asyncrat | a3bc7c27473789a4dda4379a748286413ca2c99933dc71abdaf7f9c67649d854 | Triage

Sharing

General

Target

29cad1dbb662f9b780faa88458d0493f
Size

2KB
Sample

241119-t9yxgaybrg
MD5

29cad1dbb662f9b780faa88458d0493f
SHA1

e7c02f1f8d3dd4664ca4f2dd2e29445f41704248
SHA256

a3bc7c27473789a4dda4379a748286413ca2c99933dc71abdaf7f9c67649d854
SHA512

b7120a545f9627fc6cfcf58dff7dc754be503caabf376e1d984cf3edfe1ae211ca074554bdf2c8ed7980eba6f167b3d987df478691588bb2c9f8a1746b328822

Score

10^/10

asyncrat 18 defense_evasion discovery execution rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/0FK5ax2D

Extracted

Family

asyncrat

Version

1.0.7

Botnet

18

C2

sanchezsanchez2024.duckdns.org:6666

Mutex

654KJGKGKHJGJFF5T44444888

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  ACTA DE FOTO COMPARENDOS IMAGENES DETALLADAS RADICADO No 2024-99663326-9966566-9996589-JPG.vbs
- Size
  
  207KB
- MD5
  
  435df20a9b01d9e40b5c8bfcc0d854f3
- SHA1
  
  ae3f4580799db52473bd2dc41db7903819f3d8e1
- SHA256
  
  3a27d687ad30981166c9b94a4bb30eaf4cb57ceaa6276531c544c0073047a0ff
- SHA512
  
  613f815e2bcc7dbcc0c1dc591c9ba551678ec32d8bdeae58be17d5ac8cbc663760c65a171696df5ac26a74e4307ea87b10c006397d905e5ef69a8a8d2d75e907
- SSDEEP
  
  192:7///////////////////////////////////////////////////////////////:WHFzLPTnRStYhSXIBoFN
Score

10^/10

defense_evasion discovery execution asyncrat 18 rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecution

behavioral2

asyncrat18defense_evasiondiscoveryexecutionrat