asyncrat | a1ab0b66e66d84c8687298d71c66e347ac8b22d8ba7b7aedec7867c54ed8a14e | Triage

Sharing

General

Target

Fixer (1).exe
Size

63KB
Sample

241231-eed69asqeq
MD5

1b13586a90a4197f78ae7fbbb62cd2c3
SHA1

b6c29b130e1c3d442e7850de3c5303284685c610
SHA256

a1ab0b66e66d84c8687298d71c66e347ac8b22d8ba7b7aedec7867c54ed8a14e
SHA512

97002dfd7f4a4b14e489f952f2802b04a1bf2938fb3870bf89dd2998fa56e4531717d117bf872e8d1f601bd6edeac59a73ee262fa3923ba1db8b5ff1541eccb9
SSDEEP

768:RdGnVhwdjndk78TQC8A+XiuazcBRL5JTk1+T4KSBGHmDbD/ph0oXpC4AdvCSuAdP:mnSdsNdSJYUbdh9ps1uAdpqKmY7

Score

10^/10

asyncrat default credential_access discovery ransomware rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

associated-chevy.gl.at.ply.gg:46398

Attributes

delay
1
install
true
install_file
System.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Fixer (1).exe
- Size
  
  63KB
- MD5
  
  1b13586a90a4197f78ae7fbbb62cd2c3
- SHA1
  
  b6c29b130e1c3d442e7850de3c5303284685c610
- SHA256
  
  a1ab0b66e66d84c8687298d71c66e347ac8b22d8ba7b7aedec7867c54ed8a14e
- SHA512
  
  97002dfd7f4a4b14e489f952f2802b04a1bf2938fb3870bf89dd2998fa56e4531717d117bf872e8d1f601bd6edeac59a73ee262fa3923ba1db8b5ff1541eccb9
- SSDEEP
  
  768:RdGnVhwdjndk78TQC8A+XiuazcBRL5JTk1+T4KSBGHmDbD/ph0oXpC4AdvCSuAdP:mnSdsNdSJYUbdh9ps1uAdpqKmY7
Score

10^/10

asyncrat default rat credential_access discovery ransomware spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Async RAT payload
  rat
- Renames multiple (3322) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Windows Credential Manager

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

ratdefaultasyncrat

behavioral1

asyncratdefaultrat

behavioral2

asyncratdefaultcredential_accessdiscoveryransomwareratspywarestealer

behavioral3

asyncratdefaultrat