Extracted

• • Target

    Statement.Client.exe

  • Size

    81KB

  • MD5

    096c0bb01099ae31a11f12c4643b02de

  • SHA1

    5fecc71c4991d3bd64142fee92d5dd9cb689743c

  • SHA256

    72b2d87cf942f3c5dd92927098f59813c86ff94aa7805f82c70fec379a91e371

  • SHA512

    52395e5e344cb6ce5e9b92db081c8c5ca240df18917c25ba876793dcee4774b42b80356a6cf47d854a2f5a5179f4ffd0e64cfa79056960b9f479e0e1934b428c

  • SSDEEP

    1536:BoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaWPBJYYb7xJoZ:7enkyfPAwiMq0RqRfbaWZJYYbj0

  Score

  10^/10

  discoverypersistenceasyncratdefaultexecutionrat

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Asyncrat family

    asyncrat

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Manipulates Digital Signatures

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Sets service image path in registry

    persistence

  • Adds Run key to start application

    persistence

  • Downloads MZ/PE file

  • Network Service Discovery

    Attempt to gather information on host's network.

    discovery

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2