Overview

overview

10

Static

static

3

PureRcsAdv...s..scr

windows7-x64

10

PureRcsAdv...s..scr

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PureRcsAdvTokenGrabbernls..scr

  • Size

    3.0MB

  • Sample

    241220-rx1jesxmgy

  • MD5

    29ee9836013142f0f63c6813944c7021

  • SHA1

    90781c0a4d3fe85d1582eb1ca4c5aa910ee85b78

  • SHA256

    7382071535d0b83a8ee62e72c29e8f42d433b29238c4c86cfba7c4de4d6ad6b1

  • SHA512

    482d95357c48dbe380b90980a626fc04446de10e83e31dfbe850de94942091b86f01b83c2efe4517b887b8c288b0689e64809f5ad174deca759eeb9594d2e47e

  • SSDEEP

    49152:oXWsTEkwghTKv4jysGUqgCoOtt1JKLBuhFapNyPn7MU4HcOL:oXFEkwghTKv4jysGUqgCxttiBmas7+8

Score
10/10
asyncratexpolergoogle chromemetamaskwindows defenderdiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

MetaMask

C2

51.103.217.70:6677

Mutex

MetaMask

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Google Chrome

C2

51.103.217.70:8585

Mutex

Google Chrome

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Windows Defender

C2

51.103.217.70:8585

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Expoler

C2

51.103.217.70:6677

Mutex

Expoler

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      PureRcsAdvTokenGrabbernls..scr

    • Size

      3.0MB

    • MD5

      29ee9836013142f0f63c6813944c7021

    • SHA1

      90781c0a4d3fe85d1582eb1ca4c5aa910ee85b78

    • SHA256

      7382071535d0b83a8ee62e72c29e8f42d433b29238c4c86cfba7c4de4d6ad6b1

    • SHA512

      482d95357c48dbe380b90980a626fc04446de10e83e31dfbe850de94942091b86f01b83c2efe4517b887b8c288b0689e64809f5ad174deca759eeb9594d2e47e

    • SSDEEP

      49152:oXWsTEkwghTKv4jysGUqgCoOtt1JKLBuhFapNyPn7MU4HcOL:oXFEkwghTKv4jysGUqgCxttiBmas7+8

    Score
    10/10
    asyncratexpolergoogle chromemetamaskwindows defenderdiscoveryexecutionpersistencerat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks