asyncrat | a816dde75699e34081f10b3c70c6a1b847a25966ba6844c7f62da0d35ad95402 | Triage

Sharing

General

Target

a816dde75699e34081f10b3c70c6a1b847a25966ba6844c7f62da0d35ad95402.exe
Size

569KB
Sample

241123-1tcsmaylcz
MD5

baafb44a3a3f70dd1e009c04b9c88297
SHA1

25b542946dd20f80773387a44352696f58f76cba
SHA256

a816dde75699e34081f10b3c70c6a1b847a25966ba6844c7f62da0d35ad95402
SHA512

1ebd9f5d3515a973a4c45cfbbdc3fb227f457d2fbba03873eefc397cf0da72a29a12887466b3e2795a90b2a3b8c95024319324f075275421f39eac8b49ed0f11
SSDEEP

12288:f20IpfjSt64LnnhlgVRZ7K/Tk7SP0q6qKLnHEbpt26XE85RSKoTx:fPemtrLnY7ETMi07ZCU

Score

10^/10

asyncrat default discovery evasion execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

194.5.97.229:1195

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  a816dde75699e34081f10b3c70c6a1b847a25966ba6844c7f62da0d35ad95402.exe
- Size
  
  569KB
- MD5
  
  baafb44a3a3f70dd1e009c04b9c88297
- SHA1
  
  25b542946dd20f80773387a44352696f58f76cba
- SHA256
  
  a816dde75699e34081f10b3c70c6a1b847a25966ba6844c7f62da0d35ad95402
- SHA512
  
  1ebd9f5d3515a973a4c45cfbbdc3fb227f457d2fbba03873eefc397cf0da72a29a12887466b3e2795a90b2a3b8c95024319324f075275421f39eac8b49ed0f11
- SSDEEP
  
  12288:f20IpfjSt64LnnhlgVRZ7K/Tk7SP0q6qKLnHEbpt26XE85RSKoTx:fPemtrLnY7ETMi07ZCU
Score

10^/10

asyncrat default discovery evasion execution rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratdefaultdiscoveryevasionexecutionrat

behavioral2

asyncratdefaultdiscoveryevasionexecutionrat