asyncrat

General

Target

クラック.7z
Size

13.6MB
Sample

240907-xbzynaycrj
MD5

54c52e25c1c6a0317989132380dbc657
SHA1

b94d9cc24ef97aba0cb888332689f58c45733515
SHA256

8fa20e75067bd411342a6e03a8ec28a484d4d412981236fc3b009d9f424a60dd
SHA512

acb98dea4e7ac49b385d4a67190001255a006d4307576cf67cd838f38424a723008f360d7c0f7d0dc7ea337d83ac097ea1b59722938e800174f52829ad1e3907
SSDEEP

393216:EykaltwhhSK8bAdRTQbMnAqXQrLgQ1zlE:EyVXoTQbMQhxE

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

remcos

Botnet

AUGUST CRYPTER TOOLZ GRACE STUB

C2

teamfavour222.ddns.net :6767

odogwuvisual123.duckdns.org:6767

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
-YFLE4M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-4182098368-2521458979-3782681353-1000\APOCBU-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .APOCBU The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/3d14d11fb9b6f438 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAALzY8nZgxFl93EoG+k/Tbo0xq7e4RXNLpru9OPgbksj2e7N9RBDo99daxHFovSG2PWnAqdZ7+L+zyK3v7KFySUgg2XCEubill1VBRN27FmCv/NlRM4W90VGsTn6i/nZLriSRANErkO/5va17HbnSgXae/rb3vzAQrwhiaUhooA2PvqIcy4J0xbUkq+grbf8wvvdHxe6E/LILc3zUSpTTJqedy6IReuJmK4TjeRMItby8xPSsYESyC7sUISpUUSJBM+zKPRcA8gFZBBV1g1VloVKo8Im7cp/yX5wmVFibjvB9bF+7aLDZgi1BgmPGRnYDlA2uUfBqcB+77vWFhSndl1lGfqqqe00RxK/Gc5X0tOeAMcFBHx60xOpRIPt5MAoQVdbSMdLoBp9P8hblALLDI66SY8CCzct3N00G4EG1opXAdw79+dHb/oX7c6cideM5lMlkKy/Xaxxkuae0EcrD2BtL4zInOJ2LK6MuFsYuh2OrBPOGa5RTvH/Qd5N356hqsRw7Mx6BMysIEW8gMOIyjq/cO2Quv1CHjXTvOBMoEYKmgF9y1dP/JWSRZn5FiZ0Sou0cC12Wf6+J0rmZmRNkPzjXpRlqH1s61yJGXz+tcrMHBOL2/NtCCOOjZWqOlavsmsrTPDY4wgiXfxG52TAIL5sqgYevfMlFNBDWB1Cqk2DI/rZAYM0YSn+9ijrQhX3+aHX1VTZgqVQv50R2QlMXV2IJITnzOj5MfZL5qjrq0rGhBwcTXdmMlVtKoy5MwJ/l1RGPcU+GJglkyTPU7A6+44t2gTJDtR5EByLi9u4RUI9orka6gaP1bq/GTS6WyVHR7boTYtIpWAnWhbVE7M8ZDfTbr7p6FxigdxoC7+Laqb3rSwXzl0nL+v0V3H1lrxM/IwUZtluHYG2HbY7czXAoE5/bImm4N7XtKouIPwUYWu8YgPHar/cxRIaVyVjEIy7UPcOIjpQykLw7uT0Apo8rKuWRmqNRLWTLRqTKO9rblHQHU+UVLcCQ2I9u7D408+CSQhpAXwaEQ/gTdA76hY9k/c+gExpagKbxH0lHRb8gGukYJwA9rMmzTlOyUrZawFTS4UF+vPPRc29N0CQMWY2qzml7JC0Vdz7tPU8Vl6nDBu4TFrMOi9ql6UpmdgRizSNFBkPlWZeMoL3Bn1nujlFJT/ni1kDjIaJwsOVqeuzpEqXDfocNwAgd68rG0Txa1POhj1gwdJcbIG9ODuT7KLQ/EiGyWCZf5dPLjO9xeFYvTsaAbEQ7ZztRdVwljQnWBFJV7iE3OlCzZKlosVY6A3U8ZDODmt57FJQgfDjoYVPM9e+ftFOFgFGKap8pbiQabzgfGyMIh+CvKt++VVwFCB8jFVfNIZFYVoTFQ+5cOHwQ4sPfrdEKG8xFqXXCW/NYpRm+QaJxJM1mm0VHqSO4IQoAURqnOhFeW0TFyqBWlLyO1OxxcjG2YKyEG5slYzfKMG1CQu1bkSxx6xaLVntJtL7rJazNDeihdfpGOjRKC/UXYNcAhlD9kTP0mOxE2foVwVFhH4+Xb7tgq78//9/lGpffNqyaEWKaH2i1ODF78136jwVnSXsd+pROUkYYjOCTlM7T2POZTykp/KNsGJy5PMrDzGi9z9yFHHTNr9rhD3N6b2j0d8iPSnjRFVRAviB5d6onSqB3mz/STObLDmeq9NCRYUIt3vs/I1+b21PT6LalmZNDQHQetWclSKrZyT9qUftAYVAIiNhNiDv/pB+zsl2jKf3AfHlPc8N1kiGORafna/FGMjQEUy8MrqMbBSnW2aaPjDPVHvN3Fj3gyLsFaQ36jj9R3GuA/Bo/DRCtL/e4w2kEJo8eD4FxuMC57xl/PkHfUs5BrE1LtTEw4utarw2PXvSMhc849uXULInhxLMpHBH5CxXQzzRuEL1wkMa7ktdvXFq+CsKAgPkqx5fZ+DTnQZj1XOLRx7PKxsXig7txXDk2QPzDCcO9uyfemlbt1AAZ+fSVTtoXd7vIqq+yIQhtKiHxNQKXSALY1m1HTAVnIGSvbd0dwXBU58xZ1WHAJq59ULAPrBn55t8p4w9aBkG6qTVlr026cVi2dSIx2alM9IyXTOIHFuL97O1J17oc4swdld91xBLAjTYIB9sBE9KDOGpNO1O+jUh9yvCvbZun1gAW9rxlPl9C8dHFVZSCVrnVxZtNicnKCK4X57Q8kapon2TjL6YekZTOXvarlNj7kultQh7U08IZ3Y5p2oTQYorJRnvpuGk= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZaTpxRunYL7mpWvbfcTHWHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB4+Lw/2c2FetyGtpYbVrVBnXtpBGEEd8b9ycW4tq4M6b3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pDxFI3vfLM+ag1w4ZNnQTRleKYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9XQ3DC2qZAEuDtLkioBZ9MNJGhHpcOfb/LRc8P54k7V/HuibORzJL9NXYEh8sz/ewORahtHP+ZbmbW4eJPXp1eNtQ19EJhJFLe2qhgw2mJLRMzwAtbfjn5E2ENiW4EkrJfTw== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/3d14d11fb9b6f438

Extracted

Family

xloader

Version

2.6

Campaign

eido

Decoy

revellbb.com

tempranillowine.net

viralstrategies.info

blacktxu.com

flfththirdbank.com

vaoex.com

theselfdirectedinvestor.com

vinadelmar.travel

othersidejimmythemonkey.com

jaguar-landrovercenter-graz.com

supremeosterreich.com

chatsubs.com

free99.design

serviciosmvs.com

bongmecams.xyz

malikwoodson.com

onlinegamebox.club

694624.com

yeezyzapatos.club

istanbul-hairtransplant.com

Targets

- Target
  
  クラック.exe
- Size
  
  17.8MB
- MD5
  
  61bcb94052e57f07e8c662a80d8c29c1
- SHA1
  
  db9d2e9e37eddedc1722727e8ce5a0a242a9ff10
- SHA256
  
  3b0cfdd500288507ec287e0e2f33d7acb7a2bcad1537fcfb29a47a4fa7cc23a6
- SHA512
  
  7f9f9c2c6cd5dd49baf6791808e5a31c9e4726d27f87aaad8e2df75ab2a0dbf20956d0bab8761a9e742d1fa85052f9f7f0ae8e6cf269a0761053786e547935a1
- SSDEEP
  
  49152:U6m1Vv6+nTCnjhT5iD1hTIUGzVnDk7Q3xCDza91PU3i/hv/kklWHvv7vTRZOp6/u:Um
Score

10^/10

asyncrat dcrat remcos stormkitty xloader august crypter toolz grace stub default eido defense_evasion discovery evasion execution infostealer loader ransomware rat stealer upx vmprotect
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Async RAT payload
  rat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Xloader payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Legitimate hosting services abused for malware hosting/C2
- System Binary Proxy Execution: Verclsid
  Adversaries may abuse Verclsid to proxy execution of malicious code.
  defense_evasion
behavioral1