asyncrat | f591fe6f737e9471d3bc36ae93eecf79ca1971373d477ad4a03ae99c594260d0 | Triage

Sharing

General

Target

MarsStealer_Menu.exe
Size

726KB
Sample

250129-xh539avqaj
MD5

b684bbb20156d428262380660c83b5df
SHA1

684d7b8100a20601a61805d7bb5c30944cde040a
SHA256

f591fe6f737e9471d3bc36ae93eecf79ca1971373d477ad4a03ae99c594260d0
SHA512

fa09c57f3876a1da9575b953672387a2010aae3ae28b779d68a2901fd89d3a6a21af0562b57cf1b5ef3a74ffef8e36c52d43727e4703762da81d7679bf2de02e
SSDEEP

12288:hQXqRba8sXrA1gqWVOmw0dKcaJzkVCp4Lkuc+tSV1pH16oG8HCdIfe+:hQXqsi1OOYdKcoA5kp+S/1JGvdIfl

Score

10^/10

asyncrat default discovery persistence rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

AWS | RxR

Botnet

Default

C2

Nightmare15.strangled.net:6606

Nightmare15.strangled.net:7707

Nightmare15.strangled.net:8808

lastofdr51.mywire.org:6606

lastofdr51.mywire.org:7707

lastofdr51.mywire.org:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
System.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  MarsStealer_Menu.exe
- Size
  
  726KB
- MD5
  
  b684bbb20156d428262380660c83b5df
- SHA1
  
  684d7b8100a20601a61805d7bb5c30944cde040a
- SHA256
  
  f591fe6f737e9471d3bc36ae93eecf79ca1971373d477ad4a03ae99c594260d0
- SHA512
  
  fa09c57f3876a1da9575b953672387a2010aae3ae28b779d68a2901fd89d3a6a21af0562b57cf1b5ef3a74ffef8e36c52d43727e4703762da81d7679bf2de02e
- SSDEEP
  
  12288:hQXqRba8sXrA1gqWVOmw0dKcaJzkVCp4Lkuc+tSV1pH16oG8HCdIfe+:hQXqsi1OOYdKcoA5kp+S/1JGvdIfl
Score

10^/10

asyncrat default discovery persistence rat spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratdefaultdiscoverypersistenceratspywarestealer