asyncrat

General

Target

1.rar
Size

60.0MB
Sample

241229-1ca8gaxpbr
MD5

90e89a99902228321213b23f957df499
SHA1

fc5125d59e819dc71cacc17151d705ac1d5b59ac
SHA256

037f1419e6450599732d5bd564cc85d9a807fad7688789a8c5e854df947471b1
SHA512

6b35ee81b180251af99481678cc1e27d0ca40fd64d35589171efa077161980ff9e6d16e716832930ae36426fc93e9fe1f637966a08ed4540cc59ec0d9909f88a
SSDEEP

1572864:iBcdL6f0UbnoAWLzZgqxQHQQs2pemdv9FOc:dk0YVWJyQvA/dlFOc

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

0.6.1

Botnet

service

C2

193.57.137.78:5555

Mutex

Q8ghiNEV5vpA

Attributes

delay
3
install
true
install_file
cmd.exe
install_folder
%Temp%

aes.plain

Targets

- Target
  
  1.rar
- Size
  
  60.0MB
- MD5
  
  90e89a99902228321213b23f957df499
- SHA1
  
  fc5125d59e819dc71cacc17151d705ac1d5b59ac
- SHA256
  
  037f1419e6450599732d5bd564cc85d9a807fad7688789a8c5e854df947471b1
- SHA512
  
  6b35ee81b180251af99481678cc1e27d0ca40fd64d35589171efa077161980ff9e6d16e716832930ae36426fc93e9fe1f637966a08ed4540cc59ec0d9909f88a
- SSDEEP
  
  1572864:iBcdL6f0UbnoAWLzZgqxQHQQs2pemdv9FOc:dk0YVWJyQvA/dlFOc
Score

10^/10

asyncrat service defense_evasion discovery execution persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Creates new service(s)
  persistence execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  0oj3.exe
- Size
  
  37.0MB
- MD5
  
  d57050cc8f1d71bb068a181301146855
- SHA1
  
  564deb2344ea43dd519ee0000642cb0ced55da83
- SHA256
  
  08058004805b7054e6dd6c55e1aebfa356cddd46167aae7de4322d4c3ae79db1
- SHA512
  
  43af8130465347d06e23838bc652a94b8d06518d81c40f32f87d78d87a485ae23b13d7585f3e05f0231b9f6f59e383b98617b268519d1c6742b7309c1da494e4
- SSDEEP
  
  786432:b/gO+cE2+qOnY9ZBLcf5jJGlbarkt0PAmyrL+rXrO37:bEcEGbLwjubcktYbO37
Score

10^/10

asyncrat service execution persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Creates new service(s)
  persistence execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral2
- Target
  
  interception.dll
- Size
  
  11KB
- MD5
  
  fe8b2a022297aa36a3546391221f635a
- SHA1
  
  346e04907eb628372f459fbbf109b6cff57cac13
- SHA256
  
  ab88164c11b1b48488772d4c3bfaa4509d5b0ae9dbc5a691dc4f96f0260443c8
- SHA512
  
  fa203db607cb1154f7ac84e64b236b19ff29abab1b443609648ee3fafa53581c22420edd1f5ed2c522ab7f3c2577c73822eafbf143a8c80914a3061193b10a1c
- SSDEEP
  
  192:wBKz1mGyRWIddjlkuSCqPDKSyFVzhveZhAk3M+j4sreC:EKsGyRhdtlkuSCLS8VcZhP344
Score

1^/10
behavioral3
- Target
  
  libcrypto-3-x64.dll
- Size
  
  4.5MB
- MD5
  
  dc0b5510731cbf1cb12859b137efedfe
- SHA1
  
  4925f0c77fd32cf2f8eab916d00872d0bc9324e2
- SHA256
  
  fd92dbc1a720ef43d53a6c3536ab05ccc78b5efe768cc3624d4f7b3cf0d02132
- SHA512
  
  1adc1e36445d1125703675b7a47beaef05992a2ef5051a6513973f16dee374bf72085ffb26d502295d1c69283a56578d8bb59b432f9087102c5bb5e93a49ddb4
- SSDEEP
  
  98304:wl+kK7ppVSns2jW/aJPr4v1CPwDvt3uFGCC:ME7Xgns2jW/aJT4v1CPwDvt3uFGCC
Score

1^/10
behavioral4
- Target
  
  netlimiter-5.3.18.0.exe
- Size
  
  10.3MB
- MD5
  
  77fe4dda11353dac7bab0a5b0ff751ad
- SHA1
  
  a13bea60fa99cfc1e817b40b2b299d917e08266b
- SHA256
  
  99ce75543755df63697610e00ce334564ce4d931d726ffb57d65a8a2679298de
- SHA512
  
  82349624eb88036fd70539b2485b805242ae22f4c6c1bde3b72a8113d1cd1c47314c58d8358828e74b50a165fdae295c941d06cf7e834b704fb4251da76f71c3
- SSDEEP
  
  196608:o5gk9KH9q0poBp26sb+WCgdMKQyo4Onak2LRJMloJvgFWAIe2y13NWZ:xeKdFmYtbDkdhakFUYFWAIe1HWZ
Score

7^/10

discovery
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral5
- Target
  
  onnxruntime.dll
- Size
  
  11.0MB
- MD5
  
  8c218c52a99f6c536438242dc99a8006
- SHA1
  
  d31dc3ad0a9578975b4b0ed895d27d65d9768cc0
- SHA256
  
  52f8ebe8f08f369a44fed6d1cb680c7c89169795e1c2949ee25b88b538ef0948
- SHA512
  
  5163d8d81989fd45506d540ccdba990bf4e613dc6438841cb812d7c92069aa643aff509903595dd9fdf542cb580b8937bb6fa016e9f2d463958d37fbd5b7092e
- SSDEEP
  
  49152:zmHgraNrq7OUb4XWiWfYS6r64dAyb8sXLwqLgD5W/2llE8ieFEryMYg8xgpLeqik:URswL7YW2j6nMUhxtpbL3Of2RLHWLZE
Score

1^/10
behavioral6
- Target
  
  opencv_world490.dll
- Size
  
  62.0MB
- MD5
  
  45aa348d9487722dec3b6e6fcc3a7d96
- SHA1
  
  6a1f66b321566c723fc956c0efb3cafa61bcffe8
- SHA256
  
  3fd426744146afe5c714912068bd3d0fba2c7f66d2d44c34c750bd10c55d5795
- SHA512
  
  af301f10918cc12cb50694332ccdeaa8c343ce69fb813f973f575d6c50dde90ab69ad1e211d22d5868d0532b1adf4859c56966bb4aee300110080a364100c84c
- SSDEEP
  
  393216:pQ1Q1QUmWUcVTeSv6hz07JrwANw/MteylqZQPhU+Ux6o+LBnzMwLiAU0nUNDPrK:pPhJr9rUQznpnUF+
Score

1^/10
behavioral7