asyncrat

General

Target

Fello_s_Revenge.exe
Size

18.4MB
Sample

241008-z8jdaaxgnk
MD5

f8e1d9b436b1d95231ae33b44c6f165c
SHA1

bd4a588b9bbcd346fd0e4818da382ca241104d17
SHA256

23a6dc4cce379f0d6a85e0b2b09e66d0d0f370e9d610a84aa1810aab605a3976
SHA512

963f3ca6370d36d54d9034000e33198e9cfa8d54f7c70cf67e0e9be246a30bbd2db5f927c9dbb5edfebab3e255ece6023d3a2ed72715d1842519a9d2ff45a7f6
SSDEEP

393216:XpkQrjxkZI7X/exB5l7qqd6DqhDzeozX5dpYeewDuBnkeKyN:Xrr1kTz7qqAGdzpdFynkeKyN

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:51848

otherwise-puzzle.gl.at.ply.gg:51848

Mutex

qsSOINsibBjw

Attributes

delay
3
install
true
install_file
dwn.exe
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/0GcVDftp

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7148398804:AAESLKl9fVODMrpM8H4Wkq1Zbm-83PcMLro/sendMessage?chat_id=2135869667

Targets

- Target
  
  Fello_s_Revenge.exe
- Size
  
  18.4MB
- MD5
  
  f8e1d9b436b1d95231ae33b44c6f165c
- SHA1
  
  bd4a588b9bbcd346fd0e4818da382ca241104d17
- SHA256
  
  23a6dc4cce379f0d6a85e0b2b09e66d0d0f370e9d610a84aa1810aab605a3976
- SHA512
  
  963f3ca6370d36d54d9034000e33198e9cfa8d54f7c70cf67e0e9be246a30bbd2db5f927c9dbb5edfebab3e255ece6023d3a2ed72715d1842519a9d2ff45a7f6
- SSDEEP
  
  393216:XpkQrjxkZI7X/exB5l7qqd6DqhDzeozX5dpYeewDuBnkeKyN:Xrr1kTz7qqAGdzpdFynkeKyN
Score

10^/10

asyncrat snakekeylogger xworm default bootkit cryptone defense_evasion discovery evasion execution keylogger packer persistence privilege_escalation rat stealer trojan upx
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Modifies firewall policy service
  evasion
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1