asyncrat | 5dee2d0dd4d3eee97c372b6a8dbd3d3042d24b9483addfa9f8786617a88e268b | Triage

Sharing

General

Target

5dee2d0dd4d3eee97c372b6a8dbd3d3042d24b9483addfa9f8786617a88e268b.bat
Size

11KB
Sample

241126-c359jawpbp
MD5

4527c576f1af0580c8d96ac23c8f761c
SHA1

dac3bf00eeb34c9c1d9dca63973f2e04da045383
SHA256

5dee2d0dd4d3eee97c372b6a8dbd3d3042d24b9483addfa9f8786617a88e268b
SHA512

7afacd9324fd02c60e927c71d8c4c6b3317984869224da2e6311a4a5963ebb74615ada91af129f9083d771dc069b4578c895c42f8d9154e814e94f8cc28361b9
SSDEEP

192:kffffffffffffffffffffhffffffffffffffffffffQv/sfffffffffffffffffZ:kffffffffffffffffffffhfffffffffT

Score

10^/10

asyncrat ducksex discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg

Extracted

Family

asyncrat

Version

| CRACKED BY DEXTER-LY

Botnet

ducksex

C2

ducksex.ddnsfree.com:6161

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  5dee2d0dd4d3eee97c372b6a8dbd3d3042d24b9483addfa9f8786617a88e268b.bat
- Size
  
  11KB
- MD5
  
  4527c576f1af0580c8d96ac23c8f761c
- SHA1
  
  dac3bf00eeb34c9c1d9dca63973f2e04da045383
- SHA256
  
  5dee2d0dd4d3eee97c372b6a8dbd3d3042d24b9483addfa9f8786617a88e268b
- SHA512
  
  7afacd9324fd02c60e927c71d8c4c6b3317984869224da2e6311a4a5963ebb74615ada91af129f9083d771dc069b4578c895c42f8d9154e814e94f8cc28361b9
- SSDEEP
  
  192:kffffffffffffffffffffhffffffffffffffffffffQv/sfffffffffffffffffZ:kffffffffffffffffffffhfffffffffT
Score

10^/10

execution asyncrat ducksex discovery rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

asyncratducksexdiscoveryexecutionrat