asyncrat

General

Target

53965f472183c0e8ec94202b3ba0716faf8e095e073a688f3396c4b8dcca6f30
Size

785KB
Sample

241214-xr7nfasrcp
MD5

54dbe54846a05d5a1677a5ab2970bd6a
SHA1

4ea5792f72f540c58a54f5cfce9de19eb05ffaaa
SHA256

53965f472183c0e8ec94202b3ba0716faf8e095e073a688f3396c4b8dcca6f30
SHA512

f4778a6162b01bcfbb4d26b4686c9caea803b995b74d9f1c080eda0a431820827ddd9601265c23c1220de36faeb75c5e3b738b8adadf1ca76a5a350552b5bf4a
SSDEEP

12288:5NMKhM39TXsTAiYRH3wbrccYpea/jiAsRaT21tKkxRzb53/x6Io5kZaiB:HMaciYlwkp5/o0i1tVRp6IfB

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  53965f472183c0e8ec94202b3ba0716faf8e095e073a688f3396c4b8dcca6f30
- Size
  
  785KB
- MD5
  
  54dbe54846a05d5a1677a5ab2970bd6a
- SHA1
  
  4ea5792f72f540c58a54f5cfce9de19eb05ffaaa
- SHA256
  
  53965f472183c0e8ec94202b3ba0716faf8e095e073a688f3396c4b8dcca6f30
- SHA512
  
  f4778a6162b01bcfbb4d26b4686c9caea803b995b74d9f1c080eda0a431820827ddd9601265c23c1220de36faeb75c5e3b738b8adadf1ca76a5a350552b5bf4a
- SSDEEP
  
  12288:5NMKhM39TXsTAiYRH3wbrccYpea/jiAsRaT21tKkxRzb53/x6Io5kZaiB:HMaciYlwkp5/o0i1tVRp6IfB
Score

10^/10

asyncrat stormkitty default discovery execution persistence privilege_escalation rat spyware stealer phishing
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- A potential corporate email address has been identified in the URL: WorldWindProResultsDate2024121470654PMSystemWindows10Pro64BitUsernameAdminCompNameUTKBEBLOLanguageenUSAntivirusNotinstalledHardwareCPU12thGenIntelRCoreTMi512400GPUMicrosoftBasicDisplayAdapterRAM16154MBHWIDUnknownPowerNoSystemBattery1Screen1280x720NetworkGatewayIP10.127.0.1InternalIP10.127.1.108ExternalIP181.215.176.83BSSID96a825be0f94DomainsinfoBankLogsNodataCryptoLogsNodataFreakyLogsNodataLogsBookmarks5SoftwareDeviceWindowsproductkeyDesktopscreenshotFileGrabberDatabasefiles6TelegramChannel@XSplinter
  phishing
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2