asyncrat

General

Target

services.png.exe
Size

264KB
Sample

250131-l3g2davkgq
MD5

d397a1de162f332782fe3205a07792dd
SHA1

44793b3a374c3cb453bbd87a2fd28d8a4c408002
SHA256

ea251bf7fcc0a42cb9e954a45d925ef379ef1ffca39e482f44af701b4ace8560
SHA512

6be10fc6ebabffadd89a72862c5d292e2939d165298019fe684de4efb3284603756c8764810835c12651ad49f608dd3345c8d778b7fd795683f0fcceeaa3f659
SSDEEP

6144:VtjNiEZdoTD3wad4eq5OxUatA04d0drsFp2A4AG5uU:VTdS3Uek0WchA2D

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6987227198:AAGW8xEs5eNdfO7EF-8152h-RqJkKbn52BE/sendMessage?chat_id=1075483951

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6987227198:AAGW8xEs5eNdfO7EF-8152h-RqJkKbn52BE/sendMessage?chat_id=1075483951

https://api.telegram.org/bot6987227198:AAGW8xEs5eNdfO7EF-8152h-RqJkKbn52BE/sendDocument?chat_id=107548395

https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=109642586

Targets

- Target
  
  services.png.exe
- Size
  
  264KB
- MD5
  
  d397a1de162f332782fe3205a07792dd
- SHA1
  
  44793b3a374c3cb453bbd87a2fd28d8a4c408002
- SHA256
  
  ea251bf7fcc0a42cb9e954a45d925ef379ef1ffca39e482f44af701b4ace8560
- SHA512
  
  6be10fc6ebabffadd89a72862c5d292e2939d165298019fe684de4efb3284603756c8764810835c12651ad49f608dd3345c8d778b7fd795683f0fcceeaa3f659
- SSDEEP
  
  6144:VtjNiEZdoTD3wad4eq5OxUatA04d0drsFp2A4AG5uU:VTdS3Uek0WchA2D
Score

10^/10

defense_evasion discovery persistence privilege_escalation asyncrat gurcu stormkitty default execution rat spyware stealer upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu aka WhiteSnake is a malware stealer written in C#.
  stealer gurcu
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  defense_evasion
- Stops running service(s)
  defense_evasion execution
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2