asyncrat | 27b7242c6898f3122d53add479d1568240a6d8e26aa4b312820e6dd0a2581ee0 | Triage

Sharing

General

Target

74878666958ecc6556b360afb6aa0ac0.zip
Size

15KB
Sample

241031-yq2aps1nct
MD5

74878666958ecc6556b360afb6aa0ac0
SHA1

a9b40d2f241ad6830f0204457cc61ad874495f41
SHA256

27b7242c6898f3122d53add479d1568240a6d8e26aa4b312820e6dd0a2581ee0
SHA512

b52c65a8c069325a1a5f711fcc52b1fd027377c43c1d42cac03775747d44679d476dd96fdf7c6a223adf45e35537c1c035847f8f4af13fc210fae9ab90b0e793
SSDEEP

384:+tZN171jBinjWmM1vo5g9NvPy+5iKeohS6Q/OQ:+LNrjBijDgvb9NHxiKeohS6k

Score

10^/10

asyncrat default defense_evasion discovery execution rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/J6uRjZrv

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

trabajo25.duckdns.org:4000

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  LEER NOTIFICACION N-00474706 FISCALIA GENERAL DE LA NACION.vbs
- Size
  
  28.3MB
- MD5
  
  5f0d3141a31581c672a26ed55daf951e
- SHA1
  
  7aa56e653b5305c077a9c71e357c550dc79dd4f4
- SHA256
  
  d9ea362e4c21df8703a0904c36caf3d92969bda9566ae4d6885471e385aa8514
- SHA512
  
  a548f1224bd27ef4f89f0e35dc2053aa63351efce6e5547d1294a62b4e5b7716ee510785f606ed6cc6bbd92c71594644cfe22270fda0c0b6444b9ddd82186949
- SSDEEP
  
  768:P++++++++++++++++++e++++++++++++++++++J++++++++++++++++++e+++++Z:UZkcpv+bcoI
Score

10^/10

defense_evasion discovery execution asyncrat default rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecution

behavioral2

asyncratdefaultdefense_evasiondiscoveryexecutionrat