asyncrat | 70cff7636e0aaaef0cf817cbdb6c1375706e711a[.]zip[.]tar[.]gz

Sharing

Copy URL

Twitter E-mail

General

Target

70cff7636e0aaaef0cf817cbdb6c1375706e711a.zip.tar.gz
Size

12.9MB
MD5

ac7dceb4a85cb4250ac1268f8a3d7481
SHA1

fdc57ca604746204049368a5d23e6c2893590d42
SHA256

38a22130997f3fd2afd7d0773735c729eca349ad93455866ad02543109f4329a
SHA512

912cf8aaa594e0838d332fd5d67c1b212887adffcaf765911dda048e23c7e57d4531cb3395cf57f9be6e12c79402863c21af605dfabee854c0dd3e2e435533fd
SSDEEP

196608:6Gy8SAdVkkiPx5yAPpl0AOIy/w4n2uMhrM0yEtWoGcUKJvbdS8VylZhBqhcDy:6Gy8LXBIRo6u6rM0LgkUKJzdSLnhkN

Score

10^/10

rat default upx asyncrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

192.168.101.7:6606

192.168.101.7:7707

192.168.101.7:8808

192.168.101.7:1111

192.168.101.7:2222

192.168.101.7:3333

192.168.101.7:4444

192.168.101.7:5555

192.168.101.7:6666

192.168.101.7:7777

192.168.101.7:8888

192.168.101.7:9999

Mutex

H6EV9c34IZEW

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

Async RAT payload 1 IoCs

rat

resource	yara_rule
static1/unpack002/Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/bitcoinaddresutility.config.exe	family_asyncrat

Asyncrat family
asyncrat

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack002/Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/setup-Btc Address Utility.exe	upx

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack002/Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/BouncyCastle.Crypto.dll
unpack002/Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/ThoughtWorks.QRCode.dll
unpack002/Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/bitcoinaddresutility.config.exe
unpack002/Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/setup-Btc Address Utility.exe

Files

70cff7636e0aaaef0cf817cbdb6c1375706e711a.zip.tar.gz
.zip

Password: infected_te_report
70cff7636e0aaaef0cf817cbdb6c1375706e711a.zip
.zip

Password: infected_te_report
Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/README.md
Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/Bitcoin-note.png
.png

Password: infected_te_report
Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/BouncyCastle.Crypto.dll
.dll windows:4 windows x86 arch:x86

Password: infected_te_report

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mscoree

_CorDllMain

Sections

.text
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/ThoughtWorks.QRCode.dll
.dll windows:4 windows x86 arch:x86

Password: infected_te_report

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\Source\ThoughtWorks\QRCode\QRCodeLib\obj\Release\ThoughtWorks.QRCode.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 5.9MB - Virtual size: 5.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 944B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/Ubuntu-R.ttf
Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/bitcoinaddresutility.config.exe
.exe windows:4 windows x86 arch:x86

Password: infected_te_report

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 44KB - Virtual size: 44KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 179KB - Virtual size: 178KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/note-Greyscale.png
.png

Password: infected_te_report
Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/note-blue.png
.png

Password: infected_te_report
Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/note-green.png
.png

Password: infected_te_report
Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/note-purple.png
.png
Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/note-yellow.png
.png
Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/setup-Btc Address Utility.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

UPX0
Size: - Virtual size: 476KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 247KB - Virtual size: 248KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/source.zip
.zip
Bitcoin-Address-Utility-main/README.md

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected_te_report

Password: infected_te_report

Password: infected_te_report

Password: infected_te_report

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 1.4MB - Virtual size: 1.4MB

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 12B

Password: infected_te_report

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 5.9MB - Virtual size: 5.9MB

.rsrc Size: 4KB - Virtual size: 944B

.reloc Size: 4KB - Virtual size: 12B

Password: infected_te_report

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 44KB - Virtual size: 44KB

.rsrc Size: 179KB - Virtual size: 178KB

.reloc Size: 512B - Virtual size: 12B

Password: infected_te_report

Password: infected_te_report

Password: infected_te_report

Headers

File Characteristics

Sections

UPX0 Size: - Virtual size: 476KB

UPX1 Size: 247KB - Virtual size: 248KB

.rsrc Size: 4KB - Virtual size: 4KB

.text
Size: 1.4MB - Virtual size: 1.4MB

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 12B

.text
Size: 5.9MB - Virtual size: 5.9MB

.rsrc
Size: 4KB - Virtual size: 944B

.reloc
Size: 4KB - Virtual size: 12B

.text
Size: 44KB - Virtual size: 44KB

.rsrc
Size: 179KB - Virtual size: 178KB

.reloc
Size: 512B - Virtual size: 12B

UPX0
Size: - Virtual size: 476KB

UPX1
Size: 247KB - Virtual size: 248KB

.rsrc
Size: 4KB - Virtual size: 4KB