asyncrat | af6f7df9365641509b238d493361ef2cafad9d78dba256eb56f625d193f1d19a | Triage

Sharing

General

Target

67fadce533b77bce7bc46986e277647e.bz2
Size

2KB
Sample

241119-vx4smatmck
MD5

67fadce533b77bce7bc46986e277647e
SHA1

43155db3a192992fac576528c8827b3c47fdb683
SHA256

af6f7df9365641509b238d493361ef2cafad9d78dba256eb56f625d193f1d19a
SHA512

89aeb44793933c6ea32041c47950c582963d43d78a9ebbdcd212995bba8373a4d2ad8cf74a37770ba03ba1ed9f5c7a9f556869d5fd26bf229472e917152da808

Score

10^/10

asyncrat 19 defense_evasion discovery execution rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/0FK5ax2D

Extracted

Family

asyncrat

Version

1.0.7

Botnet

19

C2

sanchezsanches2025.duckdns.org:6666

Mutex

sdfgsghdfg3456345645

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Informacion detallada proceso de citacion fiscalia No Radicado#2024-996569-66332368-999650023-PDF.vbs
- Size
  
  207KB
- MD5
  
  3a463161808ec6ca767d6f33717b6d09
- SHA1
  
  dfce6272aca63db2237c10b8dfc1f049bd2a69da
- SHA256
  
  3b2f343d09a33b6f15664c3c7cab05b149470aa2c1320784326b03eb66b5aa61
- SHA512
  
  24d960b49be770f85ecac0bd7c53f7963d05317de23c3c4c0a722a644e1a3642f618956f46858a7e2fda6f2996bee0bbc5ac97c552e8269dab3c822ee52ca52f
- SSDEEP
  
  384:233333333333333333333333333333333333333333333333333333333333333q:WlzLjW
Score

10^/10

defense_evasion discovery execution asyncrat 19 rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecution

behavioral2

asyncrat19defense_evasiondiscoveryexecutionrat