asyncrat | 8bd4e5638b1e7e663c793a1e53bc44ba23e671e1a9f77c8bd8d1928f971cb131 | Triage

Sharing

General

Target

8bd4e5638b1e7e663c793a1e53bc44ba23e671e1a9f77c8bd8d1928f971cb131
Size

1.1MB
Sample

241110-de471a1lgr
MD5

9b825be916bc8914b9ffcf4f5426241c
SHA1

587eae0d81d563668f25258711d47958b41ae4cb
SHA256

8bd4e5638b1e7e663c793a1e53bc44ba23e671e1a9f77c8bd8d1928f971cb131
SHA512

8cc12b0e52cbdd24c9809c311b942c530264d58e15f1aeeb1f51d3c219e3489b3ae8bc9457131ae302956c78b54aca1e611ba48a7cf6ca7e495588333ad348e3
SSDEEP

24576:sgmyZEbdsW36Dfw7TNs9a7WFZgGdT8jANa/D1Gi:s9WEbBIaCGWFZQAqD7

Score

10^/10

asyncrat default discovery evasion execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

isabelaflores.fun:7000

Mutex

ServicesMutex_qwqdanchun

Attributes

delay
240
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  274e4c594cfadeda5b78076c2791ab57d35b6b9bab954c30a2053d17812e1aa5.exe
- Size
  
  1.9MB
- MD5
  
  73ce5f094321f2683b7846397b3d5a8c
- SHA1
  
  d17102bc9d37a5ff9506dfbf94d0608378fae2c6
- SHA256
  
  274e4c594cfadeda5b78076c2791ab57d35b6b9bab954c30a2053d17812e1aa5
- SHA512
  
  20eac921ba5dbc25ac0b751c768540fb3d54b4b359ce638dd7168bf57e12c0450a1b42db0c90b59be49c84fad289ee5e7b5e3ac683d66664d0d5f1adccc89c8e
- SSDEEP
  
  24576:oDlxLeM+sLqZS62SiyY4TWKaJTXogjqpn5WMAw3FKvKvPoxBoOux5lUA4X+he6P2:K3Ci334noyvnbzJ8eF
Score

10^/10

asyncrat default discovery evasion execution persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- UAC bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratdefaultdiscoveryevasionexecutionpersistencerattrojan

behavioral2

asyncratdefaultdiscoveryevasionexecutionpersistencerattrojan