asyncrat

General

Target

70cff7636e0aaaef0cf817cbdb6c1375706e711a.zip.tar.gz
Size

12.9MB
Sample

241128-wvelds1lhj
MD5

ac7dceb4a85cb4250ac1268f8a3d7481
SHA1

fdc57ca604746204049368a5d23e6c2893590d42
SHA256

38a22130997f3fd2afd7d0773735c729eca349ad93455866ad02543109f4329a
SHA512

912cf8aaa594e0838d332fd5d67c1b212887adffcaf765911dda048e23c7e57d4531cb3395cf57f9be6e12c79402863c21af605dfabee854c0dd3e2e435533fd
SSDEEP

196608:6Gy8SAdVkkiPx5yAPpl0AOIy/w4n2uMhrM0yEtWoGcUKJvbdS8VylZhBqhcDy:6Gy8LXBIRo6u6rM0LgkUKJzdSLnhkN

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

192.168.101.7:6606

192.168.101.7:7707

192.168.101.7:8808

192.168.101.7:1111

192.168.101.7:2222

192.168.101.7:3333

192.168.101.7:4444

192.168.101.7:5555

192.168.101.7:6666

192.168.101.7:7777

192.168.101.7:8888

192.168.101.7:9999

Mutex

H6EV9c34IZEW

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

Guest16

C2

192.168.101.7:1604

192.168.101.7:1605

192.168.101.7:1606

192.168.101.7:1607

192.168.101.7:1608

192.168.101.7:1609

192.168.101.7:1610

192.168.101.7:1611

192.168.101.7:1612

192.168.101.7:1613

192.168.101.7:1614

192.168.101.7:1615

192.168.101.7:1616

192.168.101.7:1617

192.168.101.7:1618

192.168.101.7:1619

192.168.101.7:1620

192.168.101.7:1621

192.168.101.7:1622

192.168.101.7:1623

Mutex

DC_MUTEX-J7WY70H

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
a7kB2AAlrgH4
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  70cff7636e0aaaef0cf817cbdb6c1375706e711a.zip.tar.gz
- Size
  
  12.9MB
- MD5
  
  ac7dceb4a85cb4250ac1268f8a3d7481
- SHA1
  
  fdc57ca604746204049368a5d23e6c2893590d42
- SHA256
  
  38a22130997f3fd2afd7d0773735c729eca349ad93455866ad02543109f4329a
- SHA512
  
  912cf8aaa594e0838d332fd5d67c1b212887adffcaf765911dda048e23c7e57d4531cb3395cf57f9be6e12c79402863c21af605dfabee854c0dd3e2e435533fd
- SSDEEP
  
  196608:6Gy8SAdVkkiPx5yAPpl0AOIy/w4n2uMhrM0yEtWoGcUKJvbdS8VylZhBqhcDy:6Gy8LXBIRo6u6rM0LgkUKJzdSLnhkN
Score

10^/10

asyncrat darkcomet default guest16 discovery evasion persistence privilege_escalation rat trojan upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Async RAT payload
  rat
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2