General

Target: AsyncClient.exe
Size: 66KB
Sample: 241224-fadwcs1rcl
MD5: 0d5d8c954621f666b580a5c0e770032e
SHA1: 952cf4bb78d4a5df4823a5217486eaabb17c2199
SHA256: b98e499a937b7ad744df2a7f9ce9887db36df4251e4e8031648537011938984e
SHA512: f652ea69b985dcedf1fa8f6b14b5320cdd50a52596a1ceba0a5cdecd800935bfb77af5d339234a11a71da3a7af98af988e9e0faa10d54c2d50bee806e9702b66
SSDEEP: 1536:LZUfkt6QkYo9KuvUYFY5+r+l0RbVsjGoBwrmTG5x:LZokt6QkpKuvUYFY5ulbVENaE6x
Malware Config

Extracted family: asyncrat
| Edit by Vinom Rat
Default
AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: systemupdatemanager.exe
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/sG1KxVNw
Targets

Target: AsyncClient.exe (66KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
- Asyncrat family
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
- Async RAT payload
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
MITRE ATT&CK Enterprise v15

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)