asyncrat | 5ef95b38828c6d99c6cc41f377373c7b1c6d5b48c6f63ceeb2b103daec226716 | Triage

Sharing

General

Target

5ef95b38828c6d99c6cc41f377373c7b1c6d5b48c6f63ceeb2b103daec226716.exe
Size

45KB
Sample

241214-ekjnxstlfv
MD5

b2fa91466cc86844ab15094d1977ef6d
SHA1

1b906455b8a22316777379b36bc686c3f02079cd
SHA256

5ef95b38828c6d99c6cc41f377373c7b1c6d5b48c6f63ceeb2b103daec226716
SHA512

1652caa85ce027a627796ba8cb83dbbb2f8a3900c3c366d7ee6609808334048a5c0dc69c62e798b95879c891c4de49e6fef3b7e7bd4605646a464a72e43dd785
SSDEEP

768:1umC1TVMOvtWUNb2nmo2qztKjPGaG6PIyzjbFgX3imGmJUxjhR5UBDZ/x:1umC1TVd22kKTkDy3bCXSwujn5id/x

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1337

127.0.0.1:16335

127.0.0.1:11195

18.119.130.176:6606

18.119.130.176:7707

18.119.130.176:8808

18.119.130.176:1337

18.119.130.176:16335

18.119.130.176:11195

2.tcp.ngrok.io:6606

2.tcp.ngrok.io:7707

2.tcp.ngrok.io:8808

2.tcp.ngrok.io:1337

2.tcp.ngrok.io:16335

2.tcp.ngrok.io:11195

8.tcp.ngrok.io:6606

8.tcp.ngrok.io:7707

Mutex

Yp91dpbmYOAB

Attributes

delay
3
install
true
install_file
RtlUpdate.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  5ef95b38828c6d99c6cc41f377373c7b1c6d5b48c6f63ceeb2b103daec226716.exe
- Size
  
  45KB
- MD5
  
  b2fa91466cc86844ab15094d1977ef6d
- SHA1
  
  1b906455b8a22316777379b36bc686c3f02079cd
- SHA256
  
  5ef95b38828c6d99c6cc41f377373c7b1c6d5b48c6f63ceeb2b103daec226716
- SHA512
  
  1652caa85ce027a627796ba8cb83dbbb2f8a3900c3c366d7ee6609808334048a5c0dc69c62e798b95879c891c4de49e6fef3b7e7bd4605646a464a72e43dd785
- SSDEEP
  
  768:1umC1TVMOvtWUNb2nmo2qztKjPGaG6PIyzjbFgX3imGmJUxjhR5UBDZ/x:1umC1TVd22kKTkDy3bCXSwujn5id/x
Score

10^/10

asyncrat default discovery rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

ratdefaultasyncrat

behavioral1

asyncratdefaultdiscoveryrat

behavioral2

asyncratdefaultdiscoveryrat