asyncrat

General

Target

asegurar.vbs
Size

139KB
Sample

241125-h122zs1lgl
MD5

b6a19737eef49bc1fda3686ea04fefd2
SHA1

e4f14e237fcd865694ce29862f58c063c0efe995
SHA256

93db398a854042d2a23e61cd308a05d21fb85a6b5c28206c585a6221ac583cd6
SHA512

03145176ca0d828034a4c6907213bcf6478a64134a9fd7a79026ea5ae250dc79d43da1d0cb005e18d0be4bb46373d36302f7369bfc5457be745ba3f50072e887
SSDEEP

3072:boU4gHKIuQzOTbEeqZfCPgyoL4EairFgt5pJGwm:bLKAubqZTyo9

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Tar22

C2

7014vj.duckdns.org:8000

Mutex

DcRatMutex_qwsafun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  asegurar.vbs
- Size
  
  139KB
- MD5
  
  b6a19737eef49bc1fda3686ea04fefd2
- SHA1
  
  e4f14e237fcd865694ce29862f58c063c0efe995
- SHA256
  
  93db398a854042d2a23e61cd308a05d21fb85a6b5c28206c585a6221ac583cd6
- SHA512
  
  03145176ca0d828034a4c6907213bcf6478a64134a9fd7a79026ea5ae250dc79d43da1d0cb005e18d0be4bb46373d36302f7369bfc5457be745ba3f50072e887
- SSDEEP
  
  3072:boU4gHKIuQzOTbEeqZfCPgyoL4EairFgt5pJGwm:bLKAubqZTyo9
Score

10^/10

execution asyncrat tar22 discovery rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2