asyncrat | 98d8090944121b40e9b4d17b9d24f3fb5598dfbcd1c56a16440c1407b2f57392 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

2e66cb16e75f861a31f31dd404c8c5cf_JaffaCakes118
Size

991KB
Sample

241009-k14a6awfqg
MD5

2e66cb16e75f861a31f31dd404c8c5cf
SHA1

1e03a48da7f33c250f8a2aa867f101bf513e6ee1
SHA256

98d8090944121b40e9b4d17b9d24f3fb5598dfbcd1c56a16440c1407b2f57392
SHA512

e101cb6b4cac0bf660decdfc6633de670ca372b9049ceb37e21c7b1c2c6d0c7d8021b0b5a247d22b4e732235330d680047df182ba9d3e8dab709932f9e8d6128
SSDEEP

12288:Q0VLFvth+w7GodQpbelTc9skItUkItpzDkjD6I3StlQWHWwjvgx:Q0vv/Nv+kTc9HIsaKHW

Score

10^/10

asyncrat defense_evasion discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Mutex

Aakn1515knAakn1515kn!

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/uqaaCRiU

aes.plain

Targets

- Target
  
  2e66cb16e75f861a31f31dd404c8c5cf_JaffaCakes118
- Size
  
  991KB
- MD5
  
  2e66cb16e75f861a31f31dd404c8c5cf
- SHA1
  
  1e03a48da7f33c250f8a2aa867f101bf513e6ee1
- SHA256
  
  98d8090944121b40e9b4d17b9d24f3fb5598dfbcd1c56a16440c1407b2f57392
- SHA512
  
  e101cb6b4cac0bf660decdfc6633de670ca372b9049ceb37e21c7b1c2c6d0c7d8021b0b5a247d22b4e732235330d680047df182ba9d3e8dab709932f9e8d6128
- SSDEEP
  
  12288:Q0VLFvth+w7GodQpbelTc9skItUkItpzDkjD6I3StlQWHWwjvgx:Q0vv/Nv+kTc9HIsaKHW
Score

10^/10

asyncrat defense_evasion discovery persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Modifies WinLogon for persistence
  persistence
- System Binary Proxy Execution: Regsvcs/Regasm
  Abuse Regasm to proxy execution of malicious code.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

System Binary Proxy Execution

Regsvcs/Regasm

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratdefense_evasiondiscoverypersistencerat

behavioral2

asyncratdefense_evasiondiscoverypersistencerat