asyncrat | c2f0e9bc6250ec69641cb2531d1a7d4cafcb35cf6806051d95b5c65fdd9cd9a1 | Triage

Sharing

General

Target

JaffaCakes118_11a217ba00b5b7debc4e3afebcbd9320
Size

13.1MB
Sample

250106-gd8qksznhm
MD5

11a217ba00b5b7debc4e3afebcbd9320
SHA1

f5e713e1fe39731c1c8981d6c17071fe5632ebc5
SHA256

c2f0e9bc6250ec69641cb2531d1a7d4cafcb35cf6806051d95b5c65fdd9cd9a1
SHA512

5b4a83c2b11c7cc7dad01a877cbfbd55328b808867c2bd6bf83bddcb9188d82f82c2ec5aaa6dfde0a60f5104c5876b3d9829cb5a3ec26665bda1bfec5d91b5c7
SSDEEP

196608:bZS+hQW1n/RNrlHAjoG+IGCsXDjDyfh9qVv4DFd4ff7ROZkJIGnMFFnblHgdRcwR:9hQgZxlHOFGCEDs9/DX4gZkGnZHk

Score

10^/10

asyncrat windows security discovery persistence pyinstaller rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.6

Botnet

Windows Security

C2

91.193.75.169:4782

Mutex

DcRatMutex_qwqdanchuk

Attributes

delay
1
install
true
install_file
Windows Security.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  JaffaCakes118_11a217ba00b5b7debc4e3afebcbd9320
- Size
  
  13.1MB
- MD5
  
  11a217ba00b5b7debc4e3afebcbd9320
- SHA1
  
  f5e713e1fe39731c1c8981d6c17071fe5632ebc5
- SHA256
  
  c2f0e9bc6250ec69641cb2531d1a7d4cafcb35cf6806051d95b5c65fdd9cd9a1
- SHA512
  
  5b4a83c2b11c7cc7dad01a877cbfbd55328b808867c2bd6bf83bddcb9188d82f82c2ec5aaa6dfde0a60f5104c5876b3d9829cb5a3ec26665bda1bfec5d91b5c7
- SSDEEP
  
  196608:bZS+hQW1n/RNrlHAjoG+IGCsXDjDyfh9qVv4DFd4ff7ROZkJIGnMFFnblHgdRcwR:9hQgZxlHOFGCEDs9/DX4gZkGnZHk
Score

10^/10

asyncrat windows security discovery persistence pyinstaller rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratwindows securitydiscoverypersistencepyinstallerrat

behavioral2

asyncratwindows securitydiscoverypersistencepyinstallerrat