asyncrat | 0269a17c1d15a00cda8161abdccc96ac446dd15379b0828463093fe4c40afc64 | Triage

Sharing

General

Target

0269a17c1d15a00cda8161abdccc96ac446dd15379b0828463093fe4c40afc64.unknown
Size

6KB
Sample

240919-gvqlbsvbqq
MD5

26b251a59dc03f6ce1503678d0dddfd2
SHA1

cfa1814660079da10073d0e78d3277f83c40d3fc
SHA256

0269a17c1d15a00cda8161abdccc96ac446dd15379b0828463093fe4c40afc64
SHA512

d68634da8b45ca9457364ac6e67e79f6fa689e08ddc4fae443c08f8af563728fff25128bae6f49348ce2c4d4aab78727248bdace6e5f1e994d7f8dfba44808c0
SSDEEP

96:ur2TPTPXoPlhotyH9/qLr2TPTPXoPlhotyH9/qo:u6csYH9/qL6csYH9/qo

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Default

Mutex

AsyncMutex_alosh

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/89imXRj4

aes.plain

Targets

- Target
  
  0269a17c1d15a00cda8161abdccc96ac446dd15379b0828463093fe4c40afc64.unknown
- Size
  
  6KB
- MD5
  
  26b251a59dc03f6ce1503678d0dddfd2
- SHA1
  
  cfa1814660079da10073d0e78d3277f83c40d3fc
- SHA256
  
  0269a17c1d15a00cda8161abdccc96ac446dd15379b0828463093fe4c40afc64
- SHA512
  
  d68634da8b45ca9457364ac6e67e79f6fa689e08ddc4fae443c08f8af563728fff25128bae6f49348ce2c4d4aab78727248bdace6e5f1e994d7f8dfba44808c0
- SSDEEP
  
  96:ur2TPTPXoPlhotyH9/qLr2TPTPXoPlhotyH9/qo:u6csYH9/qL6csYH9/qo
Score

10^/10

execution asyncrat default discovery rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

asyncratdefaultdiscoveryexecutionrat