asyncrat

Target

クラック.zip
Size

13.4MB
Sample

240909-1ltfeatend
MD5

6c5fc1a3ba386a83c87700f54d62a96f
SHA1

a05f08de3e4f218ad2567a2695d0ca500fb48ecf
SHA256

67c12eda1cc8358e06ef29eabf1542bf68db9da45df65c52d0ac03246bf75e03
SHA512

0a2573e40287c35c5a05c9b84fd5fd41bacc16c1bb565ee823ff6a42610c151f460a4be6d7009f0a70b648234aa998af27769ae667f4649c223c39c07449a098
SSDEEP

393216:T0Wxsts7B2+qq0a1n5Gy0vdymghya/2yswYpmTg:wGg1+0a1nYvvJghD/2yMM8

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

чучундра

hakim32.ddns.net:2000

safety-bronze.gl.at.ply.gg:4444

Mutex

27b92504703b09d3ee2dae0873e8e3f3

Attributes

reg_key
27b92504703b09d3ee2dae0873e8e3f3
splitter
|'|'|

Extracted

Family

remcos

Botnet

AUGUST CRYPTER TOOLZ GRACE STUB

teamfavour222.ddns.net :6767

odogwuvisual123.duckdns.org:6767

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
-YFLE4M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\CDHWYSOV-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .CDHWYSOV The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/96209d228f54c75f | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAFL6Oi6kvjgyXEAhPFxBUhDKfhhwPINrBs0qIkTxGZ8DIfkGfsM6tkX3zjDpxDtkoJrcU6XafyHLzhQD6ngBMfx0qv84BVjujgNS7UzGHGdf4u7nyPA3ofFqAWDTJii1UPthp/qgWUvZpn2dRn/7/B6/zDn8NHA+Dix+OnEr4W6K/0ZgvI+yFWE/ah8Wk4jZd4xxrlivV08pj7WEzzbq4TZjsNUugcMn+TDi9nymLRL1fLQhWKMrM5vc51FN1y3cwoe7hUNoaAVeAcXnKbOtdWCkWUPDXw8RHlQw6N435RWHj4kk/MlMLo9igCHTfzPQ8eGsE4i9Uo83bV1dQFfbqy1ahhVkp3Ky10jzjLgcCdSVAnIF7A6TLvZXmbUrVrAAiLKtfUt7gHqki+Ffpke/sFgkNIwH7uvPmeBK/bdi44Gnp3OWbcz2RNf4KGQeB21uimcSdUhGlpNNVlw2fpVxF9t36z6FwS24zSqyh3ErgKSBmnlaK7ouYhcX3r12C2cjJ6Orzrrwn7FclPB/Tusqzb39zSUyYRMEKMSqD2LegUWSgNgcpD7oPoQHWUOxum4842oQ+Tue8DDiMwNtZGm/UTc1iVhMD4e/dgkjcYvTp5t5TC38iqHIqRTqHmLDus+su9GFbNghYMggDAxvyqztdh91DM0b8zSgUd1mwLqhCuVr/qxeD0XZYY025xTX+2XY0Y2A7swt6IngoOnYojQGB8BuTW9dDG/HYUUrlh4AmuLhJOOrMT3A/tXJhq79KFF8PbfBFmJ+eE/I9Hr6JVW1a3Zdp9D+LAwjeYCUfGWdwPXMbjWI0rUuIqRryVr4v4GdN0vHvwcVQXzrKmP1QtArwRJL3YxaESuliTvomnFf4BrkkpnOOlorRXyhV4CEL1eH0v+Ced1ih5sg4m6bFGAYVWV2AmLYeVR7qqXZ6ijWBjFvloR+fTbpURdS8SPtuuMiuxxti/enNCoMsPJ1k9k3Jr7YIPCXs8PaKTUY/PM2eePfuI2GTwN7RZ0cyu0c2OPjZT+DKp6sxtAzzgz2OpwMKNyAGNrs+BtBV8pvlK6Iz+3FdJgMo13dNLFRCcLTpbhucn5hhy2rIusrgz3CQdwh/LAICUSuEmvvmWv+wWbM2JaLcbCuil9n1HNXgMloN9hUuSNXezXckHC5AaOyT9faVDoB/QNfv1IsJ39z0vIvu/9db924vdyyr2GAyL965lmKhnda2jQu455QOhqNvtbfzarTc/Lym4cJidhwdFJjYkM7JvchjF8bAVL9W8pheRoTeWqTmyAHCh5w/3UlOoobMqsoiuak1eeMo9eoweimijBSPoOUZ5pxRtSBUeao8+YuRGG8fF3JBo5jkm2PIRPHXZF5ydR89QSh/woekEb5uddSrvwCD3uE3YiDE7hmrPkivm2pcI5iws8ycULEW8woiUlulZUMLgMSf75eI26um4uW3c69skVjdqcsT4VDuuSqh7h3vPfQEUhjr+AJM+eRej6bMTB9tStvqWz0Qak8ni3uPWmZf6TSYzmHoXphmciiSZTvCoGMj2eg7AnJrhgIc8iALVpAzwYG3gxTScQKRHqdpqjElyPWs8DWhdmWmBGaL/JKUTK5GcTUDZ3sCImrtY6I8ytoxAvwWBmTFUuvz35rKB1Qo/Tqhk2VWgLfYnofs/Ye9cfrPZt+DMmXJpeW43g308YZ4A8TNktzB5CW3N/H0IzQTtt2m3lxpgvJ1c/c7OLKL3q0FqrQihhQN4iR9E1YxFh2h6k6/teTpGx0pbdem5JQ0I6XNR4+Y3ne2yTYsJ9Me6RUSJ8QOhxC5Hh7HV5zPEZCiYR2uHO9GGNJornMP8PysHZQ15ZiAt/myRX3pNgA7P4DTdg9pHVwiwUmJXdhL/5U44Nj0W8xuaOMo6iC9f8gp08NWYjV+chBO6VUBuRP4x/+WKPaMP0a7vFurF0Xo6+/fDOI6sfKpXJ+WuE8ROHK3XUQma6r6/K/0Kic8xS5vKORRWhZ0Jmac3G0lB0p6lsRw7DJGVEXovNpOtDhpTBq61zIzqXvOey33RVLxjcRgH+FRDJ725IQbsjN6IkRQKzqxNoR1ffa4uGzuQBHH3HKsPGJS+jdCotutsiAlbRuDflE20PVnHQhlj0HLLTt08zy144Jg7oBqeZkIeTYZYYfON5iuOWvEYcxlyEXUvT+u3syEoAPCpq+9PydnifHGqiqNbUMYXjZHozNu1E5O69NdL656ANgDSijdSIi6RybsPI= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZfToFRunYP7ntWvLfSTHKHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB6eKi/2Q2EesvGo9YblqBBi/t+xHTEd0b8icV4ty4bab3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pDhFN3vPLOeap1w4ZMnQURlWKYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9XQ3DC2qZAEuDtLkioBZ9MNJGhHpcOfb/LRc8P54k7V/HuibORzJL9NXYEh8sz/ewORahtHP+ZbmbW4eJPXp1eNtQ19EJhJFLe2qhgw2mJLRMzwAtbfjn5E2ENiW4EkrJfTw== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/96209d228f54c75f

Extracted

Family

njrat

Version

0.7d

Botnet

kosomk 555

dovelabobzgnan.ddns.net:5552

Mutex

a8c0d4cf5cfc2cc1149b5e071c2ab5df

Attributes

reg_key
a8c0d4cf5cfc2cc1149b5e071c2ab5df
splitter
|'|'|

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-2718105630-359604950-2820636825-1000\EHMXB-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .EHMXB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/86cc2bc391691f28 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAD6GYwYTtlP9K6GEPIjjqMoznb6WM7TJAWo9JJYoj5D8ttI4wJ6VVMxcSYYs2H96y+Rlp2VDbe6KnzKjLUIUv3hS//Xx3BcTFY/YxD6sXH6VswVcofxrs5WSL4hh9DMfMRtXTdY0APUt9Untlwik3+l/bbymWF54GRgkvgmZtSH/zN1dn4GWqC4EKZGBxmW9Tj00b//y830RTfeofsNDIuP88HmiFM+veJrOaQJE/kgLUDMt0wKSt7uA7H4kWrRiwKB7SdzRpc8+J/QOIjimGi1Se/Qs/NobMG1S8ZcmsmXWMAmeQB0cVQPbhCKLv7Dh/QmRMJptUIsnLBaaAld1rFKFyvBz6dpKUzDrmbEslMyVpjtDWjbGV5oarkADcDIqX/xQybTme5y6iVZN/yyKhLFSmg0cmvGxEgXtAHJxpyLoLnOjMZQ79sFzy0QJ8xyXuZbBteUda+q9sQeEySedgMfsjRkfJ+l/dwo2e/zkB9mIGuqHrxLhQvOREdbPwKACMsTFUF3zZpy+vtwOepvH5yAIHpBbJ+HABcIVKWfYSosI2EBZMcGt6kWPtY29sbCjDveszmyZ8hyiEw7c+QFS/UXmxoggqbCd6652VsroZSD5t0UwGPD+Mph3/Wtlx9gz6vzcF2ufW3uoI58tE4rcSJ5IGW3Sj+0Bu9ecm0od988dGFNfdtZbRCyM6AzMCc9lj7n7o76w8vcEkU2PYdgC27qLOM812LVmcxf05lDdT7oHsQxz4clQazgwtSSIWENAZSUg244DCtgJ5uptXVAmPWZXT/qYU8KBnvo4T6P2Kff/vorARJgN63L+XEtQx/9TXpKgK/2HEoRI5OvSLU1Vo8RRwkzKFQ5c31UyoUcKtqPMZlY7riLTioorxjFSkFSyjTzywdh9H4rxzn/leqW9cYrob3+1SYCXyKbd/codrvMWxSXpjb/z+GwhWA77oyuVt2nRLp6gNvPNLrf7r1EFtnp/qkn6fZXodzV7cq2KASt0yS0oy+kGAYT6iL+gJO1NNIC96Dg2GOVKy7TLaN3ES1DhYBpMwFYjFwPGNzthXfQQRngAappuNsLnd21849PybVoVfSW4UVg4JuCEIo7t9bNmkWmjWb/i9vs2ODX4HB5By45FOH5qpuI6xMZSVyJJSWm4KMDCeQxOWIHylsz98D3GYm7pPvAAu7PoaTWLj4hJeuQIo2dKUvw6U0syu5aRE6cS0vIbW9k75GsxCht6N2gvkjW/iFRQFGhAToXQPGcGLR72pmiBGiKZdipsCtPQinOSYiHc5ac1fXriXBt4MGcemcxP6CKvTStZmYJQnenjHTvGcRXiG8BeDG2zRdcsh2lUYggQ+IadDuszdew0Oa6+Q8RMB6wFYiyHZgFFvyoZnzXLnEzwLHSTmdDLPPutUy2irjFsKc1og+ZXsDxoClIB3B9LNXlMli3GXTXlW7QUMCBfFpvkVNPcNejA7FYrttgNZsGFNU2RabmcjwsKIJREnrEDCHsrcfTxOXzq4Gxct/lkgz+ZE1qdPmgjDzFsxxpW3f2ojS4+6GO+G83U+p4tIyRp/EEBO5KZP+7+Hb4NprdUObZQw0KMD8rbvGSipqg3ypGwID4Hwsr32mm7Qy7CRd3g4ZNtaSGIiPEoshsnKmtlCWsVXk43HYShAX/vreJOh/K3iXKl6T9AIzXl/RF2MbiAKKG2Bsek+9UjxjAHHufrnMmvoqDLpVS8/dYFfjkiUkfIpTe7TBQxIbEjgmXh9GN0HXYUEOsqypwHNecpyVagxWv7XLb9FZ0g8XpLuiKTcHqg/COLWqgvp5iZWlBoGoqmYQGogC9nvVeu9CcBpGHTmyLAnDnZt+tias99CP+x7NZZKFzbsY6KgGJ+f51VFJsY5wQsmP/9xtS/4MD8UDAT3PZ3RbyvfsRz7LQ/qlAdHSH/FwAyfTOVCgPjAqBuLZ95k9HmaCx/IGcgefahBwPNBMm+UFhhe67d9FLQDdvtA3cDPpvwl+Vn8tFufsFb0KEL9QAk9/MG/Sjx0xVS0W3RbJs9YTRdtEHe1vwKo1yoARg9tut4EmIyP8mGlG49u+mPE3RAdsVDI1MAvQbIJUH2qtw7ugJ4ZvESIRlzaRy3skl5YgAQp8rZEau7S5r5wvRQbmMz8Wl8n08Fg0RKjqVlC0MDVPOIM5y24gZn/VbhEw/CRfwPAEIA9ykmDItckcmtWwYk+600N9MCvQ2JOxg/LmrQMjzUE40Qy6p8gvmR8JQ= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZcTo1Rp3Yd7n5WrbfYTGqHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB6OKi/zU2QuskGolYP1qABi7trBHQEdAboCdE4tu4M6b3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pDxFI3v3LNOah1wQZMXQXRlOKYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9XQ3DC2qZAEuDtLkioBZ9MNJGhHpcOfb/LRc8P54k7V/HuibORzJL9NXYEh8sz/ewORahtHP+ZbmbW4eJPXp1eNtQ19EJhJFLe2qhgw2mJLRMzwAtbfjn5E2ENiW4EkrJfTw== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/86cc2bc391691f28

Targets

- Target
  
  クラック.zip
- Size
  
  13.4MB
- MD5
  
  6c5fc1a3ba386a83c87700f54d62a96f
- SHA1
  
  a05f08de3e4f218ad2567a2695d0ca500fb48ecf
- SHA256
  
  67c12eda1cc8358e06ef29eabf1542bf68db9da45df65c52d0ac03246bf75e03
- SHA512
  
  0a2573e40287c35c5a05c9b84fd5fd41bacc16c1bb565ee823ff6a42610c151f460a4be6d7009f0a70b648234aa998af27769ae667f4649c223c39c07449a098
- SSDEEP
  
  393216:T0Wxsts7B2+qq0a1n5Gy0vdymghya/2yswYpmTg:wGg1+0a1nYvvJghD/2yMM8
Score

10^/10

asyncrat dcrat njrat remcos stormkitty august crypter toolz grace stub default чучундра discovery evasion execution infostealer ransomware rat stealer trojan upx vmprotect
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Async RAT payload
  rat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Modifies Windows Firewall
  evasion
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral1
- Target
  
  クラック.exe
- Size
  
  17.8MB
- MD5
  
  61bcb94052e57f07e8c662a80d8c29c1
- SHA1
  
  db9d2e9e37eddedc1722727e8ce5a0a242a9ff10
- SHA256
  
  3b0cfdd500288507ec287e0e2f33d7acb7a2bcad1537fcfb29a47a4fa7cc23a6
- SHA512
  
  7f9f9c2c6cd5dd49baf6791808e5a31c9e4726d27f87aaad8e2df75ab2a0dbf20956d0bab8761a9e742d1fa85052f9f7f0ae8e6cf269a0761053786e547935a1
- SSDEEP
  
  49152:U6m1Vv6+nTCnjhT5iD1hTIUGzVnDk7Q3xCDza91PU3i/hv/kklWHvv7vTRZOp6/u:Um
Score

10^/10

asyncrat dcrat njrat remcos stormkitty august crypter toolz grace stub default kosomk 555 discovery evasion execution infostealer ransomware rat stealer trojan upx vmprotect
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Async RAT payload
  rat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral2