asyncrat | 2810c06ccf0230a24179363862bfd4e88dab05b1b39fb229d75b8f01973fdb80 | Triage

Sharing

General

Target

2810c06ccf0230a24179363862bfd4e88dab05b1b39fb229d75b8f01973fdb80.vbs
Size

1.9MB
Sample

241203-cm1n4svkd1
MD5

bb16b36f5fe5781959183b0acd63de8b
SHA1

f764941cab201f441d31edd23120961966799880
SHA256

2810c06ccf0230a24179363862bfd4e88dab05b1b39fb229d75b8f01973fdb80
SHA512

57b422dd4cb49dca2e4f3a143c6a995f574f407be5e4c1cdd2b6b20ff422df59732bacf501a0988799d8c40e33f6af1791035461ee2d4e740e33da42d35eea06
SSDEEP

192:DlVUdVoZvsBef7e3vtEMUETN9BgKm6w56Hy:CQb7SOE9Tm6wd

Score

10^/10

asyncrat tarea 2 discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/Adv9gBHa

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Extracted

Family

asyncrat

Version

1.0.7

Botnet

tarea 2

C2

wins.cooempresasltda5.store:8000

Mutex

DcRatMutex_qwsafun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  2810c06ccf0230a24179363862bfd4e88dab05b1b39fb229d75b8f01973fdb80.vbs
- Size
  
  1.9MB
- MD5
  
  bb16b36f5fe5781959183b0acd63de8b
- SHA1
  
  f764941cab201f441d31edd23120961966799880
- SHA256
  
  2810c06ccf0230a24179363862bfd4e88dab05b1b39fb229d75b8f01973fdb80
- SHA512
  
  57b422dd4cb49dca2e4f3a143c6a995f574f407be5e4c1cdd2b6b20ff422df59732bacf501a0988799d8c40e33f6af1791035461ee2d4e740e33da42d35eea06
- SSDEEP
  
  192:DlVUdVoZvsBef7e3vtEMUETN9BgKm6w56Hy:CQb7SOE9Tm6wd
Score

10^/10

execution asyncrat tarea 2 discovery rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

asyncrattarea 2discoveryexecutionrat