asyncrat | 5c2e9058fe49f3581203de4f335fdfd6314f5680692dbccf290d6ef594db9847 | Triage

Sharing

General

Target

JaffaCakes118_5c2e9058fe49f3581203de4f335fdfd6314f5680692dbccf290d6ef594db9847
Size

7.7MB
Sample

241223-vnl68avrd1
MD5

aa2034838226e4fa458cb479330d3df1
SHA1

5d17be875fcb82a808c5314c20a27f221b787c48
SHA256

5c2e9058fe49f3581203de4f335fdfd6314f5680692dbccf290d6ef594db9847
SHA512

01d80e3c1e65881882ca47c7967eb78613aa50de1cb0869545206410d1edab6b15de389f2f4372a3351395692e792a5c7c6cc002db1ce0f12d49da905c998946
SSDEEP

24576:cfn0m/OPb9o/Ha4KZZQLFq487s/0H+VXQ5qDrtj6Bnoi4LD2/Qy4IyQr+KJn04vk:Y

Score

10^/10

asyncrat default discovery evasion execution rat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://onedrive.live.com/Download?cid=8BDBA39CCF6B0487&resid=8BDBA39CCF6B0487%21115&authkey=AKzKYXDKF87dXao

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

C2

antivirus-ssl.myiphost.com:195

Mutex

AsyncMutex_6SI8OkLrx

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  JaffaCakes118_5c2e9058fe49f3581203de4f335fdfd6314f5680692dbccf290d6ef594db9847
- Size
  
  7.7MB
- MD5
  
  aa2034838226e4fa458cb479330d3df1
- SHA1
  
  5d17be875fcb82a808c5314c20a27f221b787c48
- SHA256
  
  5c2e9058fe49f3581203de4f335fdfd6314f5680692dbccf290d6ef594db9847
- SHA512
  
  01d80e3c1e65881882ca47c7967eb78613aa50de1cb0869545206410d1edab6b15de389f2f4372a3351395692e792a5c7c6cc002db1ce0f12d49da905c998946
- SSDEEP
  
  24576:cfn0m/OPb9o/Ha4KZZQLFq487s/0H+VXQ5qDrtj6Bnoi4LD2/Qy4IyQr+KJn04vk:Y
Score

10^/10

evasion execution trojan asyncrat default discovery rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- UAC bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Scheduled Task/Job

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionexecutiontrojan

behavioral2

asyncratdefaultdiscoveryevasionexecutionrattrojan