asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

archive_56.zip
Size

133.7MB
Sample

250322-g2fppstks9
MD5

d57c7b6d56a558cbe5e038f4999e5fdb
SHA1

51157454b68ba1503eff584cdc067e6dd2e00cd2
SHA256

5e807de88a43edb7b341ed17b4e218f35c3204bf5dc969c131792b0a23e9ddc1
SHA512

ad2b56550e52aff074cb4882713d7af99304a890dba6485ead3516aa1855882626663a0dd7fdccbaa884c34474d4168369026eb25260cc587df17971badbe618
SSDEEP

3145728:bQDaXuNsQGRZkOReuKHXZZwAIFEZPRj3L/L2sUzGHQ3WHM/XYhQ:gaeNIrkOgXdJRXRUzGHQGHsXSQ

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

size-ingredients.gl.at.ply.gg:5407

Mutex

a1cb840a8f8b330a9629751db128f43f

Attributes

reg_key
a1cb840a8f8b330a9629751db128f43f
splitter
Y262SUCZ4UJJ

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

xwtmpZSwsYCz

Attributes

delay
3
install
true
install_file
Image.exe
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

4.tcp.eu.ngrok.io:14131

Mutex

60a27120913d09dacf55889f507e54c2

Attributes

reg_key
60a27120913d09dacf55889f507e54c2
splitter
|'|'|

Extracted

Family

xworm

floor-steam.gl.at.ply.gg:58684

Attributes

Install_directory
%AppData%
install_file
scvhost.exe

Extracted

Family

xworm

Version

5.0

92.255.85.2:4372

Mutex

bFh8cGGVyBJ2hXxI

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  e1dcb9ba72b5d530a7025537eed091187313975f51f1a4756d379129a1eaa629.exe
- Size
  
  1.8MB
- MD5
  
  9e573a2ffc7e82c398e836aeca657685
- SHA1
  
  9d058fc9ce31f7e7cdf67a5d874c624844bbd263
- SHA256
  
  e1dcb9ba72b5d530a7025537eed091187313975f51f1a4756d379129a1eaa629
- SHA512
  
  9975a8ccc2240d6113704f6f88fe36fd7c1cbafe2f973489fece70259d161b3c752da9a9338aa47ae331eced7151813789e4a7647995c07a5270e7526d35158e
- SSDEEP
  
  24576:ZSkAQsxIxncfKtAXPqqXHZGPaHBZ23QhGDJjqE/z5ZIXOdHQvy3ge/ZX9uWfm2YU:8RKxcCmfV7Z23zZZ4vy3P/ZXfizZXyT
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
- Size
  
  1.9MB
- MD5
  
  8b90b02faca36074af1577d7195ee6a6
- SHA1
  
  58a84f82276f92154be4271244a6bc0d1837c33f
- SHA256
  
  e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c
- SHA512
  
  2a38045191bfb8b2bdce869181ea1d4bd8745dbd87e6ea062ecbe4e9b04ab5aac96a8428790fde989b26c41137b830c7b76efddd4361c60cee2c9203d31ad8f1
- SSDEEP
  
  24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD
Score

10^/10

defense_evasion execution trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
behavioral3 behavioral4
- Target
  
  e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4.exe
- Size
  
  288KB
- MD5
  
  040b6bc9b0e6555c619b0b6ac5c100c6
- SHA1
  
  29658672a828a82cfb57f13332799e5c14af8ae4
- SHA256
  
  e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4
- SHA512
  
  e0dcee7db91991c26e9c0405435d59da2980b883a36ed4c6a38792f6af7d156979368e0a9be9ada036f8f3f537cc770b5174e27b361ea1839877f908f806b5b0
- SSDEEP
  
  6144:KCqhNgYNRrD/tlWnuxWxVODw2v4ryAADzcL51rhAHA:KNhNgarD/tlWniqONx/6foA
Score

8^/10

discovery
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral5 behavioral6
- Target
  
  e277271cc70bc12cb5a62950728025e8.exe
- Size
  
  5.9MB
- MD5
  
  e277271cc70bc12cb5a62950728025e8
- SHA1
  
  f49e565e7e17473bf473727846744436622083eb
- SHA256
  
  cabbb23bfd4c9f0ee454f1c072f963b938281c38dc7d14cfe62629e23f96dfda
- SHA512
  
  dcc1aff642ab495007d83906e3316cde8c0f36c1a902abf2c6bcd9991b1ee7fbecc3bb4e281ffc2f25d1e6c5531179deba529d177b757ab89e9a9872e2712feb
- SSDEEP
  
  98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw47:RyeU11Rvqmu8TWKnF6N/1wi
Score

10^/10

dcrat defense_evasion execution infostealer rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral7 behavioral8
- Target
  
  e282def0d26b0a0ace50c80bd0d3e389.exe
- Size
  
  1.1MB
- MD5
  
  e282def0d26b0a0ace50c80bd0d3e389
- SHA1
  
  aad1e263222141dab481347dc60f033ffc3e86cb
- SHA256
  
  e8fa1ef4d468a51c9aabb390609c63f549b8693592d23160d5459817d3fefe88
- SHA512
  
  8966a24026b973dfa147d697ef7d659ff3f1b8ec11ea3971593667cd637655edaad4370683069ea2ecea21c1b0863ef79cf46effb8736328c3db010b25299b33
- SSDEEP
  
  12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ
Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Drops file in System32 directory
behavioral10 behavioral9
- Target
  
  e29645b97716a1a1d083e644500c71a7e2a3c20f8c6812785f6242461eccfe39.exe
- Size
  
  10.3MB
- MD5
  
  6447a2bb53cd6db8b2fcb0f6d1f5c34b
- SHA1
  
  024c9b68dffec0659cc301ac7123da414078504b
- SHA256
  
  e29645b97716a1a1d083e644500c71a7e2a3c20f8c6812785f6242461eccfe39
- SHA512
  
  87bfc9fdaca50d6dc96a161cc46731bb2d311b0836e39114d5386c938e8022a3ae0fdca275e5cd91f0add24acf01f8da54e97b69e9cd00c01764d0911611a424
- SSDEEP
  
  12288:/k3ZvH5K4AJROAltaCrueXY2Rto7m5XG5agF9iM:KtS5MFg
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
behavioral11 behavioral12
- Target
  
  e2bfb9c5dab6674c2bd9eec1f66e4f0c.exe
- Size
  
  83KB
- MD5
  
  e2bfb9c5dab6674c2bd9eec1f66e4f0c
- SHA1
  
  1ded7a38ee2a1401ba39a7b2641aa53cb1c85355
- SHA256
  
  2dfe346587d3bcc2dfb437c3fca97fbb38d2ad6aebbae862e96ff8c4e78f1d28
- SHA512
  
  0b4990bd6277222a10ba62bd208fe08e5553566b2b765a5f32035c72454dd7b024aced533f28e0eb869e5699f8d53f591d174828f59c7ddab68f3eee37918fd1
- SSDEEP
  
  1536:M/u1tcHm/adpsWxW3I095NRAX5EP1TSqtH14WhrftbIRT8QTN7jZ4dgRnF7boo1K:MW1tcHm/adpsWxW3I095NRAX5EP1TSqF
Score

1^/10
behavioral13 behavioral14
- Target
  
  e316eea78900620a3194bc604bab1d058ec60832baa6df78d0795ebee9ecd6fa.exe
- Size
  
  505KB
- MD5
  
  fd2ae2610330403a81e297f3cd953e3e
- SHA1
  
  df6f3c5e53beee8ed7a57d0cdf38f0ce15915018
- SHA256
  
  e316eea78900620a3194bc604bab1d058ec60832baa6df78d0795ebee9ecd6fa
- SHA512
  
  cfe27ebb170d52213dc202e93d98939dddbdb3b61dd65a61068e13f5531dac20070f9119b6d49a8e76f92f5cdb76988fe9db2732c765d6278c1bdc1a2ac7d44a
- SSDEEP
  
  6144:Lzc9kDINdxEdjqsC7owRZaWelsSyeAoIDJT02SfQmhCqkDaiA/zqEYgFbgmaY4W7:L4FNdQjhC7tz6noEoQHYgCY4R
Score

1^/10
behavioral15 behavioral16
- Target
  
  e3250ba3e962ddf90560e00c92659cf9.exe
- Size
  
  54KB
- MD5
  
  e3250ba3e962ddf90560e00c92659cf9
- SHA1
  
  f6904cfed503a1009923141b3028875bab2aa08c
- SHA256
  
  92123431a5d7c000dfa423656179055bc8b3e4c96ed94b90cd334b2feb8818b6
- SHA512
  
  8e78bf75eec8fc294fc11e5fc6eb69230b7e6d9a8676944cf9b1fe581b6f1fc5d931fd3efedd6ffe63b396ee69de34e18c07501fb7f3b2c8df3a5993c9eafd5d
- SSDEEP
  
  768:CkoLg652Eslt/aNxND3O4JSNjxWQG35bmaePD5Pv+2XXJdxIEpm7g:CkSVGtiNjDTGdWQcGDxX3xIEpm7g
Score

10^/10

njrat discovery trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
behavioral17 behavioral18
- Target
  
  e34a914ca2b4fd7d490bd7fa0893c9b1.exe
- Size
  
  222KB
- MD5
  
  e34a914ca2b4fd7d490bd7fa0893c9b1
- SHA1
  
  e55c2dcfb6dccf9e84664af5932e9ab2eff2f2c9
- SHA256
  
  047f813c24a57883f2c6b15706b6695dd0497bc51d8b13bf74f213fdb6772d30
- SHA512
  
  0a67a20afd1f5e03799d8e88a842998dace89cbcbce34b8cbc339c9fc73d9784c8dd2899ff416955f51e6eea9c4637eeef610e6b360bac57915e46a0777b9cab
- SSDEEP
  
  3072:YsXRmUIMitiMQose27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwRmLY:ZR5IuMQoseGk7RZBGxAycKpSPX2D
Score

10^/10

defense_evasion discovery persistence spyware stealer
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  e37b2913aafb08ae275e16364b9916c6.exe
- Size
  
  47KB
- MD5
  
  e37b2913aafb08ae275e16364b9916c6
- SHA1
  
  cc840be551dcca5c271f5263df5d3953860c33ea
- SHA256
  
  37a8613cdcd090ed1de2608fc32b10bf2f50f3cbd2915d45f5965709e037e7e0
- SHA512
  
  15792ae8103af2671b0cdbacfe98ae92eb869a9e8c1856e042a2cd602414e423d60544f1dad1f4338ba4ea7ca4b33b240c5aa8136dee6a22ea47f195cd6b25a3
- SSDEEP
  
  768:12uI1tT/w70kWUquzumo2qzT20Ek+ZT4DPIE0kZw/kTJX0bie81f4GoCCQKHv3c1:12uI1tT/kW210h+ZT4ME0h/eCbie8mGb
Score

10^/10

asyncrat default discovery rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral21 behavioral22
- Target
  
  e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d.exe
- Size
  
  1.9MB
- MD5
  
  88c85713b28206515423821dce1f0a0b
- SHA1
  
  3b8372f2cdf9875b21e189634f50661cf4d40a2c
- SHA256
  
  e37c63b72b4dd8c6a148989a74f33e54278e68275a33bcd9bab0dbac29e5af0d
- SHA512
  
  26e7cf21280bf49336462cfcf229ea6a8c72c3241c0398e85e9fb3f2fe50d174e3bb1f0215f784767034a4b1ecbe59d61e02bf4541014612bd0e30f67f5a6a07
- SSDEEP
  
  24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD
Score

10^/10

defense_evasion execution trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
behavioral23 behavioral24
- Target
  
  e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0.exe
- Size
  
  563KB
- MD5
  
  2b846d776f1a6fbe1ec811a245da8143
- SHA1
  
  ecc293b1fc5be7e85f69f423817dbbcb090d76c2
- SHA256
  
  e37cf808045aeb5b8ffe33d0e6a47444ac10956adad4d307c948a20dd8e53de0
- SHA512
  
  ea5640d2abf98c22415b443ea1debb71bc218c8f02ae1f86444d57e0ca524b04158c6e91f0ea3b80b4fddc1687d77c954e4f6f7f6bf533774a17e1f642beaa56
- SSDEEP
  
  6144:+mLrULcs2P7uZA3j41e6VlWT8b9EheZw/uzQ7Ozl449NYI0VxWRbX12Vvz:3+N8+1PVle8RZB4OY1Wr
Score

10^/10

credential_access persistence privilege_escalation spyware stealer
- Modifies WinLogon for persistence
  persistence
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral25 behavioral26
- Target
  
  e3a2f6c598bc05769da36673f1f02c90f737d5293bf16ba0c839e92cf4258382.exe
- Size
  
  383KB
- MD5
  
  72ab95541a7892d573af0dfb987640b7
- SHA1
  
  487d6a7b3525c413b51b9bb79865d8b5ada16350
- SHA256
  
  e3a2f6c598bc05769da36673f1f02c90f737d5293bf16ba0c839e92cf4258382
- SHA512
  
  ddf4c3c09eae1715b782c69833491c72c5d3f6949e6068a5201df673c587d79e8bca1ba09470ff584eceea5a333869d78ecc05199b329e1067a9e8f8769cfdc6
- SSDEEP
  
  6144:MxOxQkEI8Nl1EBJzJWpMAE0tGZ2yzsfvDFSMMzJGYkQRj5JGbv0oHBSyz2clvFm:Mx64WBJzJWq2aGvDFHMt7jJGlv
Score

1^/10
behavioral27 behavioral28
- Target
  
  e3a86fc42dbea243f01ab5183b1e1f0c1907b4b6d46428df1d055ceb3dc9f662.exe
- Size
  
  1.7MB
- MD5
  
  45506195502850453db17be2edddf4f9
- SHA1
  
  d855f331d09e07dae83e5419c15e886c19063782
- SHA256
  
  e3a86fc42dbea243f01ab5183b1e1f0c1907b4b6d46428df1d055ceb3dc9f662
- SHA512
  
  4463c77ece9d370aa35a99157d8b80e01893839e02b68b95b4e777aded5485c9e98c9bf3e8df47b69eaabfa1ee6c3b85b3b0fd3369d6e047875c111e92817bfa
- SSDEEP
  
  24576:euzyFoBkkAqm3NHx0t71N/otyCgfdt6oP4pPTxShHhsCMafaO1n:euWanoR0vNgtyhyj2vCO1
Score

9^/10

defense_evasion discovery
- Looks for VirtualBox Guest Additions in registry
  defense_evasion
- Looks for VMWare Tools registry key
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral29 behavioral30
- Target
  
  e3e3053d342cd6eb6834eca2d1c506b65d8e459b4e336fcee977e17f3fb6a910.exe
- Size
  
  3.2MB
- MD5
  
  fdfe8313374cc5b208a194f2361d06b1
- SHA1
  
  f9d3ca1caf3fdafc2ced50709345811110c5a8cc
- SHA256
  
  e3e3053d342cd6eb6834eca2d1c506b65d8e459b4e336fcee977e17f3fb6a910
- SHA512
  
  01b650c9474e289f3dd3c891cee0093ec75806e33a5536e5fcc3202c1f5bf9e6a8fdd8b98b5788764a37c27111decef6fc814ce13cfbeb9ac66de577be823001
- SSDEEP
  
  98304:eAgOjoXMv34ssQQFTyEw33qGEZZ5Eq6ea:V/wNTyEw3tEZXV6e
Score

10^/10

salatstealer stealer upx credential_access discovery spyware
- Detect SalatStealer payload
- Salatstealer family
  salatstealer
- salatstealer
  SalatStealer is a stealer that takes sceenshot written in Golang.
  stealer salatstealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral31 behavioral32