General

  • Target

    cool-obf.bat

  • Size

    20KB

  • Sample

    241026-byfmmsvqgy

  • MD5

    99525fe4bc3b8826a79437472b315528

  • SHA1

    6f4c3291b57e996bac223dda1b7b1bcfea8d4528

  • SHA256

    e0912478bf932332e047a18ba0431920547bbd7310b2b87eab25b78e03889ef3

  • SHA512

    6dca8ca280024c06b37c42d0f92b5d3b8cb7479fd527e9c5fc81efac8cd22c6adc6ac5dd2e5fdb8aeebff2634ea010ce9497c20dbf58addd382597855ac81887

  • SSDEEP

    384:UmN+vVczZIkT0EFDuWLhGzAzjpyHGGwWW9l:PQvVc1jT0EFDuWLhGsfpyHzw79l

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://raw.githubusercontent.com/venkovisual/Loli-Mod/refs/heads/main/AsyncClient.exe

Extracted

Family

asyncrat

Version

AsyncRAT

Botnet

Default

C2

yyyson22.gleeze.com:4608

Mutex

dw

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      cool-obf.bat

    • Size

      20KB

    • MD5

      99525fe4bc3b8826a79437472b315528

    • SHA1

      6f4c3291b57e996bac223dda1b7b1bcfea8d4528

    • SHA256

      e0912478bf932332e047a18ba0431920547bbd7310b2b87eab25b78e03889ef3

    • SHA512

      6dca8ca280024c06b37c42d0f92b5d3b8cb7479fd527e9c5fc81efac8cd22c6adc6ac5dd2e5fdb8aeebff2634ea010ce9497c20dbf58addd382597855ac81887

    • SSDEEP

      384:UmN+vVczZIkT0EFDuWLhGzAzjpyHGGwWW9l:PQvVc1jT0EFDuWLhGsfpyHzw79l

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Async RAT payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks