asyncrat

Resubmissions

28-10-2024 00:19

241028-al8bfswbrc 3

27-10-2024 06:22

241027-g46znsslhr 1

26-10-2024 10:54

241026-mzm9natclb 3

25-10-2024 21:14

241025-z3q6yavdmb 10

Sharing

Copy URL

Twitter E-mail

General

Target

RNSM00436.7z
Size

70.2MB
Sample

241025-z3q6yavdmb
MD5

5203ef0108208cd0f82278c15b5ef62d
SHA1

caf7e1b519073e78d82ab479cef4eda3dfb2081e
SHA256

54efded0c82f76a168ee6aa0fbf96f54693eb1d1c1b12c6a733ceb24d40c497e
SHA512

83f416c07c49f587d7a57dbefe3a65a7169e022085c6938c93a8ab0c53b00cb54c22a404156aa8d93b7173a79039f6d59a9cf6adc16cec65d4d1a92827d805fa
SSDEEP

1572864:LYLhPSFGAnRCNq06snfEMDuuqTXzUiaYlOiqn3TdvGcICnYP:sLlSFbnUfxKuqbQiaYlT+3pvf5y

Malware Config

Extracted

Family

crimsonrat

151.106.14.125

212.200.120.154

Extracted

Family

njrat

Version

0.7d

Botnet

H-Face

aqq.linkpc.net:999

Mutex

b707d48a130b129126b45cd0625853bc

Attributes

reg_key
b707d48a130b129126b45cd0625853bc
splitter
|'|'|

Extracted

Family

danabot

Version

1827

Botnet

184.95.51.183:443

184.95.51.175:443

192.210.198.12:443

184.95.51.180:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52
type
main

rsa_pubkey.plain

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Extracted

Path

C:\ProgramData\regid.1991-06.com.microsoft\305E39-Readme.txt

Ransom Note

Hi! Your files are encrypted. All files for this computer has extension: .305e39 Your filenames can be changed too, except extensions for free decrypt. -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. -- For us this is just business and to prove to you our seriousness, we will decrypt you few files for free. Just open our website, upload the encrypted files and get the decrypted files for free. Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us, you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement. We have seen it before; cases with multi million costs in fines and lawsuits, not to mention the company reputation and losing clients trust and the medias calling non-stop for answers. Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public. -- *** IF YOU ARE AN EMPLOYER OF A COMPANY THEN YOU SHOULD KNOW THAT SPREADING SENSITIVE INFORMATION ABOUT YOUR COMPANY BEING COMPROMISED IS A VIOLATION OF CONFIDENTIALITY. YOUR COMPANY'S REPUTATION WILL SUFFER AND SANCTIONS WILL BE TAKEN AGAINST YOU. -- WE HIGHLY SUGGEST THAT YOU DON'T CONTACT THE AUTHORITIES REGARDING THIS INCIDENT BECAUSE IF YOU DO, THEN AUTHORITIES WILL MAKE THIS PUBLIC WHICH COMES WITH A COST FOR YOUR ENTERPRISE. THE RECOVERY PROCESS OF YOUR FILES WILL BE FASTER IF YOU COME AND CHAT WITH US EARLY. IF YOU CHOOSE TO COOPERATE, YOU WILL SEE THAT WE ARE PROFESSIONALS WHO GIVES GOOD SUPPORT. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_305e39: YpFSk5HyQh2OJSEQ/e+lA9ccKgWtgDDEE7dNfb3HYfcngBV9jb BXt84fuQ7m/mzP9+XUjRqkhkRVlz+Q0aBpDQH4WPAfYmZet/DL dL05XjBIFPm/vy9fZYriKfjR/uACmriHqyfRZJdhUTuDEZMZjV QXPs1vZluQb3kimL778/cjH42uCgIs25xCvBLipV6DIGa/c1Of CjrkhYTe/TpuuMLiNofZ9oBBZvlwD7yOTj+2PsDco8TXOtnunr C+crRpHvcL12xLA8QwbeioY2uUa9NqUbDpSlz+YQ==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

revros.ddns.net:6606

revros.ddns.net:7707

revros.ddns.net:8808

Mutex

Microsoft_Azure

Attributes

delay
3
install
true
install_file
Update.exe
install_folder
%Temp%

aes.plain

Extracted

Path

C:\Users\Admin\Desktop\00436\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Path

C:\Recovery\s4keqdh4fb-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension s4keqdh4fb. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6E35E64715104E13 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/6E35E64715104E13 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: EaFk/8wugZaWXio8loVuT9upAtpXHPhXQVmnCynH/hv7SYIGY3D4OHDJ3D7fMLFe fhZv7H87c85MEJz2wc/kAuMXcZShbvHpd0Vp/VEMTk8OBDxccftEVQ0qeogmMmP0 kT4rem5cadQn2vNTS15QOGdkmErzXIsmXhLjDhlZqFiU4IEEXhLZfzhFCV68LHsl u7mnkWndhgYRZZSH1KjmAnjQBydc8b7fZbGi+SSWLMjGF2MhADS93fK7LSfCT6Vm h15d+xw7strCSxwAsHps01NuIkpQL0MNy6PC2HO2TBsLriiIvVeVNkgFxa+BQkR9 jgpsFthIuEIKiaJhAo9o1qZNJvhVxSH0utxqiQmuktp+Ub6tmJxkCZW2aYFjVgWp 5ZhCvneLIlNrTCcD5XI8u2yDKZQbxVVT6yDS11bZRJuVovlZ+wsL8bT+kPoi0Uqz eYqNn453gRa0bBrGO2ixJZ2MtxoMn1Dy9dU4V5KOTzSJud8Bch0rhppkvvJyMXup Cw34FND+haS/4hx8ui3kYkhjVsM8VaIn5ks5/tbYu1Z7UpJ1QMltkXRKUNF2W/nH 69WgwTMnMjhIdgCod50HdreivCKMai8Wswhpdpj1Bs6iJUYEuDEf3Ga+dkgGKkrM OGiAl8IQaSwE8/QvnI1CeEM1OYdeichcgx7boh9gYnyW8D7EEqxMwxhqbvp47yJs HFNt2xVPUT8/I4cBr5f1+TZgFr+DpwCyrEoVQrxhBHcTyjd97x86FjJ+t1RSafnk jqMtqL04ecFxTr+s+NV8Jxp5QvB4PEh9Un9S5OHW5N7PvykbbJJnklbnOttLhLYQ aSFehUHmdnsWHoP+5yIbCWE15Dh6Jr240khc579iBEczJjHKX4lfDz1uabzl1P6e po8LiB+5TxGs0Wq+aTB9Px0q2TKFtkcOp3j3sSirMBtMS/I+F7ztfvJNwfL9vDov yxwX11VJzxUDRM17jD1BnY/emaN3uDmx/vd9caWd5EfEsLQkeywrFpIZEbBvlfpq 8HvKTOvfTzwQWyt7khPDTfSdrcknaVhhILpOA6MfwH2nLgU9NkyiuyZrffixv2wj RLWq78t7ytoF8aK5kxglgU3YPQyPwjzGz16+eG2qCgBlo4XLfehBdRZlm+jH2kdn dvr0z1FZwOLsVGmJZH5QdoVzc6v0wBJULlr6jJqk9qyh6dfs9zCSBlAYt/Ie8SdC YPcBox4yGyiK+wxgd7QPjd6h5OyBYloWGiw0xSqk5UWXPNxgeOF7y3VW6MsN4Wx/ 4+XWdOy5Bj4Q3mNlZPYtVhKsy8GW65q0ZeCyfMcopiqElt5Q38HSMb10m7Qy13yq AI35KnrqMlGGC3vhMnUrX71xUvoou7a85cc+oBb4b36g4r8h ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6E35E64715104E13

http://decoder.re/6E35E64715104E13

Extracted

Path

C:\Users\Admin\README.1d46f1f8.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT When you open our website, put the following data in the input form: Key: 0kZdK3HQhsAkUtvRl41QkOdpJvzcWnCrBjjgg5U4zfuWeTnZR5Ssjd3QLHpmbjxjo7uWzKbt8qPVuYN38TsDPI3bemd5I40ksemIzuI5OhIHZsi9cn3Wpd7OUT72FP9MyAUzR586yMsI2Ygri9in0Bf4EkG0pmBOLyRG1T788foGJQW1WxS1Qd2sMVvX0jKlbGG1zLp7g0u6buDCzSMyTjWjuVzJYufBBv7S2XvciEVvboiTNbZA4UUU6PttKERQSb018aILd6xO3ulk6fbEgZDO5tZSGn2zRevn5YXnHtg6vt1ToLe3izQOgYbs8Ja1fkfJBUYVux1ITyWBjpn0xPayKfwln8SqgMkbqiDyxEDEtFhqiffLcONMhi4TmW50loZIC6mWSaOjThWp6XSJUWPtY8Mkzs8Cs0qjPahx58iAEVIRGUVpLkMs7xPN7ydZ6wMWaOcRC1AD1JEUVTjLikXXyckgYaS6FnEv0UNEsv6QbTLSpDomIg3rEYZBib6ozrwH5n0M5wrKo8NciUBmfJWDP4XKkjznpsa05rEpuAklM0dMmZsYGVR !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT

Extracted

Family

latentbot

foxmyfox132.zapto.org

Targets

- Target
  
  RNSM00436.7z
- Size
  
  70.2MB
- MD5
  
  5203ef0108208cd0f82278c15b5ef62d
- SHA1
  
  caf7e1b519073e78d82ab479cef4eda3dfb2081e
- SHA256
  
  54efded0c82f76a168ee6aa0fbf96f54693eb1d1c1b12c6a733ceb24d40c497e
- SHA512
  
  83f416c07c49f587d7a57dbefe3a65a7169e022085c6938c93a8ab0c53b00cb54c22a404156aa8d93b7173a79039f6d59a9cf6adc16cec65d4d1a92827d805fa
- SSDEEP
  
  1572864:LYLhPSFGAnRCNq06snfEMDuuqTXzUiaYlOiqn3TdvGcICnYP:sLlSFbnUfxKuqbQiaYlT+3pvf5y
Score

10^/10

asyncrat crimsonrat danabot darkside gandcrab latentbot mafiaware666 njrat sodinokibi urelas vanillarat wannacry 3 default h-face backdoor banker defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware rat spyware stealer trojan upx vmprotect worm
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- CrimsonRAT main payload
- CrimsonRat
  Crimson RAT is a malware linked to a Pakistani-linked threat actor.
  rat crimsonrat
- Crimsonrat family
  crimsonrat
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Danabot family
  danabot
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
  ransomware darkside
- Darkside family
  darkside
- Detect MafiaWare666 ransomware
- Disables service(s)
  evasion execution
- GandCrab payload
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Gandcrab family
  gandcrab
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Latentbot family
  latentbot
- MafiaWare666 Ransomware
  MafiaWare666 is ransomware written in C# with multiple variants.
  ransomware mafiaware666
- Mafiaware666 family
  mafiaware666
- Modifies firewall policy service
  evasion
- Njrat family
  njrat
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Sodinokibi family
  sodinokibi
- Urelas
  Urelas is a trojan targeting card games.
  trojan urelas
- Urelas family
  urelas
- VanillaRat
  VanillaRat is an advanced remote administration tool coded in C#.
  rat vanillarat
- Vanillarat family
  vanillarat
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Wannacry family
  wannacry
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (153) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Vanilla Rat payload
  rat
- Blocklisted process makes network request
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1