General

  • Target

    AsyncClient.exe

  • Size

    66KB

  • Sample

    241224-fadwcs1rcl

  • MD5

    0d5d8c954621f666b580a5c0e770032e

  • SHA1

    952cf4bb78d4a5df4823a5217486eaabb17c2199

  • SHA256

    b98e499a937b7ad744df2a7f9ce9887db36df4251e4e8031648537011938984e

  • SHA512

    f652ea69b985dcedf1fa8f6b14b5320cdd50a52596a1ceba0a5cdecd800935bfb77af5d339234a11a71da3a7af98af988e9e0faa10d54c2d50bee806e9702b66

  • SSDEEP

    1536:LZUfkt6QkYo9KuvUYFY5+r+l0RbVsjGoBwrmTG5x:LZokt6QkpKuvUYFY5ulbVENaE6x

Malware Config

Extracted

Family

asyncrat

Version

| Edit by Vinom Rat

Botnet

Default

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    systemupdatemanager.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/sG1KxVNw

aes.plain

Targets

    • Target

      AsyncClient.exe

    • Size

      66KB

    • MD5

      0d5d8c954621f666b580a5c0e770032e

    • SHA1

      952cf4bb78d4a5df4823a5217486eaabb17c2199

    • SHA256

      b98e499a937b7ad744df2a7f9ce9887db36df4251e4e8031648537011938984e

    • SHA512

      f652ea69b985dcedf1fa8f6b14b5320cdd50a52596a1ceba0a5cdecd800935bfb77af5d339234a11a71da3a7af98af988e9e0faa10d54c2d50bee806e9702b66

    • SSDEEP

      1536:LZUfkt6QkYo9KuvUYFY5+r+l0RbVsjGoBwrmTG5x:LZokt6QkpKuvUYFY5ulbVENaE6x

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Async RAT payload

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks