asyncrat | 7e71c79883eb025596762b4e0bf86b447039079dfe510ccf13a383b612575fa6

Sharing

Copy URL

Twitter E-mail

General

Target

archive_15.zip
Size

34.6MB
Sample

250322-g6sj3azsbw
MD5

7f3944a349f295202d784cd388eef05a
SHA1

427e7d29593be751c6c10f81f3e58b816fe79677
SHA256

7e71c79883eb025596762b4e0bf86b447039079dfe510ccf13a383b612575fa6
SHA512

d80befe7df86a473a098b9b00ef3d26b6a7d7407c194cf9d471a8da1e7a20ecbb86b759266e17f6c1a8f353f9b2d652f5e6032ef5ee5c9d9289f0c0ee1cbd599
SSDEEP

786432:2Paqcyrhk54qpiDw6up//yxNeiHZUKLZ9FlRVsE:24cEwE9aFHZUKxlLsE

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

score-fears.gl.at.ply.gg:6905

Mutex

47ed2009f1c922f581a240792169875b

Attributes

reg_key
47ed2009f1c922f581a240792169875b
splitter
|'|'|

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

if-contest.gl.at.ply.gg:5461

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Extracted

Family

xworm

127.0.0.1:4758

108.77.173.66:4758

127.0.0.1:5470

red-ps.gl.at.ply.gg:5470

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

xE8mXg8CRXTe

Attributes

delay
3
install
true
install_file
Bigger.exe
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

46.197.220.52:1604

Mutex

7bcbf5e23295248042b5dac9a154ecb7

Attributes

reg_key
7bcbf5e23295248042b5dac9a154ecb7
splitter
Y262SUCZ4UJJ

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

FEB 27 LOGS

Mutex

dwjsrlleihmlidl

Attributes

delay
1
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/i3NzmwEg

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

127.0.0.1:5552

Mutex

b13e292b915775ba092e61499e08a32d

Attributes

reg_key
b13e292b915775ba092e61499e08a32d
splitter
|'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

Mutex

8f04f9cf1cb0a66772ec936fb174701b

Attributes

reg_key
8f04f9cf1cb0a66772ec936fb174701b
splitter
|'|'|

Extracted

Family

nanocore

Version

1.2.2.0

[email protected]:46218

178.32.224.116:46218

Mutex

4af74541-e3f1-469c-8af7-efe4071b81cf

Attributes

activate_away_mode
false
backup_connection_host
178.32.224.116
backup_dns_server
buffer_size
65535
build_time
2018-07-28T12:59:38.488799236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
46218
default_group
tourex
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
4af74541-e3f1-469c-8af7-efe4071b81cf
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
[email protected]
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

asyncrat

Version

0.4.9G

corporation.warzonedns.com:9341

Mutex

480-28105c055659

Attributes

delay
0
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Targets

- Target
  
  3c7b097b31ed5df2ce6313dddd86da0f.exe
- Size
  
  37KB
- MD5
  
  3c7b097b31ed5df2ce6313dddd86da0f
- SHA1
  
  56831f20af7c89fb3c5e3cefa70e5e6b2a98131e
- SHA256
  
  de21a0b40b5f1cff271d2fe33518fac7c34382670bb0dc412363fc15f88e5ea7
- SHA512
  
  83a1fa6e3929ec00eab0a347dff6671f57229423067301f317d6edfde58b66624b6dc673d51fbfb8b84168dd4a11e5e1ebc99cd08f0155214404078fce6ab0f4
- SSDEEP
  
  384:mLuf7WpgibTjpPu7w9qyMTczHPes2A7rbrAF+rMRTyN/0L+EcoinblneHQM3epzk:PqNN9ZMTczWtAbrM+rMRa8NujGt
Score

8^/10

defense_evasion discovery persistence privilege_escalation
- Modifies Windows Firewall
  defense_evasion
behavioral1 behavioral2
- Target
  
  3c8a6c6cde2240783bed48a2f3d849a30bfa841d7cb55177721631dcec1eb086.exe
- Size
  
  2.0MB
- MD5
  
  a25affdb70bad26a0357487086c6f275
- SHA1
  
  a8381e4cbb1b3291c4331f788d000bf95b95edf8
- SHA256
  
  3c8a6c6cde2240783bed48a2f3d849a30bfa841d7cb55177721631dcec1eb086
- SHA512
  
  2da6932d438fd9fcca1346ea33720aaeb75007e49b4956834563dd18390291eb2c5f541e37f61ae05bdfc90646c476ea7c18ec7b8b5380d29ca3b634c617bc43
- SSDEEP
  
  49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral3 behavioral4
- Target
  
  3ca3e4676bac76c4f7eaf0ab169b8af1.exe
- Size
  
  78KB
- MD5
  
  3ca3e4676bac76c4f7eaf0ab169b8af1
- SHA1
  
  3873da68bc51d374243468d08e73058674ea0a02
- SHA256
  
  572c49454d971b5cebc708b888e42970a4f954d97cdd8cd237a5ce4b281c60a7
- SHA512
  
  2f34a5d1affdada1686408f5f6ac748fd688215a2a12acf897f06af177ad103dbae344102b271b572a5e51ec11b68d97b7d2fa184244ce67d5ea8430f85f1e4e
- SSDEEP
  
  1536:bCHF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN9/t1+S:bCHFq3Ln7N041QqhgN9/Z
Score

10^/10

metamorpherrat discovery persistence rat stealer trojan
- MetamorpherRAT
  Metamorpherrat is a hacking tool that has been around for a while since 2013.
  trojan rat stealer metamorpherrat
- Metamorpherrat family
  metamorpherrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
behavioral5 behavioral6
- Target
  
  3cb47c4bbe6856c45fd89eb5eb2723c1.exe
- Size
  
  114KB
- MD5
  
  3cb47c4bbe6856c45fd89eb5eb2723c1
- SHA1
  
  61ec438d8c8e4c382353587bb7eaf2aff7581f1f
- SHA256
  
  b023de4ecd98db961a3aa5c6aa9f6d79560c5dd72aaa2ea61e907dfac2503bb2
- SHA512
  
  53b273a1d5355b40664b5d9a5af40bec0315352d511a45d57d8a10693c5f7e7be8972d614eb4e9504bbf4fa455f51c149d891f0a5c29c1a82955d0b678f4a479
- SSDEEP
  
  1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDI1:P5eznsjsguGDFqGZ2rDI1
Score

10^/10

njrat neuf defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  3d18edb3bf6b0493a6572edd73f937ff.exe
- Size
  
  16.4MB
- MD5
  
  3d18edb3bf6b0493a6572edd73f937ff
- SHA1
  
  5845f04892c5c4314dab1b885c4ee77e5f799052
- SHA256
  
  eec5563cab061ef1b00530425de7891a09ec8416aae780c6c651c7caf98d7879
- SHA512
  
  81eb59c2170c17959c6814847b420ff7682145d552692c6af1d88fc1b251d4bfd5ae45a9f7f017184812c69606bd132309f879f8031da5a1b23a309d52185a4b
- SSDEEP
  
  196608:S46M6QqOyjr2LF3Ye6YmnwqdU142U8ZG7xKmHH:51cjSLFoBYmn5U1PtZG7xK6
Score

1^/10
behavioral10 behavioral9
- Target
  
  3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe
- Size
  
  218.5MB
- MD5
  
  d86b4e05d449d68ae457d3bf780eb2ab
- SHA1
  
  eb7e026cb99fa53ed05e7814497910b67140cda0
- SHA256
  
  3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4
- SHA512
  
  b3d9f94429cfeabd616a4624589a1da05d5e3b33244b92d49bdc0345a50cbea524b37d2305c93e4c381cf8f03214b3844f4cc2a56d7f7ea68fb3a1f21fcb1318
- SSDEEP
  
  6144:tvcXK+rhXT2Ef5YTe6VlWT8b9qHVKIGJG3qVbgVSLh:VsFyEf5KPVle8oY1GT
Score

10^/10

persistence privilege_escalation
- Modifies WinLogon for persistence
  persistence
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral11 behavioral12
- Target
  
  3d2f05086d9da9564c7c7e945875e80c.exe
- Size
  
  43KB
- MD5
  
  3d2f05086d9da9564c7c7e945875e80c
- SHA1
  
  2a691bccd730f0d1b20743f97ccde01ce625dee1
- SHA256
  
  f7faff3064d94d1977899b814099e4276349b80c7896c26142080d540e54a7dc
- SHA512
  
  05a876ed8e07d1750a4be4bd20904745fb96203e6bb05c9f861e91bb84ccc97cff0a463dd26e8bb8b5ba2128a98e82ee89433bcfed646b07f79d885c843e4ebf
- SSDEEP
  
  384:vZyrUJ1Cj8syWcWrf7E5GiXeEXME5EAftz8Iij+ZsNO3PlpJKkkjh/TzF7pWnU/N:ReUJ04pWcWr7E5ZVMEzXuXQ/o13+L
Score

10^/10

njrat hacked discovery persistence trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Drops startup file
- Adds Run key to start application
  persistence
behavioral13 behavioral14
- Target
  
  3d81f411b0ec1ac7d861358e145db4ba.exe
- Size
  
  999KB
- MD5
  
  3d81f411b0ec1ac7d861358e145db4ba
- SHA1
  
  4b945e693bc455840912fc5b5f155c36501d235e
- SHA256
  
  72b49e4d9aa54af40111e35d0d4bcb4a7a313c4f2f5c5f33c3b7a093b7f4fc0e
- SHA512
  
  216c654e895ec5065b7d724f5421184e2a3445f4b801f0ebcc3ce34676e2d89240f22af079fd7a7d074af3567ee483ebe2f6b40bfea224956ff00f5d326894fe
- SSDEEP
  
  12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral15 behavioral16
- Target
  
  3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe
- Size
  
  587KB
- MD5
  
  58388ff123bd5e52aa3e7fa34cfa8a7f
- SHA1
  
  6b43aa7430ad9e446acf2f8d04ecb8f6b6eaa4c5
- SHA256
  
  3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c
- SHA512
  
  a4b5405d5e0c4f555e151c207c2d6d38e52b3dc3c59f3629729cec2578dc0426621b8f321ce770e69270e974e1d96f6eacc6d38d2f9b89c6aed4ed4ce397a991
- SSDEEP
  
  12288:tZFFZDJe6R3dvAheWxnMbbY1wLBuYEAmDUDAc5c:tZnR3ROWblBuYVD
Score

10^/10

njrat lammer discovery trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  3d97ea72c561c7d15574a99be582c59e.exe
- Size
  
  67KB
- MD5
  
  3d97ea72c561c7d15574a99be582c59e
- SHA1
  
  25eab8088c710e7f44b9d569eb96a27762cd53ca
- SHA256
  
  06de1b5a3ba2dae2ed909d8e647cc5c1a141b7520d26cda3f54947e7f8aaad45
- SHA512
  
  b0f1f99ac3927518e80ac6a5643949ac0945ab25faf7d4c8ea29dd9b3051f16fe3e3dea26a0006561b9836a50850cd2b41ad7c0341f6dcc823b73e9df02b1e69
- SSDEEP
  
  1536:I+mxV1I5K7uB6MnjU9bkVPWMXil+bV1Ts4um0h62lNn86OW6ds:I+DK7ukHYVPWM4+bVhp0lnjOWos
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral19 behavioral20
- Target
  
  3dd452b9394976fd7b431d3dbae57d18.exe
- Size
  
  4KB
- MD5
  
  3dd452b9394976fd7b431d3dbae57d18
- SHA1
  
  98940f9f7f1ebe646176130530941a92cbd14b94
- SHA256
  
  24ea75eec3b7573f491e69fe6f3e999dd7a58c16462ceb94b212d3235ed34bff
- SHA512
  
  f48f8d49263f32c6026b026688b3c969c1b202082f3c4ba93e6d701d0f12f94d173b77afaa3a5b996dc0fc1988c11734e30206560391b90fb28912f7d2301524
- SSDEEP
  
  48:6gmrtWxZ8RxeOAgFJCcV4MKe2YYo2dEwPvqBHnuulp+hvqXSfbNtm:UpxvpVx9Q3vkZLkhzNt
Score

3^/10
behavioral21 behavioral22
- Target
  
  3dfc71cfc45034d671ac0f319bc080bd.exe
- Size
  
  885KB
- MD5
  
  3dfc71cfc45034d671ac0f319bc080bd
- SHA1
  
  7d8a8faccf06d8ec762bdf56e8842dd069ec3801
- SHA256
  
  13af700b0453342984055a1e70619698a9163812e7524e4c6c264e29f25fd9a1
- SHA512
  
  8c824df6e8976dbf362cc075a1f114d9b86ad16cc0bedd880ef0a6afb7e745b901d957b96b8cf40020cbfb1c52f82874eacd319a9dc905b64d793c953503a00e
- SSDEEP
  
  12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:8lNCv6XJ5BClaXfD9vUha+u
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral23 behavioral24
- Target
  
  3e435c9ff25f6dca4a3e7262825aa557.exe
- Size
  
  984KB
- MD5
  
  3e435c9ff25f6dca4a3e7262825aa557
- SHA1
  
  57cb6e337e1c91c2937544fdfa78d3704d2ff408
- SHA256
  
  db97ef403b3433d2cae1fc98d893d14e67b83a14e7d8e4e428152fde8d83d934
- SHA512
  
  00c0863dc6728e01cddb5c605d1210c0d1c2b7bf7b4e2426f61bb2b6eb4addb102c7ef5d46db693557b3e8dcf4d68a33ddcfe499713666afd05d986b5be9ebe8
- SSDEEP
  
  12288:LzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:LzZvuGD2PvA5YxwmbZB6Uv
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral25 behavioral26
- Target
  
  3e624f48a849ad8a70e09f6d4e75f02b.exe
- Size
  
  78KB
- MD5
  
  3e624f48a849ad8a70e09f6d4e75f02b
- SHA1
  
  bafda32b69d0f3f342d1d404b82825f4593215de
- SHA256
  
  fb792ce78c7eee26dfb39a9394a2993a3799b896f66ee903f4ebfd75580828a9
- SHA512
  
  f95f9f0879127ae691e41eb1bea3a84bbeb8453cec57a21394fc37a96f74149a14a588cdec7a8775d70628a8e7828dc94f84f68fa3ebb88909c0b86245c9ad8c
- SSDEEP
  
  1536:6Njum7Ynydw8KwHpF73i6EBXlLOUpGO7VHKgFtJjTD0K3gI4:6Njum0ydDKqX0LOUpjZbttTDiI
Score

4^/10

discovery
behavioral27 behavioral28
- Target
  
  3e8acfab95493518077e0028fd0f2dcc.exe
- Size
  
  418KB
- MD5
  
  3e8acfab95493518077e0028fd0f2dcc
- SHA1
  
  916709a0aab1d58c686999f2bdc894e63dc7699a
- SHA256
  
  0a5a53bdc5eee30ec63ba27249253d0ad2224bfc7bf3fc790642427a545d2b1f
- SHA512
  
  fde4cfa600e96f292996b779814e32ea4b98b45b7ac117f1aa2a98b4d09bdcbcb3cce6602bd8037cd184c12fbc937e73c7d3aeb088bae982e301ebe3bfa8be80
- SSDEEP
  
  6144:ITNE3ZRrnaBVlvphVxmP+6CiejgcME1cwYfU+va+RUwbvl:ITNYrnE3bm/CiejewY5vXN
Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of SetThreadContext
behavioral29 behavioral30
- Target
  
  3e9a136b97b7ad7104019ae696b4f59d.exe
- Size
  
  273KB
- MD5
  
  3e9a136b97b7ad7104019ae696b4f59d
- SHA1
  
  99fff6e4e8320f9908ee359a3ed05549ef4d03a9
- SHA256
  
  ab3e7a2f39d9f97249371e3e0710bc1878410d19d8709fe5d9db437df1904a11
- SHA512
  
  8fab1f6ae6d36ddd4e92443064ac2473e5cc6a5db9cbf28d6446ecbc1836860bbc0afe78f7b49db3bd8dedb5b4043da49c996156107d2c2433ec999c37527ea4
- SSDEEP
  
  3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/s8sdT6:WFzDqa86hV6uRRqX1evPlwAEdO
Score

10^/10

asyncrat discovery persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral31 behavioral32