General

Target: GWAesWUtovxi.reg
Size: 89KB
Sample: 241107-1xq5esymaz
MD5: 323c88be877acaf1d30d09455764f565
SHA1: c0e83aa25be2983b57b769f45020aeec0d21dcca
SHA256: 92148c6f69a95bed4abcd9efb43b89f0bd7287b4f418583f0008771c72699386
SHA512: 559b4eab3c757adefc350b6e18c856576b7f6135e322362e8e2d109d86cf3e0bbcf845a78b13fd21d9b70eb774f211c7c5e360afaac1dc0793fdd3f88dce7a49
SSDEEP: 1536:kram9i90orQOvnklnTyFKEnZ4DE3wE+nM1akaATP93HOl7GrF6a/ktxooow+:kramI91nkBsfnw4TP9XOl7Pptuoow+
Static task: static1
Behavioral task: behavioral1 (sample GWAesWUtovxi.reg, resource win7-20240708-en)
Behavioral task: behavioral2 (sample GWAesWUtovxi.reg, resource win10v2004-20241007-en)
Malware Config

Extracted: asyncrat (AsyncRAT client configuration)
Version: 0.5.8
Group: Default
C2: 4.tcp.eu.ngrok.io:2024
C2: 4.tcp.eu.ngrok.io:13752
Mutex: RkZ0iMw0b8YJ
delay: 3 (seconds the client sleeps before starting)
install: false
install_folder: %AppData%

The Group and Mutex labels are not present in the extraction; they follow the field order of AsyncRAT's client configuration. Both C2 entries are ngrok TCP tunnel endpoints (the host number, region and port are assigned per tunnel), which is what the "Legitimate hosting services abused for malware hosting/C2" signature below refers to. install=false disables the client's own install routine, which is the code path that would copy the binary to install_folder and register it for autostart; the Run key observed in the behavioural tasks therefore comes from a stage that runs before the AsyncRAT client, not from this setting.
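Both C2 endpoints sit on ngrok's TCP tunnel service. ngrok assigns the tunnel number, region and port per tunnel and fronts them with shared IP space, so blocking resolved IPs is noisy and blocking the exact host:port catches only this build; matching the shape of the hostname catches the next one. The following Python is an added example, not part of the sandbox output: it classifies destinations from a connection log, tagging the report's two host:port pairs as known C2 and any other `<n>.tcp[.<region>].ngrok.io` destination as a tunnel to review. The log lines and internal IPs are constructed; only the two C2 pairs come from the extracted config.

```python
"""Flag connections to ngrok TCP tunnel endpoints in a connection log.

Added example for this report, not part of the sandbox output. The log
lines below are constructed; only the host:port pairs in REPORT_C2 come
from the extracted AsyncRAT config.
"""
import re

# Host:port pairs from the report's extracted config (the report's own IOCs).
REPORT_C2 = {("4.tcp.eu.ngrok.io", 2024), ("4.tcp.eu.ngrok.io", 13752)}

# ngrok TCP tunnel endpoints look like <n>.tcp.ngrok.io or <n>.tcp.<region>.ngrok.io.
# Number, region and port rotate per tunnel, so match the name shape, not a fixed host.
NGROK_TCP_RE = re.compile(r"^\d+\.tcp\.(?:[a-z]{2}\.)?ngrok\.io$", re.IGNORECASE)

# Constructed log: ts src_ip src_port dst_host dst_port proto (whitespace-separated).
SAMPLE_CONN_LOG = """\
1731000001.120 10.0.0.15 51022 4.tcp.eu.ngrok.io 13752 tcp
1731000002.500 10.0.0.15 51023 update.microsoft.com 443 tcp
1731000003.000 10.0.0.22 49880 0.tcp.ngrok.io 18077 tcp
1731000004.330 10.0.0.15 51024 4.tcp.eu.ngrok.io 2024 tcp
1731000005.010 10.0.0.31 40000 ngrok.com 443 tcp
1731000006.400 10.0.0.15 51025 tcp.ngrok.io.evil.example 2024 tcp
"""


def classify(host, port):
    """Return a verdict for one destination, or None if it is not of interest."""
    host = host.lower().rstrip(".")
    if (host, port) in REPORT_C2:
        return "known_asyncrat_c2"
    if NGROK_TCP_RE.match(host):
        # Anchored regex: ngrok.com itself and look-alike suffixes do not match.
        return "ngrok_tcp_tunnel"
    return None


def scan_conn_log(text):
    """Return one hit dict per flagged record, keeping the line number for pivoting."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed or truncated record
        ts, src, _sport, host, dport, _proto = parts[:6]
        try:
            port = int(dport)
        except ValueError:
            continue
        verdict = classify(host, port)
        if verdict:
            hits.append({"line": lineno, "ts": ts, "src": src,
                         "dst": f"{host}:{port}", "verdict": verdict})
    return hits


def sources_by_verdict(hits):
    """Group internal source IPs by verdict so a responder sees what to isolate first."""
    out = {}
    for h in hits:
        out.setdefault(h["verdict"], set()).add(h["src"])
    return out


if __name__ == "__main__":
    found = scan_conn_log(SAMPLE_CONN_LOG)
    for h in found:
        print(h)
    print(sources_by_verdict(found))
```

The `known_asyncrat_c2` verdict is the high-confidence alert; `ngrok_tcp_tunnel` is a hunting lead, since developers also use ngrok, and should be reviewed against an allow-list of hosts that are expected to tunnel.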
Targets

Target: GWAesWUtovxi.reg (89KB; hashes identical to the General section above)
- Asyncrat family
- Async RAT payload
- Blocklisted process makes network request
- System Binary Proxy Execution: Regsvcs/Regasm (abuses Regasm to proxy execution of malicious code)
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001), 1 hit
- Event Triggered Execution: Netsh Helper DLL (T1546.007), 1 hit
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001), 1 hit
- Event Triggered Execution: Netsh Helper DLL (T1546.007), 1 hit
Defense Evasion
- Modify Registry (T1112), 1 hit
- System Binary Proxy Execution: Regsvcs/Regasm (T1218.009), 1 hit

The count is the number of matching signatures per technique. The Run-key and Netsh-helper techniques appear under both Persistence and Privilege Escalation because ATT&CK lists T1547 and T1546 under both tactics.
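The sample is submitted as a .reg file, and three of the mapped techniques (Run keys, Netsh helper DLL, Modify Registry) are registry writes, with Regasm as the proxy binary. A first triage step for any registry export is to parse it and flag values under those locations or whose data invokes RegAsm/RegSvcs. The following Python is an added example, not part of this report or the sandbox's own logic; the .reg text embedded in it is constructed for illustration and is not the contents of GWAesWUtovxi.reg. The key paths and technique IDs are the standard ones.

```python
"""Triage a Windows .reg export for persistence and proxy-execution indicators.

Added example for this report, not part of the sandbox output. The .reg text
in SAMPLE_REG is constructed for illustration and is not the analysed sample.
"""
import re
from dataclasses import dataclass

# Registry locations behind the techniques in the report's ATT&CK mapping.
# Matched as key-path suffixes so both HKCU and HKLM hives are covered.
WATCHED_KEYS = {
    r"\Microsoft\Windows\CurrentVersion\Run": "T1547.001 Registry Run Keys",
    r"\Microsoft\Windows\CurrentVersion\RunOnce": "T1547.001 Registry Run Keys",
    r"\Microsoft\Netsh": "T1546.007 Netsh Helper DLL",
}
# Signed .NET utilities abused to proxy execution of an attacker DLL (T1218.009).
PROXY_BINARIES = ("regasm.exe", "regsvcs.exe")

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

# Constructed .reg content: one Run-key entry proxied through RegAsm, one Netsh
# helper registration, and a harmless key to show what is not flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; constructed sample, not the analysed file
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe\" \"C:\\Users\\Public\\payload.dll\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Netsh]
"helper"="C:\\Users\\Public\\helper.dll"

[-HKEY_CURRENT_USER\Software\Old]

[HKEY_CURRENT_USER\Software\Harmless]
"Theme"=dword:00000001
"Path"=hex(2):25,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,25,00,00,00
"Blob"=hex:01,02,03,\
  04,05
'''


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reason: str


def load_reg(path):
    """Read a .reg file: regedit writes UTF-16LE with a BOM, older REGEDIT4 files are ANSI."""
    with open(path, "rb") as fh:
        blob = fh.read()
    if blob.startswith(b"\xff\xfe"):
        return blob.decode("utf-16")
    return blob.decode("cp1252", errors="replace")


def parse_reg(text):
    """Yield (key, value_name, raw_data) for each value. Handles comments, the
    header, key deletions ([-HKEY...]) and backslash line continuation of hex data."""
    current_key = None
    pending = ""
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]  # value data continues on the next line
            continue
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = None if m.group(1) == "-" else m.group(2)
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(2)
            yield current_key, name, m.group(3)


def decode_data(raw):
    """Decode the common .reg value encodings to a printable string."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # un-escape \" and \\
    if raw.startswith("dword:"):
        return str(int(raw[6:], 16))
    m = re.match(r"^hex(?:\((\w+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le", "replace").rstrip("\x00").replace("\x00", " ")
        return data.hex()
    return raw


def triage_reg(text):
    """Return one Finding per (value, reason); a value can trip more than one rule."""
    findings = []
    for key, name, raw in parse_reg(text):
        data = decode_data(raw)
        for suffix, technique in WATCHED_KEYS.items():
            if key.lower().endswith(suffix.lower()):
                findings.append(Finding(key, name, data, technique))
        if any(b in data.lower() for b in PROXY_BINARIES):
            findings.append(Finding(key, name, data, "T1218.009 Regsvcs/Regasm proxy execution"))
    return findings


if __name__ == "__main__":
    for f in triage_reg(SAMPLE_REG):
        print(f"{f.reason}: [{f.key}] {f.name} = {f.data}")
```

Run `triage_reg(load_reg("GWAesWUtovxi.reg"))` against the real file to see which of the mapped registry writes it contains; a value that is both under a Run key and launches RegAsm is reported twice, once per technique, which mirrors how the ATT&CK table above counts it.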