asyncrat

Target

RIP_YOUR_PC_LOL.exe
Size

22.5MB
Sample

241204-x3662sspbq
MD5

52867174362410d63215d78e708103ea
SHA1

7ae4e1048e4463a4201bdeaf224c5b6face681bf
SHA256

37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
SHA512

89e17e147d3f073e479e85d0b0321f6264bbc2aa84c930ed645e8f5cde3f1e58812c3db1ba0f10bee6ce7ac0731e1e3de6747a9b3c4d63a564dd8d904bd726ab
SSDEEP

393216:HJLgf7BPkdKzrZciLxv8naSNtPr5rn57M84UTB9xO5/VWvJKJPkwdnfZ4y5SDkFV:poBPQwxMR7pn5qUTB9xOFVWvJKJPkwd9

Malware Config

Extracted

Family

fickerstealer

80.87.192.115:80

Extracted

Family

redline

Botnet

@zhilsholi

yabynennet.xyz:81

Attributes

auth_value
c2d0b7a2ede97b91495c99e75b4f27fb

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

gfhhjgh.duckdns.org:8050

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
system32.exe
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

im523

Botnet

mediaget

kazya1.hopto.org:1470

Mutex

a797c6ca3f5e7aff8fa1149c47fe9466

Attributes

reg_key
a797c6ca3f5e7aff8fa1149c47fe9466
splitter
|'|'|

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

5781468cedb3a203003fdf1f12e72fe98d6f1c0f

Attributes

url4cnc
http://194.180.174.53/brikitiki

http://91.219.236.18/brikitiki

http://194.180.174.41/brikitiki

http://91.219.236.148/brikitiki

https://t.me/brikitiki

rc4.plain

Extracted

Family

pony

http://londonpaerl.co.uk/yesup/gate.php

Extracted

Family

azorult

http://195.245.112.115/index.php

Targets

- Target
  
  RIP_YOUR_PC_LOL.exe
- Size
  
  22.5MB
- MD5
  
  52867174362410d63215d78e708103ea
- SHA1
  
  7ae4e1048e4463a4201bdeaf224c5b6face681bf
- SHA256
  
  37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
- SHA512
  
  89e17e147d3f073e479e85d0b0321f6264bbc2aa84c930ed645e8f5cde3f1e58812c3db1ba0f10bee6ce7ac0731e1e3de6747a9b3c4d63a564dd8d904bd726ab
- SSDEEP
  
  393216:HJLgf7BPkdKzrZciLxv8naSNtPr5rn57M84UTB9xO5/VWvJKJPkwdnfZ4y5SDkFV:poBPQwxMR7pn5qUTB9xOFVWvJKJPkwd9
Score

10^/10

asyncrat azorult blackmoon dcrat fickerstealer gh0strat hawkeye nanocore njrat oski pony purplefox raccoon redline xmrig 5781468cedb3a203003fdf1f12e72fe98d6f1c0f @zhilsholi default mediaget banker collection credential_access defense_evasion discovery evasion infostealer keylogger miner persistence privilege_escalation rat rootkit spyware stealer trojan upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Azorult family
  azorult
- Blackmoon family
  blackmoon
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Detect Blackmoon payload
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Fickerstealer
  Ficker is an infostealer written in Rust and ASM.
  infostealer fickerstealer
- Fickerstealer family
  fickerstealer
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Gh0strat family
  gh0strat
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Hawkeye family
  hawkeye
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Njrat family
  njrat
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- Oski family
  oski
- Pony family
  pony
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Purplefox family
  purplefox
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Redline family
  redline
- UAC bypass
  evasion trojan
- Xmrig family
  xmrig
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Async RAT payload
  rat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- XMRig Miner payload
  miner
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Server Software Component: Terminal Services DLL
  persistence
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1