asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

241231-1fmqnszqft_pw_infected.zip.zip
Size

9KB
Sample

250314-csfacsyzgz
MD5

4e765c0ec023aaec66767bf265a60211
SHA1

fefce3a7d50f2f7a862039161cec70710746bc58
SHA256

8a1bb126b4ed6851a845ee584bda3fe7d51ad367e794f0a9432613028126e8ea
SHA512

321576e7af4ce1b60c765b413d3d26fe1c17509aeafe1f657e0bb5d9706a035ecf24c792919be07d6227b19a9ab12889b49834177c87e0875c0978d94dbbe62d
SSDEEP

192:K0fl4wj/CL60fOolOxkS2PZMboVge2ibtuVoV3WH0c+:XfkxOogxmhbVge2ib8VoVmH0c+

Malware Config

Extracted

Family

xworm

Version

5.0

92.255.85.66:7000

92.255.57.221:4414

Mutex

TLnTK5toQe3huGph

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

formbook

Version

4.1

Campaign

mtpi

Decoy

prettylitthings.shop

bemellow.net

jahman.xyz

prostadineonlinestore.shop

lost-cl.club

raphic-design-degree-21165.bond

monitoring-devices-99252.bond

purrizon.life

binaryaltcoin.xyz

accesspointfile.buzz

nlpga.club

apartments-for-rent-64633.bond

hustle.family

gdplay.info

dewa212-rtp.bond

orseopdo.shop

buktimenangpolo.lol

debt-relief-73622.bond

bank-owned-cars-us-107.today

magicai.digital

Extracted

Family

formbook

Version

4.1

Campaign

hwu6

Decoy

lf758.vip

locerin-hair.shop

vytech.net

pet-insurance-intl-7990489.live

thepolithat.buzz

d66dr114gl.bond

suv-deals-49508.bond

job-offer-53922.bond

drstone1.click

lebahsemesta57.click

olmanihousel.shop

piedmontcsb.info

trisula888x.top

66sodovna.net

dental-implants-83810.bond

imxtld.club

frozenpines.net

ffgzgbl.xyz

tlc7z.rest

alexismuller.design

Extracted

Family

lumma

https://reloadrevol.bet/api

https://crosshairc.life/api

https://mrodularmall.top/api

https://ojowinjoinery.icu/api

https://legenassedk.top/api

https://htardwarehu.icu/api

https://cjlaspcorne.icu/api

https://bugildbett.top/api

https://weaponrywo.digital/api

https://kbracketba.shop/api

https://featureccus.shop/api

https://jowinjoinery.icu/api

https://latchclan.shop/api

Extracted

Family

darkcloud

https://api.telegram.org/bot6107929879:AAHV6JwXs7rcYzMGLe3_opR5_gdKAC16Ye4/sendMessage?chat_id=6311012313

Extracted

Family

vipkeylogger

https://api.telegram.org/bot7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o/sendMessage?chat_id=6163418482

Extracted

Family

remcos

Botnet

Yavakosa

198.23.227.212:32583

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
yavascript.exe
copy_folder
xenor
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-DJTZHJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

remcos

Botnet

firefox mts

91.135.156.200:8109

Attributes

audio_folder
Ìèêðîôîííûå çàïèñè
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
app.exe
copy_folder
firefox tsms
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
cfg.dat
keylog_flag
false
keylog_folder
firefox mssd
keylog_path
%AppData%
mouse_option
false
mutex
Ðìê-HQT17V
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Ñêðèíøîòû
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

20.229.103.183:4000

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

20.229.103.183:5000

Mutex

4LGhzqWlUmPX

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

systembc

towerbingobongoboom.com

62.60.226.86

Attributes

dns
5.132.191.104

Extracted

Family

remcos

Botnet

Brazil

196.251.69.63:2721

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-U6XQL5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

remcos

Botnet

new new

135.125.189.140:1040

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
uptime.exe
copy_folder
update
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
restarting.dat
keylog_flag
false
keylog_path
%Temp%
mouse_option
false
mutex
ROA35Q-Y3LF93
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Extracted

Family

remcos

Botnet

firefox tsms

91.135.156.200:8109

Attributes

audio_folder
Ìèêðîôîííûå çàïèñè
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
firefox tsm.exe
copy_folder
firefox tsm
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
temp.dat
keylog_flag
false
keylog_folder
data firewall
keylog_path
%AppData%
mouse_option
false
mutex
Ðìê-QPMRI0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Ñêðèíøîòû
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

lumma

https://exarthynature.run/api

https://codxefusion.top/api

Extracted

Family

gurcu

https://api.telegram.org/bot7446828960:AAEkc-o_ddrGi8YykO2bp5LRB5CeoyXbG8w/getFile?file_id=BQACAgQAAxkDAAO3Z7Y2_xvid1p9rRmvnPD3ZYYz4zgAAuIXAAJD6bBRW1a2v0fc4Jo2B

Targets

- Target
  
  4363463463464363463463463.exe
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

8^/10

discovery persistence spyware stealer
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
behavioral1
- Target
  
  New Text Document mod.exe
- Size
  
  8KB
- MD5
  
  69994ff2f00eeca9335ccd502198e05b
- SHA1
  
  b13a15a5bea65b711b835ce8eccd2a699a99cead
- SHA256
  
  2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
- SHA512
  
  ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
- SSDEEP
  
  96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Score

10^/10

asyncrat darkcloud formbook lumma modiloader povertystealer remcos systembc vipkeylogger xmrig xworm default firefox mts yavakosa hwu6 mtpi collection credential_access defense_evasion discovery execution keylogger miner persistence rat spyware stealer trojan upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- DarkCloud
  An information stealer written in Visual Basic.
  stealer darkcloud
- Darkcloud family
  darkcloud
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  defense_evasion
- Detect Poverty Stealer Payload
- Detect Xworm Payload
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modiloader family
  modiloader
- Poverty Stealer
  Poverty Stealer is a crypto and infostealer written in C++.
  stealer povertystealer
- Povertystealer family
  povertystealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- SystemBC
  SystemBC is a proxy and remote administration tool first seen in 2019.
  trojan systembc
- Systembc family
  systembc
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- XMRig Miner payload
  miner
- Xmrig family
  xmrig
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Async RAT payload
  rat
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- Formbook payload
  rat
- ModiLoader Second Stage
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Adds policy Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Stops running service(s)
  defense_evasion execution
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral2
- Target
  
  New Text Document mod.exse
- Size
  
  8KB
- MD5
  
  69994ff2f00eeca9335ccd502198e05b
- SHA1
  
  b13a15a5bea65b711b835ce8eccd2a699a99cead
- SHA256
  
  2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
- SHA512
  
  ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
- SSDEEP
  
  96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Score

10^/10

asyncrat formbook gurcu lumma modiloader povertystealer remcos vipkeylogger xmrig xworm brazil default firefox mts firefox tsms new new yavakosa hwu6 mtpi collection credential_access defense_evasion discovery execution keylogger miner persistence privilege_escalation rat spyware stealer trojan upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  defense_evasion
- Detect Poverty Stealer Payload
- Detect Xworm Payload
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu aka WhiteSnake is a malware stealer written in C#.
  stealer gurcu
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modiloader family
  modiloader
- Poverty Stealer
  Poverty Stealer is a crypto and infostealer written in C++.
  stealer povertystealer
- Povertystealer family
  povertystealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- XMRig Miner payload
  miner
- Xmrig family
  xmrig
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Async RAT payload
  rat
- Formbook payload
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- ModiLoader Second Stage
- Adds policy Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  defense_evasion
- Sets service image path in registry
  persistence
- Stops running service(s)
  defense_evasion execution
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Boot or Logon Autostart Execution: Authentication Package
  Suspicious Windows Authentication Registry Modification.
  persistence privilege_escalation
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3