asyncrat | 272e59a8e2a586fcefe28bdab59c1e557a935017c186804f5fd46f9079058fff | Triage

Sharing

General

Target

df300540e4f9d825f765e85a269f881e.001
Size

9KB
Sample

241126-2px4fazngj
MD5

df300540e4f9d825f765e85a269f881e
SHA1

10bd137f4217a7399ecb925754934780b0144ec9
SHA256

272e59a8e2a586fcefe28bdab59c1e557a935017c186804f5fd46f9079058fff
SHA512

e284d3cf2a9346f3a06f9716042b9b9dba6f20b2f392da69afc8c8c975fe8928214b81b7194ba801773fa60fe0d91aa7ad051fb1a26398754c05409c4e5454ea
SSDEEP

192:kl0E5xRPMqe1Y6LWvhrj8wQEstCnpmcUsSDwUEjbDuKUvqi/JO0:y0EXVLcY6i9yEY+XBSibDISF0

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/rE7gKnsP

exe.dropper

https://pastebin.com/raw/rE7gKnsP

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

C2

perroshp.duckdns.org:3030

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  00254-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA DEMANDA JUZGADO PENAL CIRCUITO RAMA JUDICIAL/012-ENVIO NOTIFICACION ELECTRONICA.vbs
- Size
  
  30.4MB
- MD5
  
  2063532fceeb572f8611f222dffd01ed
- SHA1
  
  f0d1938c04c06c9fa2f9f64408159f8a18404e0a
- SHA256
  
  980a6398745d8c656a7270b782d779c7328ceffa91e8bafb2020d0983ee1c1aa
- SHA512
  
  5bd582557408bd505e6c586690b12cd3a7463372c6f4aa1801c76d75dee7ad1c31a2515f3f508d875c806fc7d7f1a1e7be3e4f451029ff548346bfae0e2a3a97
- SSDEEP
  
  384:SHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPHPA:eECOzjL1
Score

10^/10

execution asyncrat default discovery rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

asyncratdefaultdiscoveryexecutionrat