asyncrat | 79d97c2eba527a05d8cda6cec044210589b077f52e421753680d60c43307cf2c | Triage

Sharing

General

Target

79d97c2eba527a05d8cda6cec044210589b077f52e421753680d60c43307cf2c.vbs
Size

78KB
Sample

250226-d97avawnx4
MD5

7d6d78a570ec3a06ed4951b100bae952
SHA1

2e10134fc256a1bfe57862f69c83fc7f93949897
SHA256

79d97c2eba527a05d8cda6cec044210589b077f52e421753680d60c43307cf2c
SHA512

4508aff8dac72984d66f3eb5ef4eac52f120428a9fa9c0e278fa6f0284aa3a1b88dc88842732855e508ecbfa5ef437a21f01a65b992031f62c892123414377b9
SSDEEP

1536:+GZt0fSE6gUXAXbAiCsj9O4THNXQ4evC65EmJx7gjGSq2FjqGJDvHA/goVP8nJ:+xbv44DNXQxvC66oxiq9+Dvyg2P8nJ

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

billionairewealthz.duckdns.org:3880

billionairewealthz.duckdns.org:3890

billionairebankz.duckdns.org:3880

billionairebankz.duckdns.org:3890

tricodersbankz.freemyip.com:3880

tricodersbankz.freemyip.com:3890

Mutex

Btu9FjkpB23b

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  79d97c2eba527a05d8cda6cec044210589b077f52e421753680d60c43307cf2c.vbs
- Size
  
  78KB
- MD5
  
  7d6d78a570ec3a06ed4951b100bae952
- SHA1
  
  2e10134fc256a1bfe57862f69c83fc7f93949897
- SHA256
  
  79d97c2eba527a05d8cda6cec044210589b077f52e421753680d60c43307cf2c
- SHA512
  
  4508aff8dac72984d66f3eb5ef4eac52f120428a9fa9c0e278fa6f0284aa3a1b88dc88842732855e508ecbfa5ef437a21f01a65b992031f62c892123414377b9
- SSDEEP
  
  1536:+GZt0fSE6gUXAXbAiCsj9O4THNXQ4evC65EmJx7gjGSq2FjqGJDvHA/goVP8nJ:+xbv44DNXQxvC66oxiq9+Dvyg2P8nJ
Score

10^/10

discovery execution asyncrat default rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

asyncratdefaultdiscoveryexecutionrat