asyncrat | ceb280af0cfd62587099b2401a9dbbdbc846ef32f378e5df36d43fb82f311823 | Triage

Submit
Reports

Overview

overview

Static

static

rylo.exe

windows10-1703-x64

rylo.exe

windows11-21h2-x64

Sharing

General

Target

rylo.exe
Size

63KB
Sample

241007-w93lrs1erj
MD5

aa7ac768a5e8b8f2a8735b5c67e2e6d2
SHA1

631350d0f71fe7bb6416ac6404431f9d0876e7c4
SHA256

ceb280af0cfd62587099b2401a9dbbdbc846ef32f378e5df36d43fb82f311823
SHA512

6e566829c379ebcbbc52c90d7bce91d7e4b377be561d74ffb483b225a088b3c9ab2944eca1f5f16a7b1f49651ec6e3073e65d0e1a02e24a26c3057f424464bf9
SSDEEP

768:/LvXPRKF4j7C78BIC8A+X+mazcBRL5JTk1+T4KSBGHmDbD/ph0oXgOeIlfSuodph:j/RKy7QxdSJYUbdh9gwIuodpqKmY7

Score

10^/10

asyncrat stealerium stormkitty default collection credential_access discovery execution persistence privilege_escalation ransomware rat spyware stealer

Static task

static1

rat default asyncrat

3 signatures

Behavioral task

behavioral1

Sample

rylo.exe

Resource

win10-20240404-en

asyncrat stealerium stormkitty default collection credential_access discovery execution persistence privilege_escalation ransomware rat spyware stealer

windows10-1703-x64

46 signatures

150 seconds

Behavioral task

behavioral2

Sample

rylo.exe

Resource

win11-20241007-en

asyncrat default credential_access discovery ransomware rat spyware stealer

windows11-21h2-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

asyncrat

Botnet

Default

Attributes

delay
1
install
true
install_file
pasharylo.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/V5yhZyAU

aes.plain

Extracted

Path

C:\Users\Admin\Desktop\README.txt

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure that we have a decryptor and it works, you can decrypt one file for free. But this file should be of not valuable! Attention do not try to decrypt the times, they may break and we will not be able to decrypt it. 1. Visit https://tox.chat/download.html 2. Download and install qTox on your PC. 3. Open it, click "New Profile" and create profile. 4. Click "Add friends" button and search our contact - test 5. In message please write your ID and wait your answer. Your ID is [81AA72A4FCFA4D1070D6] [[Encrypted Files]] C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat C:\Users\Admin\AppData\Local\Temp\oVcBLd9.png C:\Users\Admin\Desktop\README.txt

URLs

https://tox.chat/download.html

Targets

- Target
  
  rylo.exe
- Size
  
  63KB
- MD5
  
  aa7ac768a5e8b8f2a8735b5c67e2e6d2
- SHA1
  
  631350d0f71fe7bb6416ac6404431f9d0876e7c4
- SHA256
  
  ceb280af0cfd62587099b2401a9dbbdbc846ef32f378e5df36d43fb82f311823
- SHA512
  
  6e566829c379ebcbbc52c90d7bce91d7e4b377be561d74ffb483b225a088b3c9ab2944eca1f5f16a7b1f49651ec6e3073e65d0e1a02e24a26c3057f424464bf9
- SSDEEP
  
  768:/LvXPRKF4j7C78BIC8A+X+mazcBRL5JTk1+T4KSBGHmDbD/ph0oXgOeIlfSuodph:j/RKy7QxdSJYUbdh9gwIuodpqKmY7
Score

10^/10

asyncrat stealerium stormkitty default collection credential_access discovery execution persistence privilege_escalation ransomware rat spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Stealerium
  An open source info stealer written in C# first seen in May 2022.
  stealer stealerium
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Async RAT payload
  rat
- Renames multiple (2968) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Deletes itself
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Active Setup

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Windows Credential Manager

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Wi-Fi Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Defacement

Tasks

static1

ratdefaultasyncrat

behavioral1

asyncratstealeriumstormkittydefaultcollectioncredential_accessdiscoveryexecutionpersistenceprivilege_escalationransomwareratspywarestealer

behavioral2

asyncratdefaultcredential_accessdiscoveryransomwareratspywarestealer

© 2018-2024

Terms | Privacy