asyncrat

General

Target

RNSM00391.7z
Size

6.1MB
Sample

241101-22ykqsvle1
MD5

8f04796eea62aca1a7dc0e43262fc523
SHA1

9ca40256af4e4029f17724064afb1feed92f34b0
SHA256

e03df762bb062c44aa98d703fb59acf42d886e1b29e7ca0e0300a0f9280ed64a
SHA512

a8c35efa3e0f4fbd8369cb39c013a312d9cb153f2efbc04b3a789dbe874af0dc0a0427ef83c804a6a51f03e16aca8bbcc9fbced8c3273e05e5b2e8751ae8b8ec
SSDEEP

196608:RjmLAqn+1/rnxINzohV3TuAzCS+Ulb39yQH0D5Ac2:gcO+Z8zohV3iKnVIS0D5W

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

SEPT G11

C2

chongmei33.publicvm.com:49746

chongmei33.publicvm.com:2703

185.165.153.116:49746

185.165.153.116:2703

54.37.36.116:49746

54.37.36.116:2703

185.244.30.92:49746

185.244.30.92:2703

dongreg202020.duckdns.org:49746

dongreg202020.duckdns.org:2703

178.33.222.241:49746

178.33.222.241:2703

rahim321.duckdns.org:49746

rahim321.duckdns.org:2703

79.134.225.92:49746

79.134.225.92:2703

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  RNSM00391.7z
- Size
  
  6.1MB
- MD5
  
  8f04796eea62aca1a7dc0e43262fc523
- SHA1
  
  9ca40256af4e4029f17724064afb1feed92f34b0
- SHA256
  
  e03df762bb062c44aa98d703fb59acf42d886e1b29e7ca0e0300a0f9280ed64a
- SHA512
  
  a8c35efa3e0f4fbd8369cb39c013a312d9cb153f2efbc04b3a789dbe874af0dc0a0427ef83c804a6a51f03e16aca8bbcc9fbced8c3273e05e5b2e8751ae8b8ec
- SSDEEP
  
  196608:RjmLAqn+1/rnxINzohV3TuAzCS+Ulb39yQH0D5Ac2:gcO+Z8zohV3iKnVIS0D5W
Score

10^/10

asyncrat gandcrab hiverat warzonerat sept g11 backdoor collection credential_access discovery infostealer persistence ransomware rat spyware stealer upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- GandCrab payload
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Gandcrab family
  gandcrab
- HiveRAT
  HiveRAT is an improved version of FirebirdRAT with various capabilities.
  rat stealer hiverat
- Hiverat family
  hiverat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzonerat family
  warzonerat
- HiveRAT payload
- Renames multiple (3798) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1