asyncrat | 3a9c46eccca422e6a7c8b7bebda9a7314c280742a53b63961f181530c56c233c | Triage

Sharing

General

Target

JaffaCakes118_1507596fa6526bb29b7add253a4422cf
Size

365KB
Sample

250106-hsh9xasjdq
MD5

1507596fa6526bb29b7add253a4422cf
SHA1

31c75cf7479e8410ce7234a1064abd04b8010809
SHA256

3a9c46eccca422e6a7c8b7bebda9a7314c280742a53b63961f181530c56c233c
SHA512

f691bc462de60228aa00ea39aa3217783f8d656383ae9271d7a937f509fdfaab14436b934e054d46166278364ca7c6b6856338f6f3a42e1d24daa4b059c58cd1
SSDEEP

6144:beQ8CfYK6Uqd2GhNPwT2NE6UVKbM0I28VHbWpXqX1vST01:beQjY3Ui2iNYTQE6UYbMRZbv0y

Score

10^/10

asyncrat default discovery evasion execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

194.5.97.229:1195

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  JaffaCakes118_1507596fa6526bb29b7add253a4422cf
- Size
  
  365KB
- MD5
  
  1507596fa6526bb29b7add253a4422cf
- SHA1
  
  31c75cf7479e8410ce7234a1064abd04b8010809
- SHA256
  
  3a9c46eccca422e6a7c8b7bebda9a7314c280742a53b63961f181530c56c233c
- SHA512
  
  f691bc462de60228aa00ea39aa3217783f8d656383ae9271d7a937f509fdfaab14436b934e054d46166278364ca7c6b6856338f6f3a42e1d24daa4b059c58cd1
- SSDEEP
  
  6144:beQ8CfYK6Uqd2GhNPwT2NE6UVKbM0I28VHbWpXqX1vST01:beQjY3Ui2iNYTQE6UYbMRZbv0y
Score

10^/10

asyncrat default discovery evasion execution rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratdefaultdiscoveryevasionexecutionrat

behavioral2

asyncratdefaultdiscoveryevasionexecutionrat