General

  • Target

    AsyncRAT.rar

  • Size

    9.4MB

  • Sample

    241222-1pr2razrfm

  • MD5

    83e8eabf4126f7afb4f46b9b0d0dee71

  • SHA1

    bd992bacef8fd2b7fdb523d9d372838963c21c3a

  • SHA256

    d7f1777e338ff75532c01ef6fb8dd7bdf6fcba46d8ed8c7eba15f34e464b1d21

  • SHA512

    7ea4d3f2c0201a5b99354aeae318babc68508b212b6966b42c6953171570d9e175ec605dd8349a5b316468463ee00c69d7b2e6d92dfed36e4c722aa1d096799d

  • SSDEEP

    196608:hmKNqv0i3vqzvgjrNpRocygvJGHO3WGn5imGUyvtOhgI3:hmwXIogdpRocW9GUmG9tO33

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

jt8iyre.localto.net:2101

jt8iyre.localto.net:55644

Mutex

AbAUwI3PK3e3

Attributes
  • delay

    3

  • install

    false

  • install_file

    winserve.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      AsyncRAT/AsyncRAT.lnk

    • Size

      938B

    • MD5

      11f2bb2a95bfa3212ceafb66deeffdf2

    • SHA1

      e68061495dc371e5a0dbd2c4130e908c680daf9e

    • SHA256

      73394839eb747e047a28514e790c0d7c042488a277d42e984a284c84d3cd1927

    • SHA512

      84af86271738f75d10974972894d21dd5acf4e197fafcd097928fbdcfb71d20c0e8c35c91aa46dc7fc91968603981151f4fc59910dd7fcde95b6bfa843145b57

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Async RAT payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      AsyncRAT/Plugins/Chat.dll

    • Size

      367KB

    • MD5

      b230da150aa974d2a0801cef654cbe05

    • SHA1

      ab28e63c165ebd7d43d6d0eed4de2750743b9b27

    • SHA256

      37d41c7042210845593ddd7e5a5e37a37f6605305264d50a30aa2be1686000f6

    • SHA512

      2d81546548b6ed2e799eaaf4766ac9a811344d9f57726bed7270e289234f7b917df07deff9d1f6e93b9f4d186daefcbfd2d0181b12406a0b5b81e3bdffa65aaf

    • SSDEEP

      6144:x5S/ect/xQQq1EFBa1jTfHjGqyREilSwAV:x5G/e1EFQ1jzjGREy

    Score
    1/10
    • Target

      AsyncRAT/Plugins/Extra.dll

    • Size

      375KB

    • MD5

      3bbcb7c7967c714f767d751db17ed1d0

    • SHA1

      ea15b176c5c7073bfa3bb58ebe9280b032414fbc

    • SHA256

      7dd3978e7721f4460d639d17c47fe1307917dbacfb858d0d12e403105cd47089

    • SHA512

      c20bf3b9b4051b050b6efebbe3c6ea54e520d68172f4ef7bbab961169c4479e9c77b39719e0139edd6ff4c4366b355579226f49aa979331ac8ab8c69bf3a165f

    • SSDEEP

      6144:/rUTePJZAbxMCgxth8mzMkv8WLBuqcLA5rm5N8LBOTqi:/jA6jL93J4H

    Score
    1/10
    • Target

      AsyncRAT/Plugins/FileManager.dll

    • Size

      392KB

    • MD5

      9caa1fa3b3b7824167610d309446223d

    • SHA1

      093fa014488ea1ddacf083c398fb8b2d07b8a0e0

    • SHA256

      9d1b94035f381b5183e82a317f001725674c8ea1c5cd82ab5af408f7f53ca19d

    • SHA512

      feba121ed3ccdef26b0c78874c5247cbb223b2992649fed6bbc088bfe952cf86de1145d84666048ad37b0f2c6a9dcd4da95cf972ec790b43deeb1c22322d17e1

    • SSDEEP

      6144:6vqHIAq0cvNthE4a2pO/LyRJPZVjTT6gsduuufuujuFyJTququqqqqqqLffffqpU:6vqH/glcwkU5mgsRU0OGF

    Score
    1/10
    • Target

      AsyncRAT/Plugins/FileSearcher.dll

    • Size

      433KB

    • MD5

      4e1922ee8333847507a34823ed695131

    • SHA1

      5df1f96b0a0a43eadeb101c54864a85cf51e9521

    • SHA256

      a6bdd625fa1d9a7ee66e4ca09ced0b3dca8afd2ad92ecaf44fd9a879b57cb198

    • SHA512

      e4f2bc24f7d44e19580d561599b563ef2d011cffbd64851c867b03aab22e650da55150b6bc9c02389acffe546efdcc17da72204fef4e6e49a53e27be1a290f0a

    • SSDEEP

      6144:TwLb1j1VL6d/kA1EegwpfzSv/OLpvt4WIkE0ej:Tib1jKcA1ow9+Q2WIkE0e

    Score
    1/10
    • Target

      AsyncRAT/Plugins/LimeLogger.dll

    • Size

      368KB

    • MD5

      732839c93b7e0ab6796cb1c4544eda66

    • SHA1

      2dc3d39d74a5b72e6320596f92bcfc15edda3915

    • SHA256

      cd5cdf0eade067fb0d97881258e4e29d88386cc9ec7a6ea315d159d284858857

    • SHA512

      faa264925d636fa743d0448ce97c0b26ed7974b48c2fbf66000993119749d721bc27cf2626c3eaac3b1374abc0d16cca9e8222c4da054d1aeb56b34505fbeec6

    • SSDEEP

      6144:T7qj3iWg0kHC86FItOZrhFx4aXCEzwHyFt:T03iutXCa2g

    Score
    1/10
    • Target

      AsyncRAT/Plugins/Miscellaneous.dll

    • Size

      560KB

    • MD5

      07ba8685ca3faff186f0d9f5400c1117

    • SHA1

      a673a7b55e4cf168856a7d3564a5521f0f8fc4e5

    • SHA256

      783d9d5334aa40f35acf8ff941a6b5bed908fd94dc14a05712b8a9eb9220cd5b

    • SHA512

      358c85a586d8b590497ea180eae76608ef38a4de09b95e907632bbad8f2c522bec4ea5568017ea1120a1553abb2be730006613872fe053b1fc00a36d005ab096

    • SSDEEP

      6144:ZksM6LbRsGOlShLHZIVEvLht0Raf2K/lPqmiGk4IuzvjPEzd4P0m/KUweRq:pM6nRsHlSRLBuwImD5f88B

    Score
    1/10
    • Target

      AsyncRAT/Plugins/Options.dll

    • Size

      378KB

    • MD5

      a1b5048e3f10f7105bd47244b2930137

    • SHA1

      a12cbae3ec815ce704fafb0e2eadb9f31ccbb6f3

    • SHA256

      8dc80b8bf9b3123289e132270e74a31176deec4f74e6ac20d7b6a9fcdb89e8a1

    • SHA512

      fcae7c456f71e03afe2e67954fc3c9491978a54825436c51b351c47adb6cd8a1ef15e0e6f6d99094b986ff910e21a287a7de9e4ca2818221aa858152a8c6dfe9

    • SSDEEP

      6144:k7VK+5AKNyvekG+3IoH3MAYV+kpDBWOcFN94f:kk3Kg731H3Md+XHf9

    Score
    1/10
    • Target

      AsyncRAT/Plugins/ProcessManager.dll

    • Size

      361KB

    • MD5

      fced22a0c1edad786a59703842fd3b14

    • SHA1

      dceabc613c694f7f2f6439ea176988fb373d6a29

    • SHA256

      3ad861ad9bc3edfdd486c060879f4f2450a51757c67f3b514f71381057580218

    • SHA512

      8904c36c364d29244c598895e877d7897547ce2a187adb197ba281a0512ca3ff52464c478fc42a2ec7f614dd0f91dea2dbb31f4af81c6c0f08cd23f79a71f57c

    • SSDEEP

      6144:hyk5beTVvGG3vwtudJgKsvAjHvzA1AXly:wNGGotYJQvgHbKA

    Score
    1/10
    • Target

      AsyncRAT/Plugins/Recovery.dll

    • Size

      600KB

    • MD5

      d8793438a77750cea1b0d7eaad3d0d0d

    • SHA1

      36bb36d6dabaa1285dbe7ba26581322630984c71

    • SHA256

      7fd48ac68f182e0ced2ace00b223fa1d35bd8a20d75600b5400267cd5db5cc84

    • SHA512

      68e00d97edf0ab768d40672d3b39dfcd09d8ff81b3e6abfdcfa8db88d66ae6070c8b6ad2c540538dd6f47da0174f9ab2d48cd7bef95d6021ffb844c71289822d

    • SSDEEP

      12288:3I5Ii5aNgfO5Bt844Wn1JwygRuE4pYGmDonx:3IcqfOryJWnVrYNDIx

    Score
    1/10
    • Target

      AsyncRAT/Plugins/RemoteCamera.dll

    • Size

      452KB

    • MD5

      1b2c9164e625b600e699151de11d9e98

    • SHA1

      2ce0aa3161c641623afd1acfa922fce5f10a709c

    • SHA256

      87938027a63a867b831c86611dc6a2c1fc6af61526dc2269328af4b59e15b1e1

    • SHA512

      aa0785b079059463a1df409380451c2be7c3bd627a199661627815f364689ed3816dc9cb78725fab510d687d6866186f3fbdb62b633554b9a0aa324730487729

    • SSDEEP

      6144:npMSjYV8M+c7YervSBlnzYuYyb5A5XAxCqDS5aVorhdt+b5V20JBmYrtog:nqV8a0OaLYCAQLD8CF5h3t

    Score
    1/10
    • Target

      AsyncRAT/Plugins/RemoteDesktop.dll

    • Size

      390KB

    • MD5

      cd4a9e669264419eca4de564e6272fe0

    • SHA1

      bb69bb1542ea06395df74dbedc98866d6c8a36cb

    • SHA256

      56fd699258a7186f709068c283cd725797bab392e3a6f1cd28f35bbdb3e98e38

    • SHA512

      5addb4f97c7e1cb69e5167e670bd2c3a817e0415f1fd8a5158af7e03e4340a8b1a6d803e85c9ea56415b9e7d3dcb4c352775a6a6b4770443d72114396ffaa1e5

    • SSDEEP

      6144:KdHdVObvTS8nmScJEB/2Jin8SF1hG+ht6Oaynf/wKlWCkKI5J5sZva:xCQ2wHFagf/wKlncg

    Score
    1/10
    • Target

      AsyncRAT/Plugins/SendFile.dll

    • Size

      368KB

    • MD5

      c4b11c003ed1e394597f6a5201826a59

    • SHA1

      8de5d19d0d1638f24718bf87c3245cef74f48341

    • SHA256

      1a717c40ff7f60c18953b46a69a8fc47cce7dad6116cd3715deb2abf0d80722d

    • SHA512

      ee93a9bd9f77284af5fe0b4d1ef96fbb0ded00aeb045cae380bfc01be45c76d9d0a481f1d4a6f206124603b99c23a8b6054dcdc65e7e5913373b1739e1b310b1

    • SSDEEP

      6144:7aU0XFbDW0+JDzXNj8QrGchz6q7V7u85:7aU0XCJDbdnrGyT1

    Score
    1/10
    • Target

      AsyncRAT/Plugins/SendMemory.dll

    • Size

      367KB

    • MD5

      dbd937cf1098405994b1295056dce5bb

    • SHA1

      9b47cff5dc8cc6b4868a3715412b425c2b5b49cf

    • SHA256

      b0b5dda6cac5d1e91958379dc1fda602dd1566127f21e30196382743a350a4d8

    • SHA512

      2795b1249829d43f43291394fd33821caa3a0ed654c3d9a75f0cd52ac94f1e1bb3d2ab87f81333779d789112c359ddb059c8b4616c95903761b1539e54ec9d61

    • SSDEEP

      6144:QJ+x17+H67OgnfFPE0f4UKXdEvllmXOocZqOA8IhOueA1Cv6afvx:iPonRE0f4UKXdE9lmXOocZqD51CyE

    Score
    1/10
    • Target

      AsyncRAT/Stub/Stub.exe

    • Size

      38KB

    • MD5

      f76702fa423ce2b2b4b0fdcf547b0789

    • SHA1

      ea408a4419e8a3139ef14df987608964c12d3190

    • SHA256

      0e19cefba973323c234322452dfd04e318f14809375090b4f6ab39282f6ba07e

    • SHA512

      03c7d8814687bb4f11ac41a555f368d89d5be749c92624073b77da0e57d872df201f2657b180ad0c9d5bc9ffa0a85989bf31374c7e5deefa06cf36bce3697971

    • SSDEEP

      768:9Xaug0LrCc4d7VtOjkR26/XgNhKwEuyj67zACVyI1rXDjkY5Z07:dafSuVtOGfgTKwt3Nk7

    Score
    10/10
    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Target

      AsyncRAT/upload.config.exe

    • Size

      9.8MB

    • MD5

      7a1eaa75ff1d1e83f564d0e5312a0930

    • SHA1

      91988fcd3ffe2945d614f2141e0124f9ebcd6e01

    • SHA256

      de47ee6f5098830b2569a1f0f889e021a9be2604093e3e157852060d307aa9f2

    • SHA512

      b1d06ffc724e7a393387fb84900af0badf3a84bfe3ea0b2bed27d41f3114586e7b25b9661c2f23476b51b6cf9d5dcb36cf1d807c5441909b2a8315e4d40cc8c7

    • SSDEEP

      49152:Plnb9f3/00iPuJXm6Os/CTu9VnAaZ+6AmX9mQXd0ujFFoyS+km9nmgMfq9+s6ewR:NnF00iPu

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Async RAT payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

ratasyncrat
Score
10/10

behavioral1

Score
3/10

behavioral2

asyncratdefaultdiscoveryexecutionrat
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

asyncratdiscoveryrat
Score
10/10

behavioral30

asyncratdiscoveryrat
Score
10/10

behavioral31

discoveryexecution
Score
8/10

behavioral32

asyncratdefaultdiscoveryexecutionrat
Score
10/10