Resubmissions

  • 13-10-2024 18:13   241013-wt8svavdqp   1
  • 11-10-2024 11:24   241011-nhwedavcnq   10

General

  • Target: RNSM00459.7z
  • Size: 126.6MB
  • Sample: 241011-nhwedavcnq
  • MD5: d32547cac8d53badfce92595bf5429ab
  • SHA1: b49d003b7ca12891896c12c9af5a9234ab4e25c5
  • SHA256: ec65f2773a40d9d8b1551818e7d41044ad8fae1b6a7cc4861ff9d541d27c2c68
  • SHA512: 4bd12da84599e7d26103a2994df7d5d12b6855e66bba97832da59d7a04e8320c6687c07071437a4d6b25877be4a3a075b2a5dc8eeb59e3578889850d38cc2767
  • SSDEEP: 3145728:+ri4HHjY3N/F8fWqd8N2zdoetwXT0NUWNrZ67R2JWm5t:qi4clF8fACtwXoNUe6l2J7t
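Before opening the archive, confirm that the file on disk is the object this report describes. The script below is an added example, not part of the report or of the sandbox's tooling: it streams the file once through all four digests listed above and returns the ones that disagree. The self_check function uses constructed bytes (not the sample) to show both outcomes. SSDEEP is not in the Python standard library and is left out; compare that value with the ssdeep tool if needed.

```python
import hashlib
import os
import tempfile

# Digests of RNSM00459.7z exactly as listed in the General section.
REPORTED = {
    "md5": "d32547cac8d53badfce92595bf5429ab",
    "sha1": "b49d003b7ca12891896c12c9af5a9234ab4e25c5",
    "sha256": "ec65f2773a40d9d8b1551818e7d41044ad8fae1b6a7cc4861ff9d541d27c2c68",
    "sha512": "4bd12da84599e7d26103a2994df7d5d12b6855e66bba97832da59d7a04e8320c6687c07071437a4d6b25877be4a3a075b2a5dc8eeb59e3578889850d38cc2767",
}


def digest_bytes(data):
    """All four digests of an in-memory byte string."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in REPORTED}


def digest_file(path, chunk_size=1 << 20):
    """One streaming pass updates all four hashes; the archive is 126.6 MB,
    so it is never read into memory, and never read four times."""
    hashes = {algo: hashlib.new(algo) for algo in REPORTED}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashes.items()}


def verify(path, expected=REPORTED):
    """Return {algo: (expected, actual)} for every digest that disagrees.
    An empty dict means the file is the one the report describes."""
    actual = digest_file(path)
    return {algo: (exp, actual[algo])
            for algo, exp in expected.items()
            if actual[algo] != exp.lower()}


def self_check():
    """Constructed input, not the sample: write known bytes to a temporary
    file and confirm they are rejected against REPORTED (4 mismatches) but
    accepted against their own digests (no mismatches)."""
    data = b"constructed bytes, not RNSM00459.7z\n" * 4096
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return len(verify(path)), verify(path, digest_bytes(data))
    finally:
        os.remove(path)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        bad = verify(sys.argv[1])
        print("matches report" if not bad else bad)
    else:
        print(self_check())
```

Run it as `python verify.py RNSM00459.7z`; a non-empty result means you are looking at a different object (a re-packed archive, a truncated download) and the report's findings do not apply to it.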

Malware Config

Note: e-mail addresses in the ransom notes were obfuscated on the source page and survive only as "[email protected]"; they are not recoverable from this report. Note text is otherwise reproduced verbatim, spelling included, with the original line breaks restored.

Extracted: ransom note

Path: C:\Program Files\Crashpad\reports\HOW TO RESTORE YOUR FILES.TXT

Ransom Note:
Dear Management of BRON TAPES!
We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 1250 GB of your and your customers data, including:
Confidentional documents
Copy of some mailboxes
Accounting
SQL Servers Databases
Databases backups
Marketing data
We understand that if this information gets to your clients or to media directly, it will cause reputational and financial damage to your business, which we wouldn't want, therefore, for our part, we guarantee that information about what happened will not get into the media (but we cannot guarantee this if you decide to turn to third-party companies for help or ignore this message).
Important!
Do not try to decrypt the files yourself or using third-party utilities. The only program that can decrypt them is our decryptor, which you can request from the contacts below. Any other program will only damage files in such a way that it will be impossible to restore them.
You can get all the necessary evidence, discuss with us possible solutions to this problem and request a decryptor by using the contacts below.
Please be advised that if we don't receive a response from you within 3 days, we reserve the right to publish files to the public.
Contact me: [email protected]
Additional ways to communicate in tox chat https://tox.chat/
contact our tox id: 7229828E766B9058D329B2B4BC0EDDD11612CBCCFA4811532CABC76ACF703074E0D1501F8418

URLs: https://tox.chat/

Extracted: redline

Family: redline
Botnet: PUB
C2: 185.215.113.45:41009

Extracted: djvu

Family: djvu
C2: http://astdg.top/fhsgtsspen6/get.php
Attributes:
  • extension: .nooa
  • offline_id: PLtnD1U6oAmgxgJ2nJik1mY9SwUQg07CiN0zSet1
    (the trailing "t1" is the STOP/Djvu marker for an offline key, used when the C2 cannot be reached; offline keys are shared by every victim of the same variant, so files encrypted with one are the case that third-party decryptors can sometimes recover, unlike online-key encryptions)
  • payload_url: http://securebiz.org/dl/build2.exe
                 http://astdg.top/files/1/build3.exe
  • ransomnote:
    ATTENTION!
    Don't worry, you can return all your files!
    All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
    The only method of recovering files is to purchase decrypt tool and unique key for you.
    This software will decrypt all your encrypted files.
    What guarantees you have?
    You can send one of your encrypted file from your PC and we decrypt it for free.
    But we can decrypt only 1 file for free. File must not contain valuable information.
    You can get and look video overview decrypt tool:
    https://we.tl/t-CnI3tI6Ktv
    Price of private key and decrypt software is $980.
    Discount 50% available if you contact us first 72 hours, that's price for you is $490.
    Please note that you'll never restore your data without payment.
    Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
    To get this software you need write on our e-mail:
    [email protected]
    Reserve e-mail address to contact us:
    [email protected]
    Your personal ID:
    0322gDrgo
  • rsa_pubkey.plain: value not reproduced on the source page

Extracted: asyncrat

Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 66.154.122.230:1337
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
  • delay: 3
  • install: true
  • install_file: Windows Logon.exe
  • install_folder: %AppData%
  • aes.plain: value not reproduced on the source page

Extracted: asyncrat

Family: asyncrat
Version: 0.5.7B
Botnet: MeowPC
C2: 74.81.52.179:2610
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
  • delay: 3
  • install: true
  • install_file: svchost.exe
  • install_folder: %AppData%
  • aes.plain: value not reproduced on the source page

Both AsyncRAT builds carry the same mutex, AsyncMutex_6SI8OkPnk, which is the default value in the AsyncRAT builder; it identifies the family, not a particular operator. %AppData% resolves to C:\Users\<user>\AppData\Roaming, so the persisted copies are expected at ...\AppData\Roaming\Windows Logon.exe and ...\AppData\Roaming\svchost.exe, the latter borrowing the name of the legitimate C:\Windows\System32\svchost.exe.

Extracted: njrat

Family: njrat
Version: im523
Botnet: 4
C2: rlawlsl154.codns.com:443 (a codns.com dynamic-DNS name, so the resolved address can change between checks)
Mutex: a695e871b7f2f081334e678e67df6a28
Attributes:
  • reg_key: a695e871b7f2f081334e678e67df6a28
  • splitter: |'|'|

Extracted: ransom note

Path: C:\Program Files\Common Files\DESIGNER\!! READ ME !!.txt

Ransom Note:
Good day. All your files are encrypted. For decryption contact us.
Write here [email protected]
reserve [email protected]
jabber [email protected]
We also inform that your databases, ftp server and file server were downloaded by us to our servers.
If we do not receive a message from you within three days, we regard this as a refusal to negotiate.
Check our platform: http://cuba4mp6ximo2zlo.onion/
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Do not stop process of encryption, because partial encryption cannot be decrypted.

URLs: http://cuba4mp6ximo2zlo.onion/
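The configs above yield host and network indicators that can be checked against endpoint telemetry. The following is an added example, not code from the report or the sandbox: it matches the C2 sockets, domains, mutexes, install paths, ransom-note file names and the .nooa extension from the extracted configs against normalized telemetry records. The record schema (type, proc, dst, port, host, query, name, path) and the records themselves are constructed for the example; the tiered confidence (exact ip:port versus IP only) is a design choice, since RAT operators change ports more readily than hosts.

```python
import re

# Indicators copied from the extracted configs and ransom notes above.
C2_SOCKETS = {                        # exact ip:port, high confidence
    "185.215.113.45:41009": "redline (botnet PUB)",
    "66.154.122.230:1337": "asyncrat 0.5.7B (botnet Default)",
    "74.81.52.179:2610": "asyncrat 0.5.7B (botnet MeowPC)",
}
C2_IPS = {s.split(":")[0]: label for s, label in C2_SOCKETS.items()}  # any port, medium
DOMAINS = {                           # matched exactly or as a subdomain
    "rlawlsl154.codns.com": "njrat im523 C2",
    "astdg.top": "djvu C2 and payload host",
    "securebiz.org": "djvu payload host",
    "cuba4mp6ximo2zlo.onion": "leak site from the '!! READ ME !!.txt' note",
}
MUTEXES = {
    "AsyncMutex_6SI8OkPnk": "asyncrat mutex (both configs)",
    "a695e871b7f2f081334e678e67df6a28": "njrat mutex / reg_key",
}
# %AppData% is C:\Users\<user>\AppData\Roaming, so match on that suffix.
FILE_SUFFIXES = {
    r"\appdata\roaming\windows logon.exe": "asyncrat install_file (Default)",
    r"\appdata\roaming\svchost.exe": "asyncrat install_file (MeowPC)",
    r"\how to restore your files.txt": "ransom note (Crashpad\\reports)",
    r"\!! read me !!.txt": "ransom note (Common Files\\DESIGNER)",
}
ENCRYPTED_EXT = ".nooa"               # djvu 'extension' attribute


def domain_hit(name):
    """Exact or subdomain match, tolerant of a trailing dot and mixed case."""
    name = name.lower().rstrip(".")
    for dom, label in DOMAINS.items():
        if name == dom or name.endswith("." + dom):
            return (dom, label)
    return None


def match_record(rec):
    """Return [(indicator, label, confidence)] for one normalized record."""
    hits = []
    kind = rec["type"]
    if kind == "net":
        sock = f"{rec['dst']}:{rec['port']}"
        if sock in C2_SOCKETS:
            hits.append((sock, C2_SOCKETS[sock], "high"))
        elif rec["dst"] in C2_IPS:                # same host, different port
            hits.append((rec["dst"], C2_IPS[rec["dst"]], "medium"))
        if rec.get("host") and (d := domain_hit(rec["host"])):
            hits.append((*d, "high"))
    elif kind == "dns":
        if d := domain_hit(rec["query"]):
            hits.append((*d, "high"))
    elif kind == "mutex":
        if rec["name"] in MUTEXES:
            hits.append((rec["name"], MUTEXES[rec["name"]], "high"))
    elif kind == "file":
        path = rec["path"].lower()
        for suffix, label in FILE_SUFFIXES.items():
            if path.endswith(suffix):
                hits.append((suffix, label, "high"))
        if path.endswith(ENCRYPTED_EXT):          # renamed/encrypted victim file
            hits.append((ENCRYPTED_EXT, "djvu encrypted-file extension", "medium"))
    return hits


def scan(records):
    """Flatten to (record index, process, indicator, label, confidence)."""
    return [(i, rec.get("proc", "?"), *h)
            for i, rec in enumerate(records) for h in match_record(rec)]


# Constructed telemetry, not from the report; 192.0.2.0/24 is documentation space.
SAMPLE_RECORDS = [
    {"type": "net", "proc": "Windows Logon.exe", "dst": "66.154.122.230", "port": 1337},
    {"type": "net", "proc": "svchost.exe", "dst": "74.81.52.179", "port": 8080},
    {"type": "dns", "proc": "svchost.exe", "query": "rlawlsl154.codns.com"},
    {"type": "net", "proc": "build2.exe", "dst": "192.0.2.10", "port": 80, "host": "astdg.top"},
    {"type": "file", "proc": "build2.exe", "path": r"C:\Users\bob\Documents\q3-budget.xlsx.nooa"},
    {"type": "mutex", "proc": "Windows Logon.exe", "name": "AsyncMutex_6SI8OkPnk"},
    {"type": "file", "proc": "Windows Logon.exe", "path": r"C:\Users\bob\AppData\Roaming\Windows Logon.exe"},
    {"type": "net", "proc": "chrome.exe", "dst": "192.0.2.20", "port": 443, "host": "www.example.com"},
    {"type": "file", "proc": "explorer.exe", "path": r"C:\Users\bob\Desktop\notes.txt"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit)
```

Seven of the nine constructed records fire; the two benign ones do not. The mutex hit is only as specific as the mutex itself: because AsyncMutex_6SI8OkPnk is the builder default, treat it as a family-level indicator and pivot on the C2 socket or install path to tell the two builds apart.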

Targets

    • Target: RNSM00459.7z (126.6MB; digests as listed under General above)

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Detected Djvu ransomware

    • Detects the common Go function and variable names used by Snatch ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • ElysiumStealer

      ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    • ElysiumStealer Support DLL

    • Modifies Windows Defender Real-time Protection settings

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Raccoon Stealer V1 payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Snatch Ransomware

      Ransomware family generally distributed through RDP bruteforce attacks.

    • Turns off Windows Defender SpyNet reporting

    • Windows security bypass

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Uses the VBS compiler for execution

    • Windows security modification

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.
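Several of the signatures above (Defender real-time protection settings, SpyNet reporting, PowerShell-added exclusions, firewall changes, Run-key and startup-file persistence) correspond to well-known registry paths and command-line shapes. The rules below are an added example, not the sandbox's own detection logic, written against Sysmon-style events (IDs 1, 11 and 13 with Sysmon's field names). The events are constructed, and the exact values this sample wrote are not given on the page, so the keys and command lines are the standard locations for each technique rather than observations from the report.

```python
import re

# Sysmon event IDs: 1 = process create, 11 = file create, 13 = registry value set.
# A rule fires when the EventID matches and every (field, regex) condition
# re.search()es the event's field value. Checking the written value, not just
# the key, is what separates "turned protection off" from "turned it back on".
RULES = [
    ("defender_realtime_disabled", 13, [
        ("TargetObject", r"(?i)\\Windows Defender\\Real-Time Protection\\Disable(RealtimeMonitoring|BehaviorMonitoring|OnAccessProtection|IOAVProtection)$"),
        ("Details", r"0x00000001"),
    ]),
    ("defender_spynet_off", 13, [
        ("TargetObject", r"(?i)\\Windows Defender\\Spynet\\SpyNetReporting$"),
        ("Details", r"0x00000000"),
    ]),
    ("defender_samples_never_sent", 13, [
        ("TargetObject", r"(?i)\\Windows Defender\\Spynet\\SubmitSamplesConsent$"),
        ("Details", r"0x00000002"),
    ]),
    ("defender_exclusion_added", 1, [
        ("CommandLine", r"(?i)(Add|Set)-MpPreference\b.*-Exclusion(Path|Extension|Process)"),
    ]),
    ("defender_disabled_via_powershell", 1, [
        ("CommandLine", r"(?i)Set-MpPreference\b.*-(DisableRealtimeMonitoring|DisableBehaviorMonitoring|DisableIOAVProtection|MAPSReporting\s+(0|Disabled)|SubmitSamplesConsent\s+(2|NeverSend))"),
    ]),
    ("firewall_modified", 1, [
        ("CommandLine", r"(?i)netsh\s+advfirewall\s+(set\s+\w+\s+state\s+off|firewall\s+add\s+rule)"),
    ]),
    ("run_key_persistence", 13, [
        ("TargetObject", r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\"),
    ]),
    ("startup_folder_drop", 11, [
        ("TargetFilename", r"(?i)\\Start Menu\\Programs\\Startup\\"),
    ]),
]


def evaluate(events):
    """Return [(event index, rule name)] for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for name, event_id, conditions in RULES:
            if ev.get("EventID") != event_id:
                continue
            if all(re.search(rx, str(ev.get(field, ""))) for field, rx in conditions):
                hits.append((idx, name))
    return hits


# Constructed Sysmon-style events (not from the report); the paths reuse the
# AsyncRAT install names from the configs above as a plausible chain.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS,
     "CommandLine": r'powershell -nop -w hidden Add-MpPreference -ExclusionPath "C:\Users\bob\AppData\Roaming" -ExclusionExtension ".exe"'},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Logon",
     "Details": r"C:\Users\bob\AppData\Roaming\Windows Logon.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk"},
    # Benign look-alikes: real-time protection switched back ON (value 0) and a
    # read-only Defender query. Neither should fire.
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": PS, "CommandLine": "powershell Get-MpPreference"},
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Sysmon only records these registry writes if its configuration includes the Windows Defender and CurrentVersion\Run keys, so the rules are only as good as the collection config; the Defender keys under HKLM\SOFTWARE\Policies\... take precedence over the non-policy ones, which is why both locations are matched.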

MITRE ATT&CK Enterprise v15