asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

DoomRatBuilder.zip
Size

13.0MB
Sample

241103-r19w9syrdr
MD5

3c276bca2ec2bd57e202054f656cf9f1
SHA1

286d6f2cfe420316d334dd6b3fe72ee722baad6f
SHA256

74cfc057cbfeb17b52c02abd1628a732f88509ae3bdcf43acd2621fc89e64bce
SHA512

1fafba85fcfe24433d0540c92fb3d8569b5fe70e9ef8d007bb0b34d793fe0cffe6b1b546fdbf46d0a085e3a7d2b91f3567128dff2494a24c1d895249d9d62d60
SSDEEP

393216:y2Ms95kubaxzRJ80LBRszNZ88u3RNu+xTmXleTi5:yhsPba5RDtRsRZ88ERPUXh

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
up-max.ru
Port:
21
Username:
vipgo118
Password:
GIWrYVC3

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

Extracted

Family

cobaltstrike

Botnet

http://39.106.152.236:11443/load

Attributes

access_type
512
beacon_type
2048
host
39.106.152.236,/load
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
11443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCx7NPIg4kgoGnsbOt1BZs0uWn63zH45yzOdUTDiX3mOdDzyAD8sDKDBl/oBmlk3v4bgM8NypUg467E3RvM5qLZhz9mY+lN79CLjAQCO/drohSZp8WyhooaC5pWDoCuMR/fgWgvNNuIdqfFHL+dlDmMM6yKd3w1QswKkbpNuZjV/wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENIN)
watermark
6

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

cybergate

Version

2.6

Botnet

habbo

the-diego.no-ip.org:200

the-diego.no-ip.org:81

the-diego.no-ip.org:82

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Extracted

Family

koiloader

http://195.54.160.202/gowan.php

Attributes

payload_url
https://www.luciaricciardi.com/wp-content/uploads/2018/12

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

127.0.0.1:8848

127.0.0.1:5555

127.0.0.1:4816

127.0.0.1:5432

127.0.0.1:46510

sb7fmp5.localto.net:4816:8848

sb7fmp5.localto.net:4816:5555

sb7fmp5.localto.net:4816:4816

sb7fmp5.localto.net:4816:5432

sb7fmp5.localto.net:4816:46510

computers-medications.gl.at.ply.gg:8848

computers-medications.gl.at.ply.gg:5555

computers-medications.gl.at.ply.gg:4816

computers-medications.gl.at.ply.gg:5432

computers-medications.gl.at.ply.gg:46510

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_file
chrome.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  DoomRatBuilder.zip
- Size
  
  13.0MB
- MD5
  
  3c276bca2ec2bd57e202054f656cf9f1
- SHA1
  
  286d6f2cfe420316d334dd6b3fe72ee722baad6f
- SHA256
  
  74cfc057cbfeb17b52c02abd1628a732f88509ae3bdcf43acd2621fc89e64bce
- SHA512
  
  1fafba85fcfe24433d0540c92fb3d8569b5fe70e9ef8d007bb0b34d793fe0cffe6b1b546fdbf46d0a085e3a7d2b91f3567128dff2494a24c1d895249d9d62d60
- SSDEEP
  
  393216:y2Ms95kubaxzRJ80LBRszNZ88u3RNu+xTmXleTi5:yhsPba5RDtRsRZ88ERPUXh
Score

10^/10

asyncrat berbew blackmoon blankgrabber cobaltstrike cybergate discord.gg/scamalerts koiloader mydoom ramnit sality xworm 6 default habbo anti vm apt group backdoor access banking trojan bootkit malware botnet controller clipper malware crypter data collection upx packer adware backdoor banker collection defense_evasion discord discovery evasion execution loader pyinstaller rat spyware stealer themida trojan upx worm
- 6bXW8llvSi
  SKIBIDI TOILET SKIBIDI TOILET SKIBIDI TOILET!!!!.
  adware anti vm apt group upx packer backdoor access banking trojan bootkit malware botnet controller clipper malware data collection crypter
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Berbew
  Berbew is a backdoor written in C++.
  backdoor berbew
- Berbew family
  berbew
- Blackmoon family
  blackmoon
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Blankgrabber family
  blankgrabber
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Cobaltstrike family
  cobaltstrike
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Cybergate family
  cybergate
- Detect Blackmoon payload
- Detect Xworm Payload
- Detect discord webhook
  This file contains a discord webhook.
  discord
- Detects MyDoom family
- Discord.gg/Scamalerts family
  discord.gg/scamalerts
- KoiLoader
  KoiLoader is a malware loader written in C++.
  loader koiloader
- Koiloader family
  koiloader
- MyDoom
  MyDoom is a Worm that is written in C++.
  worm mydoom
- Mydoom family
  mydoom
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- Ramnit family
  ramnit
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- Sality family
  sality
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- blankgrabber
  Blankgrabber is an infostealer written in Python and packaged with Pyinstaller.
  stealer blankgrabber
- Async RAT payload
  rat
- Detects KoiLoader payload
  loader
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Modifies Windows Firewall
  evasion
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1