asyncrat | 1fa723612815adefbb73d373505eb0e77074b99daa72e3bdd00493f8468100bb | Triage

Sharing

General

Target

JaffaCakes118_23c6f72ac16439f390678e968ac5167c
Size

885KB
Sample

250106-pql2cawpdt
MD5

23c6f72ac16439f390678e968ac5167c
SHA1

80f6b5e2745ed825c91f6f621d8e3938dda1ed21
SHA256

1fa723612815adefbb73d373505eb0e77074b99daa72e3bdd00493f8468100bb
SHA512

80156d8db04299c779744c89997a6e10d582c93ecdf851a0aad9d55d056e3dc70eaad9a20d88303444abe99da9a792c9bb179cea96c9f426f9f57d7a71422af1
SSDEEP

24576:sc7SuydrlH5xAphuo2QJyOuY0h/8MuXx8is:szu+ZH5Wpt2QJyTn8jXmp

Score

10^/10

asyncrat default defense_evasion discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

74.201.28.237:6606

74.201.28.237:7707

74.201.28.237:8808

Mutex

WmiPrvSE_6SI8OkDnk

Attributes

delay
3
install
false
install_file
WmiPrvSE.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  JaffaCakes118_23c6f72ac16439f390678e968ac5167c
- Size
  
  885KB
- MD5
  
  23c6f72ac16439f390678e968ac5167c
- SHA1
  
  80f6b5e2745ed825c91f6f621d8e3938dda1ed21
- SHA256
  
  1fa723612815adefbb73d373505eb0e77074b99daa72e3bdd00493f8468100bb
- SHA512
  
  80156d8db04299c779744c89997a6e10d582c93ecdf851a0aad9d55d056e3dc70eaad9a20d88303444abe99da9a792c9bb179cea96c9f426f9f57d7a71422af1
- SSDEEP
  
  24576:sc7SuydrlH5xAphuo2QJyOuY0h/8MuXx8is:szu+ZH5Wpt2QJyTn8jXmp
Score

10^/10

asyncrat default defense_evasion discovery persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Modifies WinLogon for persistence
  persistence
- System Binary Proxy Execution: InstallUtil
  Abuse InstallUtil to proxy execution of malicious code.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

System Binary Proxy Execution

InstallUtil

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratdefaultdefense_evasiondiscoverypersistencerat

behavioral2

asyncratdefaultdefense_evasiondiscoverypersistencerat