asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

RNSM00469.7z
Size

92.5MB
Sample

241002-wh6jcasgma
MD5

d9cde79253e9c9f505bfd4e8d1f38895
SHA1

1b164434c51378c9c5e991b9f5d15b4051b8eb74
SHA256

d6e60bdbc528eef42fe9cee8573182c082fbe9ebe171e02583c6ac17cd70654c
SHA512

74ba4b9434fe16c49b1b0db0cd7ce635f80e55d30a2508ee810f2749c25864b7469b2068597cacd80eab8adbcc9e401fb0881909d33b38592d210b4cf2c5e7c0
SSDEEP

1572864:np46tVvgzRf5DFNmjzgVwbDe7PV0ra03alwike+nIUJI7DRAxql/:npHn+R5hNm3W57CraLK7ZJI7mUB

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\DECRYPT-FILES.TXT

Ransom Note

Ooops! All your important files are encrypted! [+] What happend to my computer? [+] All your important files are encrypted. No one can help you to restore files without our special decryptor. Backups were either encrypted or deleted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is below) and attach 2-3 encrypted files. You will receive decrypted samples. To decrypt other files you have to pay $250. [+] How do i pay? [+] Payment is accepted in Bitcoin only. Please check the current price of Bitcoin and buy some Bitcoins. And send the correct amount to the address specified at the bottom. [+] How can i contact? [+] 1.Download Tor browser (https://www.torproject.org/) 2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/) 3.Write email to us ([email protected]) If you can't use tor in your country you can write to us on our temporary email address. [+] What if i already paid? [+] Send your Bitcoin wallet ID to e-mail provided above. Attention! 1.Do not modify encrypted files. 2.Do not try decrypt your data using third party software. 3.Do not turn off your computer. Our bitcoin address: bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe Our temporary e-mail address: [email protected]

Emails

[email protected]

URLs

http://mail2tor2zyjdctd.onion/

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Ransom Note

LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: 06086A327A199F1432F7EDC6B4EA63FC

URLs

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

https://bigblog.at

http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion

https://decoding.at

Extracted

Path

C:\ProgramData\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP. ---BEGIN ID--- 0Y2bUdHGJV86rTP8Tu27AgfN91oYLnc2GES6JjNUJY6Wy4r1DIzS2E7P7QpX2VVe ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Extracted

Family

njrat

Version

im523

Botnet

gandigod.ddns.net:5554

rlawlsl154.codns.com:443

Mutex

217aaa3e47058dda7bd3f2dce8cd4382

Attributes

reg_key
217aaa3e47058dda7bd3f2dce8cd4382
splitter
|'|'|

Extracted

Family

nanocore

Version

1.2.2.0

eset-antivirus.ydns.eu:5498

Mutex

754b0562-5f0b-4af6-9aab-54f90541ccf5

Attributes

activate_away_mode
true
backup_connection_host
eset-antivirus.ydns.eu
backup_dns_server
eset-antivirus.ydns.eu
buffer_size
65535
build_time
2021-06-18T06:38:45.233225836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5498
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
754b0562-5f0b-4af6-9aab-54f90541ccf5
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
eset-antivirus.ydns.eu
primary_dns_server
eset-antivirus.ydns.eu
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

GTA

selldrugs.duckdns.org:4782

Mutex

frdsadgdgdhdsadassa

Attributes

delay
3
install
false
install_file
System.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  RNSM00469.7z
- Size
  
  92.5MB
- MD5
  
  d9cde79253e9c9f505bfd4e8d1f38895
- SHA1
  
  1b164434c51378c9c5e991b9f5d15b4051b8eb74
- SHA256
  
  d6e60bdbc528eef42fe9cee8573182c082fbe9ebe171e02583c6ac17cd70654c
- SHA512
  
  74ba4b9434fe16c49b1b0db0cd7ce635f80e55d30a2508ee810f2749c25864b7469b2068597cacd80eab8adbcc9e401fb0881909d33b38592d210b4cf2c5e7c0
- SSDEEP
  
  1572864:np46tVvgzRf5DFNmjzgVwbDe7PV0ra03alwike+nIUJI7DRAxql/:npHn+R5hNm3W57CraLK7ZJI7mUB
Score

10^/10

asyncrat conti maze nanocore njrat gta tg agilenet defense_evasion discovery evasion execution exploit impact keylogger persistence pyinstaller ransomware rat spyware stealer themida trojan upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
  ransomware conti
- Maze
  Ransomware family also known as ChaCha.
  trojan ransomware maze
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Modifies Windows Firewall
  evasion
- Possible privilege escalation attempt
  exploit
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Uses Tor communications
  Malware can proxy its traffic through Tor for more anonymity.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1