asyncrat

General

Target

4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe
Size

601KB
Sample

241210-zqsh8sykev
MD5

1c75af06fed42c673ab69aa48063040a
SHA1

2011344f404ee41a3769d476d5443c05c1a80c87
SHA256

4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9
SHA512

ed8b3898182cb5b008e8d1a4fa7b0f84a15245ab602d2325c19a17a9a6d95009c6ebccdddce98a254b3cb48acd406fd03708159a07eff3b11c75a304307d12d0
SSDEEP

6144:EYM2tZrIHSGn6MCInzvZEgpEIQIl4yLA8bBHP4+m46RtHK0:EIrIHFnfCyhEqll4wAJ+mXRtHp

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5048659266:AAFJQRcRFhUzXFoT4Bj40d1LFuM0IyNZ7y4/sendMessage?chat_id=5038570348

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe
- Size
  
  601KB
- MD5
  
  1c75af06fed42c673ab69aa48063040a
- SHA1
  
  2011344f404ee41a3769d476d5443c05c1a80c87
- SHA256
  
  4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9
- SHA512
  
  ed8b3898182cb5b008e8d1a4fa7b0f84a15245ab602d2325c19a17a9a6d95009c6ebccdddce98a254b3cb48acd406fd03708159a07eff3b11c75a304307d12d0
- SSDEEP
  
  6144:EYM2tZrIHSGn6MCInzvZEgpEIQIl4yLA8bBHP4+m46RtHK0:EIrIHFnfCyhEqll4wAJ+mXRtHp
Score

10^/10

asyncrat stormkitty default discovery execution persistence privilege_escalation rat spyware stealer phishing
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- A potential corporate email address has been identified in the URL: WorldWindProResultsDate2024121085558PMSystemWindows10Pro64BitUsernameAdminCompNameYQRLKYONLanguageenUSAntivirusNotinstalledHardwareCPU12thGenIntelRCoreTMi512400GPUMicrosoftBasicDisplayAdapterRAM16154MBHWIDUnknownPowerNoSystemBattery1Screen1280x720NetworkGatewayIP10.127.0.1InternalIP10.127.0.100ExternalIP181.215.176.83BSSID36fc6a1b5805DomainsinfoBankLogsNodataCryptoLogsNodataFreakyLogsNodataLogsBookmarks5SoftwareDeviceWindowsproductkeyDesktopscreenshotFileGrabberDatabasefiles6TelegramChannel@XSplinter
  phishing
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral1 behavioral2