANDntb4/6:UhnayBEAyfvPYdlQowtPvAVGHC

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Rebel/Bin/Injector.exe
- Size
  
  4.8MB
- MD5
  
  8da7ffaee1e5988d56e536d37a5e5d7d
- SHA1
  
  ed799e5ec866ec3dff0bffb306de4b1ab2ca2361
- SHA256
  
  7450c90fad1d9ed73652c7fee391adb41ee2c62d5d43f3bdcab945e3fdec5485
- SHA512
  
  34579bfbee7ec802322b12cc91276dc440d2df63d8e02b55ec303a19b4a198810a97157cf82739d0c30a509928d797142cee133aec994f0c8f5c58c5a6aebd16
- SSDEEP
  
  98304:2sscM3M0egRUUYdiVF0Zx5NMEuRdvwp1cpY1t83Szkkak0jIiGELfHNz:Vrf0egyUKiVF0rF+dmcQtQSzkkakuR7V
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  Rebel/Bin/Rebel.dll
- Size
  
  8.6MB
- MD5
  
  660d2429fc5f088bd197fb0958303936
- SHA1
  
  4189d1ba115f9e00caceb286f22655c6988e1eb6
- SHA256
  
  c9b95b9204234edfab46912d21953e3a6985a6b7d50c4fd63372e3d5361c7f3d
- SHA512
  
  9875fff045460f77dfc21cecd1de326d67778efd12fe8f53fc09bacfec807a9309752ed4bbb23653060fbee9152dd7c9a9bfda3a0c13c0375a1db932a02a197d
- SSDEEP
  
  98304:kz+S5QwKbQLCsjIpdUqsQf3/sfRMyxl5dn5Sz29f49EzFgfVp+t:WrS2LXjIpyDS3/0aWfmC
Score

1^/10
behavioral2
- Target
  
  Rebel/FastColoredTextBox.dll
- Size
  
  323KB
- MD5
  
  8610f4d3cdc6cc50022feddced9fdaeb
- SHA1
  
  4b60b87fd696b02d7fce38325c7adfc9e806f650
- SHA256
  
  ac926c92ccfc3789a5ae571cc4415eb1897d500a79604d8495241c19acdf01b9
- SHA512
  
  693d1af1f89470eab659b4747fe344836affa0af8485b0c0635e2519815e5a498f4618ea08db9dcf421aac1069a04616046207ee05b9ed66c0a1c4a8f0bddd09
- SSDEEP
  
  6144:0R0J4lx4/7BA4xvNdcwCOg04j0y5mwZkdmsqmLDi5eNH+Dl1SIP0:0R0J48lAovNd7CO34D4b4eNO
Score

1^/10
behavioral3
- Target
  
  Rebel/RebelCracked.exe
- Size
  
  154KB
- MD5
  
  76b3ef39824d31fde7ca5d27ae8700fa
- SHA1
  
  c03994080a4f1038d4a624499acedcf0fea737f3
- SHA256
  
  439096c4077b5a1ad2e2ad232fdaeeece05a72e6a69c16d11a624b665dc428f3
- SHA512
  
  3246594017abe3c4e208ce270388feecf23ec3032de73bb380aaebd17030263ff00e8270b2ab901efa993c2e896cd28a091b2b9a49986c98cd974826641f240d
- SSDEEP
  
  3072:0OovaAxpeK2dWUi60uu0JpZmTKv03lqUmPT01oSVeT5iu9d7:0OcpeK8lucpUCKlqUP/M
Score

10^/10

asyncrat stormkitty default credential_access discovery rat spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Async RAT payload
  rat
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral4
- Target
  
  Rebel/System.CodeDom.dll
- Size
  
  30KB
- MD5
  
  59c830ac0d99f8c906292de85f804b84
- SHA1
  
  68b6740e6ce97de8b1398f3a6e320940a0e16458
- SHA256
  
  e8c88b0448083663910587efeacb6a1977749fe3ffe83b263fc01f7b63d7dfd2
- SHA512
  
  4028fa6b68eb3a48bb9625e6755c8e3022283694bb603905af3db54c31bc2f7291aec11f7c42a033703f84c3ff265a19416eb8798058cc42ee3c14c633e9588f
- SSDEEP
  
  384:FuE8ujCiLMTPji3h8241EEqYC0iIcwBxehzsCtZ7U6r1fDMqyt5/WduWTTb2HRNq:FDBCi4TWaveEqYChzZpgRoj/iP9zgBV
Score

1^/10
behavioral5