asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

Rdp Cracking tool.zip
Size

12.9MB
Sample

250123-y3v98atkhm
MD5

9ed3a65009cb13d215fa1de6e4dbdb0d
SHA1

6129d957e98a0d69e3a34871c811f7f63faa050b
SHA256

68b32fe3170689eaca32c53ebddcc60f6ded63b25ff20cc550b7bdf716bc5c02
SHA512

7fe97ffa1d9a0106091b3547a984e11f552d6b8874f4cff6e79373abe08264837bd6538f4629d95261845c49745c707a22aef41ceed23b4ea667178dbe95bec6
SSDEEP

393216:w0RA7GG0bk/mG8VRRfa657IAsA9me7RzXtC:VxG0b8mGCny6tFsA/m

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6006276473:AAEypRbqeWzZbeRTuV80WT3BeM7SOhM1n1E/sendMessage?chat_id=2045667165

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Rdp Cracking tool.zip
- Size
  
  12.9MB
- MD5
  
  9ed3a65009cb13d215fa1de6e4dbdb0d
- SHA1
  
  6129d957e98a0d69e3a34871c811f7f63faa050b
- SHA256
  
  68b32fe3170689eaca32c53ebddcc60f6ded63b25ff20cc550b7bdf716bc5c02
- SHA512
  
  7fe97ffa1d9a0106091b3547a984e11f552d6b8874f4cff6e79373abe08264837bd6538f4629d95261845c49745c707a22aef41ceed23b4ea667178dbe95bec6
- SSDEEP
  
  393216:w0RA7GG0bk/mG8VRRfa657IAsA9me7RzXtC:VxG0b8mGCny6tFsA/m
Score

10^/10

asyncrat stormkitty default discovery persistence privilege_escalation rat spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Async RAT payload
  rat
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral1 behavioral2
- Target
  
  Rdp Cracking tool @ virusbug1/KPortScan 3.0 @virusbug1/KPortScan3 @virusbug1.exe
- Size
  
  191KB
- MD5
  
  47e24bb0723a41606259b71c34b2e5e2
- SHA1
  
  dec3e4e1509d293058848d53af25b0cfba804cdd
- SHA256
  
  476c5a362a758bca9ac441b673cd0777982ea3a6ca13b4299c3ff15c780262a4
- SHA512
  
  a125b431e2add3e74eb58d3abe26063ab8d846e625c144ecee6dc1ef599b1dd783ef5757c9dfa37e446210649b6426575333b4607db523ad7bd556fc60ef7d96
- SSDEEP
  
  3072:FwYXnaz7fOTkQTwokTqLIOt6r+9dEPlUIbrMOFTfM0OZhEt3hjOrX7a0K2gY7fq2:y+naz7OTkNPTqLIOt6r+9dEPlUIbrMOE
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  Rdp Cracking tool @ virusbug1/KPortScan 3.0 @virusbug1/Kport scan Activator.exe
- Size
  
  170KB
- MD5
  
  3c281ce62da1597fced6efd977bb0a37
- SHA1
  
  c4c337871c159743cb105daaf7ff43e2667c4b07
- SHA256
  
  e7ccef1109892156439560eb77bfa374aafed372724f646c040003fc54d1de4e
- SHA512
  
  5b41802eec1a0e4ebf0e690923375e8a0f4ec5b17a61fb67386efb9bcf3fbd03a2f88794feac4a9a89279006ee39fa1fd42de456d5332cfe9111cae2c780b220
- SSDEEP
  
  3072:++STW8djpN6izj8mZwdJqutB+YDpqIPu/i9bVK2cbZoP6+Wp7:j8XN6W8mmHPtppXPSi9b4Q
Score

10^/10

asyncrat stormkitty default discovery persistence privilege_escalation rat spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral5 behavioral6
- Target
  
  Rdp Cracking tool @ virusbug1/KPortScan 3.0 @virusbug1/QtCore4.dll
- Size
  
  2.4MB
- MD5
  
  438717377b9df0f53f283c9e4aa722cc
- SHA1
  
  c413917dfcb816799613c6f86b55952c887ff711
- SHA256
  
  a679cf46e128d028de22fb9ed8432e5107e53f8e7e6fb7f5e169b3eeab8f000a
- SHA512
  
  03c10588ec47bce9b6c40fedffcaa775b84bb691450789000c17e7df02554036ee336d382524b35bfa67dbc4ae4b95d3d1807d61f46016427856f60850383f3f
- SSDEEP
  
  49152:vfGCzRdEZK8hyX2ntJsv6tWKFdu9CeTxLyvL/6mShMZtmjNUVrciV5P+7QVg07Tl:vf8KF2tJsv6tWKFdu9CIK
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  Rdp Cracking tool @ virusbug1/KPortScan 3.0 @virusbug1/QtGui4.dll
- Size
  
  8.0MB
- MD5
  
  37957facc9afbdfbd119c8372c9cf0e3
- SHA1
  
  1f5584ae75e947ffcbe00dc17bc423bf3f906ad0
- SHA256
  
  bf52fec00b4f640d07bea3850096cc77983fca518bbec8122997b7ca561205f1
- SHA512
  
  24ef6418f904b646d31912e0f350a0eb10147015bbd4b3710aba62c5a1da5d001600d9a381beb8d871d30cc0b07cf2fdb034f81f60810d8c14899cacdf68ad4d
- SSDEEP
  
  98304:ixT4yTZMEMrIJCZxMvwQoVgN1617/PO1IQlS4Xsmw2zZQvkfsnXWP:ixbZxDJ9vv7617VQlSesn
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  Rdp Cracking tool @ virusbug1/KPortScan 3.0 @virusbug1/QtNetwork4.dll
- Size
  
  982KB
- MD5
  
  5c6afae60414546cef0a9b759da93912
- SHA1
  
  928aba35960a17b9ee3a3e2f2f890b8aa6842e6b
- SHA256
  
  99757ec661fd7de3b22fb641f25cf1565aae13daf8d31c6686c6c7cbd2be6fc9
- SHA512
  
  bbd7aae541c5677317f68472c4be008164909f6395c43e554c4b070fb398ec680f496505644de0a706f831bc850e770c60c699d5aa0d5a7e0e19c5fc48e5c727
- SSDEEP
  
  12288:BQ4LHoNwBkUx/0RpieLY+EZ8R2/hGT/YOt2ck/qTpQ39NM7LMi7nR4djiz0R6H2j:zr/k60RpizZ83/T6CTeNuMwR4djip8L
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  Rdp Cracking tool @ virusbug1/KPortScan 3.0 @virusbug1/results.txt
- Size
  
  146KB
- MD5
  
  dba50fb6fbd43c99acc7c7c11565b636
- SHA1
  
  2134d7077d3edcc88855c638402fd9f92a22467a
- SHA256
  
  467943d6e9ac793d35c33f9a9e73a3c197a3b0b5c411580cfbc3e77c27ecaef0
- SHA512
  
  bcbb863dc80e9cb55a7a4ae45203003e6444df5fc7dbb142834c79a2cc9bde477d844f48f63e408962da13ea860740f4e39f189560b85d206514b96bdf5504a8
- SSDEEP
  
  1536:EP6HTWZDmzYrYtGdspQ3v5UgZjP6T4qFkAiw:kYTODmEkp4TGfiw
Score

1^/10
behavioral13 behavioral14
- Target
  
  Rdp Cracking tool @ virusbug1/KPortScan 3.0 @virusbug1/results.txt.terabox.uploading.cfg
- Size
  
  1KB
- MD5
  
  95e2850e3f9a36f6084b50834be0532b
- SHA1
  
  232dbc78bd7111f24512ebfde16be80cc6a53c94
- SHA256
  
  0ad9fffbdc9a07e5fb68f01675ee7f59949d544ffb26a1cfedfebc9ba82bb1e1
- SHA512
  
  d794a1446af692d1de827965729dd2bc9b321bfe6b8e6fa565df93af936a9220d8220e8fb3bd32c82705189c0603a6fcddeeb09671d4e6cfcc5ab882b1a4d251
Score

1^/10
behavioral15 behavioral16
- Target
  
  Rdp Cracking tool @ virusbug1/NL Brute @virusbug1/@virusbug1.jpg
- Size
  
  52KB
- MD5
  
  5afc04f9cba4f9e8b19c3ae3a0358d4a
- SHA1
  
  24c18eb11e1eb9c3eb96081e0d6bdfa4c111b9ac
- SHA256
  
  06120964f26b03a500ce0ee0ec52ab34dac0a311366ba92c0080b162bc4a56b7
- SHA512
  
  9763d6c2630132f73fe07c9b8e417d9057693f82b55b00cbb2584de5190ab38bf45da21f626e3b0a2a8edbc7c014e1e16c4a56f70566b731c14dc0556ed79cd2
- SSDEEP
  
  1536:dShzs+hqtNy4icFNXBnoydTAv5X2RLsMLyJRX:gwVNXBRTAvnf
Score

1^/10
behavioral17 behavioral18
- Target
  
  Rdp Cracking tool @ virusbug1/NL Brute @virusbug1/NL Brute @virusbug1/@virusbug1.jpg
- Size
  
  52KB
- MD5
  
  5afc04f9cba4f9e8b19c3ae3a0358d4a
- SHA1
  
  24c18eb11e1eb9c3eb96081e0d6bdfa4c111b9ac
- SHA256
  
  06120964f26b03a500ce0ee0ec52ab34dac0a311366ba92c0080b162bc4a56b7
- SHA512
  
  9763d6c2630132f73fe07c9b8e417d9057693f82b55b00cbb2584de5190ab38bf45da21f626e3b0a2a8edbc7c014e1e16c4a56f70566b731c14dc0556ed79cd2
- SSDEEP
  
  1536:dShzs+hqtNy4icFNXBnoydTAv5X2RLsMLyJRX:gwVNXBRTAvnf
Score

1^/10
behavioral19 behavioral20
- Target
  
  Rdp Cracking tool @ virusbug1/NL Brute @virusbug1/NL Brute @virusbug1/NL Brute 1.2 @virusbug1.exe
- Size
  
  7.8MB
- MD5
  
  025c1c35c3198e6e3497d5dbf97ae81f
- SHA1
  
  6d390038003c298c7ab8f2cbe35a50b07e096554
- SHA256
  
  ffa28db79daca3b93a283ce2a6ff24791956a768cb5fc791c075b638416b51f4
- SHA512
  
  1d4cf52062b4f1aa9349ee96b234fc51e693ea8231230ec2b35fa896c2c27f47158d6493e26a1881b070b3f86e6c7d9d2ed3f5f161d456eb011551d434e06b50
- SSDEEP
  
  196608:x0p8Y4DFbBJ5dIa82Vou2j09a3XAydVdODHMD16UAsdf:08YwFV/dIa8wp2j09qXAyYDHMDYrsd
Score

9^/10

defense_evasion discovery
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral21 behavioral22
- Target
  
  Rdp Cracking tool @ virusbug1/NL Brute @virusbug1/NL Brute @virusbug1/NL Brute Activator.exe
- Size
  
  170KB
- MD5
  
  3c281ce62da1597fced6efd977bb0a37
- SHA1
  
  c4c337871c159743cb105daaf7ff43e2667c4b07
- SHA256
  
  e7ccef1109892156439560eb77bfa374aafed372724f646c040003fc54d1de4e
- SHA512
  
  5b41802eec1a0e4ebf0e690923375e8a0f4ec5b17a61fb67386efb9bcf3fbd03a2f88794feac4a9a89279006ee39fa1fd42de456d5332cfe9111cae2c780b220
- SSDEEP
  
  3072:++STW8djpN6izj8mZwdJqutB+YDpqIPu/i9bVK2cbZoP6+Wp7:j8XN6W8mmHPtppXPSi9b4Q
Score

10^/10

asyncrat stormkitty default discovery persistence privilege_escalation rat spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral23 behavioral24
- Target
  
  Rdp Cracking tool @ virusbug1/NL Brute @virusbug1/NL Brute @virusbug1/Read Me.txt
- Size
  
  145B
- MD5
  
  4622360ab0cce227c16792451544edfb
- SHA1
  
  995ec954936aac9c95a61f0138db956d5f7bfaea
- SHA256
  
  f8db68b4c5620663e9b597305fd2eec83d4fa98210f7a5c615a5b7c3ab41087c
- SHA512
  
  0934cdd3dae339bea7d0f1a1ba0aff097db349cd8bb1c58e6545210a0fcebd02b8a2673636ee4b67bead7ccc4584456be9cd69d01a225c157ac7ee1868a7dbfe
Score

1^/10
behavioral25 behavioral26
- Target
  
  Rdp Cracking tool @ virusbug1/NL Brute @virusbug1/NL Brute @virusbug1/credentials.txt
- Size
  
  318B
- MD5
  
  3adbd921e9f04dff98cfe37a59802729
- SHA1
  
  7fcb19ec411e684d61b237b04f63cf4400da59bf
- SHA256
  
  34f834b6e2290aa08577cc3931dd337dabe6f68c1592cba317d95e26fc3c5ab4
- SHA512
  
  524b597d8f455dd14c0912d26d21ddccb0e248cfb6c442e53a974154fe0aca81ebe061cc9afa5c943e5ac9236ac9b99d2943de3736e009a4d9ecab10328d97e9
Score

1^/10
behavioral27 behavioral28
- Target
  
  Rdp Cracking tool @ virusbug1/NL Brute @virusbug1/NL Brute @virusbug1/good.txt
- Size
  
  862B
- MD5
  
  5ac9f58d4c651796d0c6ef3a4c5fc444
- SHA1
  
  25a14d483702a8f35ac5173599aa4196376d0072
- SHA256
  
  251432c26eccd8262b79c7897ef1f10214b3989f97f0c88bc2a8476f84ffd4c1
- SHA512
  
  0d015105e1132985a9fd404e172f8284d9e8cb6831d4a872d516efe6fc948c66c98d595f1f9b984299fd24a1cb85161ed14da64eed0fae60a87b557590c7eecf
Score

1^/10
behavioral29 behavioral30
- Target
  
  Rdp Cracking tool @ virusbug1/NL Brute @virusbug1/NL Brute @virusbug1/servers.txt
- Size
  
  193KB
- MD5
  
  be237f2fddbb53a7c47f13e23400b78a
- SHA1
  
  d6205e4e0015fb0005d65100e95f22aecaca2037
- SHA256
  
  413204591aed800e215469c3e9964ce7e2390e1c2f6c7c9dcf3c5266f40e7288
- SHA512
  
  f8bcaf15660546e0603c44bc8ead1f5a94e19748fc914114103fbe6738efc124a2859aafaf0296f637311e1444e9f39cd96c8c00902fee7a57adcdc477c22db0
- SSDEEP
  
  768:lf9PH/KyHA5bd4Si60y/JpiNJNXch0Jrn1bKbXPnEBLGNDYJh6TCxZbGqD4xCIlt:lfzA5qSUy0u21UvjYJh6Tast
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Asyncrat family

StormKitty

StormKitty payload

Stormkitty family

Async RAT payload

Executes dropped EXE

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Looks up external IP address via web service

Looks up geolocation information via web service

AsyncRat

Asyncrat family

StormKitty

StormKitty payload

Stormkitty family

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Looks up external IP address via web service

Looks up geolocation information via web service

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

AsyncRat

Asyncrat family

StormKitty

StormKitty payload

Stormkitty family

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Looks up external IP address via web service

Looks up geolocation information via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32