asyncrat

Target

Downloaders.zip
Size

12KB
Sample

250213-fnkwtstpgw
MD5

94fe78dc42e3403d06477f995770733c
SHA1

ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512

add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP

384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Family

redline

Botnet

wind

194.190.152.223:40355

Attributes

auth_value
8834064a70f1a34ac1e47c2315ab253e

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed by Here

21.ip.gl.ply.gg:56106

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

159.100.19.137:7707

Mutex

yBu0GW2G5zAc

Attributes

delay
3
install
false
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

cheat

103.84.89.222:33791

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:8080

127.0.0.1:18274

6.tcp.eu.ngrok.io:6606

6.tcp.eu.ngrok.io:7707

6.tcp.eu.ngrok.io:8808

6.tcp.eu.ngrok.io:8080

6.tcp.eu.ngrok.io:18274

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Downloaders.zip
- Size
  
  12KB
- MD5
  
  94fe78dc42e3403d06477f995770733c
- SHA1
  
  ea6ba4a14bab2a976d62ea7ddd4940ec90560586
- SHA256
  
  16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
- SHA512
  
  add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
- SSDEEP
  
  384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Score

10^/10

asyncrat azorult njrat redline sectoprat stormkitty vidar cheat default hacked by here wind adware bootkit credential_access cryptone defense_evasion discovery infostealer packer persistence privilege_escalation rat spyware stealer trojan upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Azorult family
  azorult
- Detect Vidar Stealer
  stealer
- Njrat family
  njrat
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Async RAT payload
  rat
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1