asyncrat | c5e40b00c093c4f1e3f34ea04ac9bc8cd233670447ef54f6c59362a9927a358c | Triage

Sharing

General

Target

X7EIN_loader_prod.exe
Size

22.1MB
Sample

250303-zelasaykv8
MD5

b305aa477ab7a5f2304aa747b0f52111
SHA1

e5f5987f1ee86bca5ef6e316c51b6a6c20c03788
SHA256

c5e40b00c093c4f1e3f34ea04ac9bc8cd233670447ef54f6c59362a9927a358c
SHA512

5bb7fa6edd3e66fb6b7b0ecf58819c1e0f53512a998f612bce864c32cb63cfca1c16e7208b8fa6c4ed0b5d79de65116db4ab07690f8ae73ec14345b2c97cb5b8
SSDEEP

393216:oCs9AonSMquOyVEffa4SNCs6V54ZGNlhxRDe2QGlHeJtIwt:F0AonSMIHn3SQs6v1NpRDeUUp

Score

10^/10

asyncrat venomrat eulen defense_evasion discovery evasion execution rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Eulen

Mutex

Microsoft_Sync_Manager

Attributes

delay
1
install
true
install_file
DiscordHelper.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/KnhCGRrn

aes.plain

Targets

- Target
  
  X7EIN_loader_prod.exe
- Size
  
  22.1MB
- MD5
  
  b305aa477ab7a5f2304aa747b0f52111
- SHA1
  
  e5f5987f1ee86bca5ef6e316c51b6a6c20c03788
- SHA256
  
  c5e40b00c093c4f1e3f34ea04ac9bc8cd233670447ef54f6c59362a9927a358c
- SHA512
  
  5bb7fa6edd3e66fb6b7b0ecf58819c1e0f53512a998f612bce864c32cb63cfca1c16e7208b8fa6c4ed0b5d79de65116db4ab07690f8ae73ec14345b2c97cb5b8
- SSDEEP
  
  393216:oCs9AonSMquOyVEffa4SNCs6V54ZGNlhxRDe2QGlHeJtIwt:F0AonSMIHn3SQs6v1NpRDeUUp
Score

10^/10

asyncrat venomrat eulen defense_evasion discovery evasion execution rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Disables service(s)
  defense_evasion execution
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- VenomRAT
  Detects VenomRAT.
  rat
- Venomrat family
  venomrat
- Async RAT payload
  rat
- Stops running service(s)
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

behavioral2

asyncratvenomrateulendefense_evasiondiscoveryevasionexecutionratspywarestealertrojan