asyncrat | 86ca81b6d7f0d020571ab9e3c586d9066bef48f82c3b4aa4abec0e0d86a48765 | Triage

Sharing

General

Target

sostener.vbs
Size

3.3MB
Sample

241120-xq4kds1pft
MD5

caa101219c251ee08a30546134d6c2b0
SHA1

23ada7a16f8151997e75fbc7e492ea74eaaf81dc
SHA256

86ca81b6d7f0d020571ab9e3c586d9066bef48f82c3b4aa4abec0e0d86a48765
SHA512

0a241d53ad5bfb3a5e75008968f2cb5d32bf08143e0c0fba29f5447f88cef78d56f822abf5f083413525856edb639e8b8601a8da895ae6d45929b7138c8033a8
SSDEEP

384:bfffftfffftfffftffff9fffftfffftfffftffff4fffftfffftfffftffff9ffH:tDn1C

Score

10^/10

asyncrat server defense_evasion discovery execution rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Server

C2

dcratwas.duckdns.org:35650

dcratwas.duckdns.org:5999

dcratwas.duckdns.org:46452

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  sostener.vbs
- Size
  
  3.3MB
- MD5
  
  caa101219c251ee08a30546134d6c2b0
- SHA1
  
  23ada7a16f8151997e75fbc7e492ea74eaaf81dc
- SHA256
  
  86ca81b6d7f0d020571ab9e3c586d9066bef48f82c3b4aa4abec0e0d86a48765
- SHA512
  
  0a241d53ad5bfb3a5e75008968f2cb5d32bf08143e0c0fba29f5447f88cef78d56f822abf5f083413525856edb639e8b8601a8da895ae6d45929b7138c8033a8
- SSDEEP
  
  384:bfffftfffftfffftffff9fffftfffftfffftffff4fffftfffftfffftffff9ffH:tDn1C
Score

10^/10

defense_evasion discovery execution asyncrat server rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecution

behavioral2

asyncratserverdefense_evasiondiscoveryexecutionrat