asyncrat | f2210b872fa03ec869ad401139fb07405005043d9adeae4ae9bcc0a837b9b249 | Triage

Resubmissions

08-12-2024 20:18

241208-y3bktatmfw 10

23-11-2024 19:37

241123-yb3vzssnfz 10

Sharing

General

Target

IMAGENES FOTO COMPARENDOS SIMIT INFRACCIONES DETALLES #2024-666663265889-999658959-PDF.vbs
Size

207KB
Sample

241208-y3bktatmfw
MD5

6fb4803325e9551ee65380e39a58b250
SHA1

8fd05fec3c193676864b0eec7a4d5ba1a118b4ea
SHA256

f2210b872fa03ec869ad401139fb07405005043d9adeae4ae9bcc0a837b9b249
SHA512

23c4922fc122038050e1cb37fe728910d5d013bec36a3aecf7ff83148ade88e6df31f4e554a104e17e301dfd7690fe7abfebbba12522c95e422d9c7e3089f899
SSDEEP

384:2747Y7474747Y7474747Y7474747Y7474747Y7474747Y7474747Y7474747Y74Y:Clz/X

Score

10^/10

asyncrat 14 defense_evasion discovery execution rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/0FK5ax2D

Extracted

Family

asyncrat

Version

1.0.7

Botnet

14

C2

sanchezsanchez2024.duckdns.org:6666

Mutex

DcRatMutex_qwqdanchunSFDGHSDF

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  IMAGENES FOTO COMPARENDOS SIMIT INFRACCIONES DETALLES #2024-666663265889-999658959-PDF.vbs
- Size
  
  207KB
- MD5
  
  6fb4803325e9551ee65380e39a58b250
- SHA1
  
  8fd05fec3c193676864b0eec7a4d5ba1a118b4ea
- SHA256
  
  f2210b872fa03ec869ad401139fb07405005043d9adeae4ae9bcc0a837b9b249
- SHA512
  
  23c4922fc122038050e1cb37fe728910d5d013bec36a3aecf7ff83148ade88e6df31f4e554a104e17e301dfd7690fe7abfebbba12522c95e422d9c7e3089f899
- SSDEEP
  
  384:2747Y7474747Y7474747Y7474747Y7474747Y7474747Y7474747Y7474747Y74Y:Clz/X
Score

10^/10

defense_evasion discovery execution asyncrat 14 rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecution

behavioral2

asyncrat14defense_evasiondiscoveryexecutionrat