asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

RNSM00454.7z
Size

84.9MB
Sample

241012-vy7wnswgjq
MD5

391bfe45681ded9a5a7e7e6063727629
SHA1

120937367da31f9558cba1dfe7b8aea5b6575da2
SHA256

f3b6d60a35a32fdd5258c1e11edc9ce65df5e892a33481dcc6c726600b2110ee
SHA512

0516ccd2112ec0c160b05eeb4908be69de658d251d88eeab2b4cd753a65df5281c2e2d82ac849d17abff846081d599d6da862e4304467f536cb2133d67448da8
SSDEEP

1572864:LmS6K58FcJehSSkvcD//V3XqtTCkBHkiDLkyrk38ezJ6uT5r1ZP5T5zSGj/b3hI:qSbxJUtzpQe8oMk376uTV1ZxTwmbO

Malware Config

Extracted

Family

crimsonrat

173.249.21.206

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

ant-ec.duckdns.org:2054

Mutex

2c1ed4d1ae

Attributes

reg_key
2c1ed4d1ae
splitter
@!#&^%$

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

0.tcp.ap.ngrok.io:10906

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.6A

Botnet

null

185.19.85.183:55001

185.19.85.183:55029

Mutex

vklkueujfvqaumi

Attributes

delay
5
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

snakekeylogger

Credentials

Protocol: ftp
Host:
ftp://ftp.ecurs.ro/
Port:
21
Username:
[email protected]
Password:
dGZ5eznXv76y

Extracted

Family

nullmixer

http://motiwa.xyz/

Extracted

Path

C:\Users\Admin\Pictures\_README.txt

Ransom Note

== ATTENTION == ============================================================================================== ALL YOUR DATA HAVE BEEN ENCRYPTED YOUR PERSONAL DATA LIKE (DOCUMENTS, DATA BASE, JPG, JPEG, DOC, ETC) HAVE BEEN ENCRYPTED! CHANGING THE EXTENSION'S NAME IS RIDICULOUS THING TO RESTORE YOUR DATA! PERSONAL CODE: judkpMEZ3cWE2MWt2dWtMa0hISUh3QkdTcHFib1pxbk05NUhKYUF5V1BrY2lLYz0=x ENCTRYPTION : .corona ============================================================================================== *What should I do? don't do anything like changing the extension name, it will make your file can't go back to normal *how do i restore my data? You have to buy a software with a unique code for $200 to BITCOIN address: 1E6qZkzbGZHh9hWF4dQcTUdbmsYkvBYPrR *I have already made a payment, what should I do next? You must send your proof of payment along with your personal code to email: [email protected] we will send you the software along with a unique code to restore your data to normal WARNING: "DO NOT MODIFY ANY OF THE ENCRYPTED FILES OR TRY OTHERWISE TO DECRYPT THEM YOURSELF YOU RISK DAMAGING THE FILES AND YOU WILL LOOSE YOUR FILES FOREVER!!" Contact us: email: [email protected]

Emails

[email protected]

Wallets

1E6qZkzbGZHh9hWF4dQcTUdbmsYkvBYPrR

Extracted

Path

C:\Users\Admin\Pictures\_README.txt

Ransom Note

== ATTENTION == ============================================================================================== ALL YOUR DATA HAVE BEEN ENCRYPTED YOUR PERSONAL DATA LIKE (DOCUMENTS, DATA BASE, JPG, JPEG, DOC, ETC) HAVE BEEN ENCRYPTED! CHANGING THE EXTENSION'S NAME IS RIDICULOUS THING TO RESTORE YOUR DATA! PERSONAL CODE: gypfdMEZ3cWE2MWt2dWtMa0hISUh3QkdTcHFib1pxbk05NUhKYUF5V1BrY2lLYz0=x ENCTRYPTION : .corona ============================================================================================== *What should I do? don't do anything like changing the extension name, it will make your file can't go back to normal *how do i restore my data? You have to buy a software with a unique code for $200 to BITCOIN address: 1E6qZkzbGZHh9hWF4dQcTUdbmsYkvBYPrR *I have already made a payment, what should I do next? You must send your proof of payment along with your personal code to email: [email protected] we will send you the software along with a unique code to restore your data to normal WARNING: "DO NOT MODIFY ANY OF THE ENCRYPTED FILES OR TRY OTHERWISE TO DECRYPT THEM YOURSELF YOU RISK DAMAGING THE FILES AND YOU WILL LOOSE YOUR FILES FOREVER!!" Contact us: email: [email protected]

Emails

[email protected]

Wallets

1E6qZkzbGZHh9hWF4dQcTUdbmsYkvBYPrR

Targets

- Target
  
  RNSM00454.7z
- Size
  
  84.9MB
- MD5
  
  391bfe45681ded9a5a7e7e6063727629
- SHA1
  
  120937367da31f9558cba1dfe7b8aea5b6575da2
- SHA256
  
  f3b6d60a35a32fdd5258c1e11edc9ce65df5e892a33481dcc6c726600b2110ee
- SHA512
  
  0516ccd2112ec0c160b05eeb4908be69de658d251d88eeab2b4cd753a65df5281c2e2d82ac849d17abff846081d599d6da862e4304467f536cb2133d67448da8
- SSDEEP
  
  1572864:LmS6K58FcJehSSkvcD//V3XqtTCkBHkiDLkyrk38ezJ6uT5r1ZP5T5zSGj/b3hI:qSbxJUtzpQe8oMk376uTV1ZxTwmbO
Score

10^/10

asyncrat crimsonrat gandcrab mafiaware666 njrat nullmixer orcus snakekeylogger default null nyan cat agilenet aspackv2 backdoor discovery dropper evasion execution keylogger pyinstaller ransomware rat spyware stealer trojan upx vmprotect
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- CrimsonRAT main payload
- CrimsonRat
  Crimson RAT is a malware linked to a Pakistani-linked threat actor.
  rat crimsonrat
- Detect MafiaWare666 ransomware
- GandCrab payload
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- MafiaWare666 Ransomware
  MafiaWare666 is ransomware written in C# with multiple variants.
  ransomware mafiaware666
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Async RAT payload
  rat
- Core1 .NET packer
  Detects packer/loader used by .NET malware.
- Orcurs Rat Executable
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Modifies Windows Firewall
  evasion
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies file permissions
  discovery
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Uses Tor communications
  Malware can proxy its traffic through Tor for more anonymity.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1