asyncrat | 89d813e660f2438c15b502fe9cba3a61dd069a4f4fafded91feac3039731bdb4 | Triage

Sharing

General

Target

89d813e660f2438c15b502fe9cba3a61dd069a4f4fafded91feac3039731bdb4.exe
Size

513KB
Sample

241108-dvfjksvalq
MD5

8d8718cc95ecf6af196cc0c0eaac9ae2
SHA1

0c822251da19e4f9f5a0b555d85fcf8813034b32
SHA256

89d813e660f2438c15b502fe9cba3a61dd069a4f4fafded91feac3039731bdb4
SHA512

98a74f1db9a7334f05327d871e7aa4e3b264d2cc36709df6e625edb79dde1e49a355b439fa7b72e6a5714a9c2e5b8807aa94aa137fee36c78388bbeeb9445114
SSDEEP

12288:iE/ShrODzyPjurrSN/nGtZr0IMr3xYokt9mROPBMzt:d/2PAShG30X3um3B

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | RxR

Botnet

Default

C2

lastofdr51.mywire.org:6606

lastofdr51.mywire.org:7707

lastofdr51.mywire.org:8808

Nightmare15.strangled.net:6606

Nightmare15.strangled.net:7707

Nightmare15.strangled.net:8808

darkenssnight.ydns.eu:6606

darkenssnight.ydns.eu:7707

darkenssnight.ydns.eu:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
SystemUpdate.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  89d813e660f2438c15b502fe9cba3a61dd069a4f4fafded91feac3039731bdb4.exe
- Size
  
  513KB
- MD5
  
  8d8718cc95ecf6af196cc0c0eaac9ae2
- SHA1
  
  0c822251da19e4f9f5a0b555d85fcf8813034b32
- SHA256
  
  89d813e660f2438c15b502fe9cba3a61dd069a4f4fafded91feac3039731bdb4
- SHA512
  
  98a74f1db9a7334f05327d871e7aa4e3b264d2cc36709df6e625edb79dde1e49a355b439fa7b72e6a5714a9c2e5b8807aa94aa137fee36c78388bbeeb9445114
- SSDEEP
  
  12288:iE/ShrODzyPjurrSN/nGtZr0IMr3xYokt9mROPBMzt:d/2PAShG30X3um3B
Score

10^/10

asyncrat default discovery execution rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratdefaultdiscoveryexecutionrat

behavioral2

asyncratdefaultdiscoveryexecutionrat