asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

Rebel.7z
Size

8.1MB
Sample

241015-n9kf7atamb
MD5

4a8429dd823216bda95f67f85483a8d9
SHA1

77640784d85848c945820d37794839f346f138d2
SHA256

cef9230ad3111e4a233e61b49ac977d4d25849061a90b05c3e7d6f308022b4de
SHA512

1d4d41cee280c62657b17c2ddc11fc7ce6bab42204d94fe05eed263d139765c19dfd16f2fde4b4e5e8b925c39945c3208600a2bfad941e4723d3bfeb7c30b91a
SSDEEP

196608:15bVwZ4n4D4PLSFpJah2Hc4sEYcGijKseRAKvpZheSaE:155EAWpSt/DcFjqRAKvnhpd

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Rebel.7z
- Size
  
  8.1MB
- MD5
  
  4a8429dd823216bda95f67f85483a8d9
- SHA1
  
  77640784d85848c945820d37794839f346f138d2
- SHA256
  
  cef9230ad3111e4a233e61b49ac977d4d25849061a90b05c3e7d6f308022b4de
- SHA512
  
  1d4d41cee280c62657b17c2ddc11fc7ce6bab42204d94fe05eed263d139765c19dfd16f2fde4b4e5e8b925c39945c3208600a2bfad941e4723d3bfeb7c30b91a
- SSDEEP
  
  196608:15bVwZ4n4D4PLSFpJah2Hc4sEYcGijKseRAKvpZheSaE:155EAWpSt/DcFjqRAKvnhpd
Score

10^/10

asyncrat stormkitty default discovery rat spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Rebel/Bin/Injector.exe
- Size
  
  4.8MB
- MD5
  
  8da7ffaee1e5988d56e536d37a5e5d7d
- SHA1
  
  ed799e5ec866ec3dff0bffb306de4b1ab2ca2361
- SHA256
  
  7450c90fad1d9ed73652c7fee391adb41ee2c62d5d43f3bdcab945e3fdec5485
- SHA512
  
  34579bfbee7ec802322b12cc91276dc440d2df63d8e02b55ec303a19b4a198810a97157cf82739d0c30a509928d797142cee133aec994f0c8f5c58c5a6aebd16
- SSDEEP
  
  98304:2sscM3M0egRUUYdiVF0Zx5NMEuRdvwp1cpY1t83Szkkak0jIiGELfHNz:Vrf0egyUKiVF0rF+dmcQtQSzkkakuR7V
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  Rebel/Bin/Rebel.dll
- Size
  
  8.6MB
- MD5
  
  660d2429fc5f088bd197fb0958303936
- SHA1
  
  4189d1ba115f9e00caceb286f22655c6988e1eb6
- SHA256
  
  c9b95b9204234edfab46912d21953e3a6985a6b7d50c4fd63372e3d5361c7f3d
- SHA512
  
  9875fff045460f77dfc21cecd1de326d67778efd12fe8f53fc09bacfec807a9309752ed4bbb23653060fbee9152dd7c9a9bfda3a0c13c0375a1db932a02a197d
- SSDEEP
  
  98304:kz+S5QwKbQLCsjIpdUqsQf3/sfRMyxl5dn5Sz29f49EzFgfVp+t:WrS2LXjIpyDS3/0aWfmC
Score

1^/10
behavioral5 behavioral6
- Target
  
  Rebel/FastColoredTextBox.dll
- Size
  
  323KB
- MD5
  
  8610f4d3cdc6cc50022feddced9fdaeb
- SHA1
  
  4b60b87fd696b02d7fce38325c7adfc9e806f650
- SHA256
  
  ac926c92ccfc3789a5ae571cc4415eb1897d500a79604d8495241c19acdf01b9
- SHA512
  
  693d1af1f89470eab659b4747fe344836affa0af8485b0c0635e2519815e5a498f4618ea08db9dcf421aac1069a04616046207ee05b9ed66c0a1c4a8f0bddd09
- SSDEEP
  
  6144:0R0J4lx4/7BA4xvNdcwCOg04j0y5mwZkdmsqmLDi5eNH+Dl1SIP0:0R0J48lAovNd7CO34D4b4eNO
Score

1^/10
behavioral7 behavioral8
- Target
  
  Rebel/FastColoredTextBox.xml
- Size
  
  132KB
- MD5
  
  70d49dec6a333f1d94fb1e77c663525c
- SHA1
  
  184b544e672f4c4cb9ed9cf010da568eed16623d
- SHA256
  
  f3f2e537065317b6ce66dac64042e925bbcea65f00561f9860b7172c9ca07027
- SHA512
  
  b78a3c4418a7c5014eb16e72f2113f00353e9e566942f7160067c826c47f1ec2752ae7ede796fc159fb9bae499d347f822401fbc4446e2556cbd680cd595c2e2
- SSDEEP
  
  1536:45SVw7sekyF7o//t3zEzacGE5xa5lIV1/P5:45Sm7sekyxo//xzEz3GlM
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  Rebel/ReadMe.txt
- Size
  
  13B
- MD5
  
  1c6c20f0c324e98e38272f1245d24e11
- SHA1
  
  bbb5dc3a18a532529ec6fa88c86542288dd979f7
- SHA256
  
  4ca7414e2aba6d74826403afb6ccbcc1752297a1b61aced8808b75d80d212f2d
- SHA512
  
  a30aed5a54580ad73f16ad237f82e2dc99c99d9645d40d1fbdf88a7d6c10c238b6967c011ba46c6084d409e4a37b41983d600146f93cd9250a810b7d784d8246
Score

1^/10
behavioral11 behavioral12
- Target
  
  Rebel/RebelCracked.exe
- Size
  
  344KB
- MD5
  
  a84fd0fc75b9c761e9b7923a08da41c7
- SHA1
  
  2597048612041cd7a8c95002c73e9c2818bb2097
- SHA256
  
  9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006
- SHA512
  
  a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a
- SSDEEP
  
  6144:lOcpeK8lucxAtLNFHUVuI/2zj1z6jZ755NofmWx4PCQL23wBw7R0ljTwrVuAdJKp:QcpSnx0LNFDQ60Ntbo5d7gBw7R7rbdJk
Score

10^/10

asyncrat stormkitty default discovery persistence privilege_escalation rat spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  Rebel/System.CodeDom.dll
- Size
  
  30KB
- MD5
  
  59c830ac0d99f8c906292de85f804b84
- SHA1
  
  68b6740e6ce97de8b1398f3a6e320940a0e16458
- SHA256
  
  e8c88b0448083663910587efeacb6a1977749fe3ffe83b263fc01f7b63d7dfd2
- SHA512
  
  4028fa6b68eb3a48bb9625e6755c8e3022283694bb603905af3db54c31bc2f7291aec11f7c42a033703f84c3ff265a19416eb8798058cc42ee3c14c633e9588f
- SSDEEP
  
  384:FuE8ujCiLMTPji3h8241EEqYC0iIcwBxehzsCtZ7U6r1fDMqyt5/WduWTTb2HRNq:FDBCi4TWaveEqYChzZpgRoj/iP9zgBV
Score

1^/10
behavioral15 behavioral16
- Target
  
  Rebel/System.CodeDom.xml
- Size
  
  366KB
- MD5
  
  91af6294c77371e6773c35cfa7edd068
- SHA1
  
  0c24bfafb91ab69a3a7a4bfbd15a9c346341c487
- SHA256
  
  92287105a0987fc6ea2404e799da13f2d57b228a1fa3039a6d0cded00d4344c5
- SHA512
  
  bdfb5c13ee54b88d029bae6a65f932bcf27b1d71a5c373325b2e7484d21d49745c2f3983da85d50aeb6e31febbf0bfcb3cbe46415bae15877c20d54522b65904
- SSDEEP
  
  1536:l2e3vRrYxV4Tm0/Y/LFC9YmXVT2Y3mBhuzRKqn/gCOIFnffP6Ks5ATTglg2PLaAR:lK+c9
Score

3^/10

discovery
behavioral17 behavioral18