asyncrat | 0a05f8788ca28d5f4e2ad838a36f83107326d3021fc5bc9824fe2c47dfd07712 | Triage

Sharing

General

Target

2c701b9904603479c8e01a692383e396_JaffaCakes118
Size

7.0MB
Sample

241009-g7flwssckb
MD5

2c701b9904603479c8e01a692383e396
SHA1

c9662c1ee3ed00ea0f70d12a6e5ecfa50d1d9c77
SHA256

0a05f8788ca28d5f4e2ad838a36f83107326d3021fc5bc9824fe2c47dfd07712
SHA512

60e2e350e44c5676f283842d2af354b55b559c46eb3e1c8236c2abf87654845f7a6727da1aea824395b0d102a643790fb9eed55f729085dfee595aab259cf650
SSDEEP

196608:WHPdZwCsXDjDyf4L2WliXYrHW1LzbpbWg:eP4CEDHL2ciIrHWRzbB

Score

10^/10

asyncrat njrat ase_2 discovery execution persistence pyinstaller rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

ASE_2

Mutex

AsyncMutex_6SI8OkPnk

Attributes

c2_url_file
https://aa.larinax999.repl.co
delay
3
install
true
install_file
MsMpEng.exe
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

v4.0

Botnet

ASE_2

C2

103.91.207.190:4985

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Targets

- Target
  
  2c701b9904603479c8e01a692383e396_JaffaCakes118
- Size
  
  7.0MB
- MD5
  
  2c701b9904603479c8e01a692383e396
- SHA1
  
  c9662c1ee3ed00ea0f70d12a6e5ecfa50d1d9c77
- SHA256
  
  0a05f8788ca28d5f4e2ad838a36f83107326d3021fc5bc9824fe2c47dfd07712
- SHA512
  
  60e2e350e44c5676f283842d2af354b55b559c46eb3e1c8236c2abf87654845f7a6727da1aea824395b0d102a643790fb9eed55f729085dfee595aab259cf650
- SSDEEP
  
  196608:WHPdZwCsXDjDyf4L2WliXYrHW1LzbpbWg:eP4CEDHL2ciIrHWRzbB
Score

10^/10

asyncrat njrat ase_2 discovery persistence pyinstaller rat trojan execution
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

pyinstallerasyncratnjrat

behavioral1

asyncratnjratase_2discoverypersistencepyinstallerrattrojan

behavioral2

asyncratnjratase_2discoveryexecutionpersistencepyinstallerrattrojan