asyncrat | 9c9d83deb8c4aa7af8b8495f1cacb657041c6a9658f01f9c1645f363f8a03b37 | Triage

Sharing

General

Target

02d12bf75138c164b2dc3c8acef1cae6
Size

2KB
Sample

241114-s7lzfs1drr
MD5

02d12bf75138c164b2dc3c8acef1cae6
SHA1

b0635c603f5cda3e83768f574a9d6672122baf8d
SHA256

9c9d83deb8c4aa7af8b8495f1cacb657041c6a9658f01f9c1645f363f8a03b37
SHA512

94d5cff8361498edadf7504845f43b36237b5ff4554067c844a65f5af5949a4adcdb6e7d65bbb0de6caa9f6bb0fe1132712bd0d793d62b9dd447453b96740c72

Score

10^/10

asyncrat 14 defense_evasion discovery execution rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/0FK5ax2D

Extracted

Family

asyncrat

Version

1.0.7

Botnet

14

C2

sanchezsanchez2024.duckdns.org:6666

Mutex

DcRatMutex_qwqdanchunSFDGHSDF

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  INFORMACION RAMA JUDICIAL PROCESO PENAL N0 RADICADO 2024-99659-9900236-999669-PDF.vbs
- Size
  
  207KB
- MD5
  
  438d60b529450e6976d4eaa1562328d6
- SHA1
  
  e77ee5f7c92af0b8ad348515315c7a6eba0e00b6
- SHA256
  
  0da4e2f6dea5afb3404219e00ca415c8cef6a5f556a3365be274881e62f3aebd
- SHA512
  
  87daca922d36625f5a58d4dc77cb318ec70d000d6f0caf62fc78cf145cb2e46bd9b77f30b389555f23391377894c2e63115e4f8e9ec649fb1c57f7f03c5d3832
- SSDEEP
  
  192:+QkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQkQk9:4HFzLPTLgeJOXA9vfTfpfRJaV27
Score

10^/10

defense_evasion discovery execution asyncrat 14 rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecution

behavioral2

asyncrat14defense_evasiondiscoveryexecutionrat