asyncrat | bac0b67b6a6ffaea1aa1cd97802e9e7f45f6ab68f60dc4ebd71f943848530838 | Triage

Submit
Reports

Overview

overview

Static

static

1

7d4fd0768b...7a.bat

windows7-x64

8

7d4fd0768b...7a.bat

windows10-2004-x64

Sharing

General

Target

7d4fd0768b8cba2af39bf88ba789e27a.bat
Size

14KB
Sample

241208-j51kdssqgk
MD5

7d4fd0768b8cba2af39bf88ba789e27a
SHA1

31315e8bc69d8ff9d3764071b0c9def830dabf58
SHA256

bac0b67b6a6ffaea1aa1cd97802e9e7f45f6ab68f60dc4ebd71f943848530838
SHA512

101971fafe90fa9e703bb4d62208f984fe3162044bf30b2ed16f5cd9dc16d2e9a9770fccd37cfee3796b4f222035418dc0ab79df1a99faeb385889341972c754
SSDEEP

192:7xM/+aHdczpj/j3TG996TG1lyXuMFtOxHlsTdEKxnH9ONGUe7FQGIAAApkF32GAI:7xa9e/zw96TG1uWxFtqHtF0YnMF

Score

10^/10

asyncrat default discovery execution rat

Static task

static1

Behavioral task

behavioral1

Sample

7d4fd0768b8cba2af39bf88ba789e27a.bat

Resource

win7-20240903-en

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

7d4fd0768b8cba2af39bf88ba789e27a.bat

Resource

win10v2004-20241007-en

asyncrat default discovery execution rat

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

103.125.189.155:8848

Mutex

DcRatMutex_adxzvxv

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  7d4fd0768b8cba2af39bf88ba789e27a.bat
- Size
  
  14KB
- MD5
  
  7d4fd0768b8cba2af39bf88ba789e27a
- SHA1
  
  31315e8bc69d8ff9d3764071b0c9def830dabf58
- SHA256
  
  bac0b67b6a6ffaea1aa1cd97802e9e7f45f6ab68f60dc4ebd71f943848530838
- SHA512
  
  101971fafe90fa9e703bb4d62208f984fe3162044bf30b2ed16f5cd9dc16d2e9a9770fccd37cfee3796b4f222035418dc0ab79df1a99faeb385889341972c754
- SSDEEP
  
  192:7xM/+aHdczpj/j3TG996TG1lyXuMFtOxHlsTdEKxnH9ONGUe7FQGIAAApkF32GAI:7xa9e/zw96TG1uWxFtqHtF0YnMF
Score

10^/10

execution asyncrat default discovery rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

asyncratdefaultdiscoveryexecutionrat

© 2018-2025

Terms | Privacy