asyncrat | 5656064ae4d3c302be4f376131bce57fa83ba30e94c329f33adb91836d7f4bf8

Sharing

Copy URL

Twitter E-mail

General

Target

archive_13.zip
Size

40.0MB
Sample

250322-gwsr3syzdt
MD5

db92218cb652ba5e679f6136fab8f5eb
SHA1

5bb7b9e016e72f82f3bed38d3e90aacfb0383807
SHA256

5656064ae4d3c302be4f376131bce57fa83ba30e94c329f33adb91836d7f4bf8
SHA512

40f28ac8b3d704958e02c9c694e03dcadaca28b2197c0b5b9a92ab5df7c46568e8e56f49b08206318f09892306ff83873e20cd0030856125d027e46787bb1cba
SSDEEP

786432:6NTyQ37YoQPaPnEd00oDL0LSnLuPZD776CSyImXaQaCZxf/ctXvwi:MeQlQanO00oDoLSyBhxIipaD

Malware Config

Extracted

Family

xworm

gas-representative.gl.at.ply.gg:28749

master-decor.gl.at.ply.gg:43820

127.0.0.1:7000

Attributes

Install_directory
%AppData%
install_file
system.exe

Extracted

Family

umbral

https://discord.com/api/webhooks/1351005466335121518/twCTnfzoSiI-aCcNO4qPr6FH-T4gOkPWQV2wxS9C01GGw7XemgcLtgFXaMAxuEVtAD2v

Extracted

Family

discordrat

Attributes

discord_token
MTMzODE1ODY5MDUzMjA2NTQ1MA.GtXorc.j6mFX16JgeG_cuIkV6MhYza6EyxxjwaUH0pJJ0
server_id
1338122316436996187

Extracted

Family

asyncrat

Version

Venom Pwn3rzs' Edtition v6.0.1

Botnet

V-lg60

37.48.64.102:4950

Mutex

yawyrgpacvfvsfgbz

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

nanocore

Version

1.2.2.0

sysupdate24.ddns.net:45400

Mutex

ae82ab7f-db07-49ee-9d2b-76075d76f37f

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
buffer_size
65535
build_time
2020-04-24T17:41:53.492468936Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
45400
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
ae82ab7f-db07-49ee-9d2b-76075d76f37f
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
sysupdate24.ddns.net
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

remcos

Botnet

Host

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  326fcf48062cbb0bacf4663fee8a51c740e810ee0477fcf6eb3e8c5420909e79.exe
- Size
  
  281KB
- MD5
  
  11a206843f7380a2768c3ef10d7d287b
- SHA1
  
  39df631695e0cd57e95239e07b4ccb3f133b4cde
- SHA256
  
  326fcf48062cbb0bacf4663fee8a51c740e810ee0477fcf6eb3e8c5420909e79
- SHA512
  
  aa96cd1a0dba83fcd9e6eebb6f19239586bb65e9a66ccdd301a62df9ee0eb601849bb84ffd359d334e632a6f310093df7f6b4e3277776a6db9416fae0a188ab5
- SSDEEP
  
  6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66faD:boSeGUA5YZazpXUmZhZ6iD
Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  3293f41661f096b9d6839d0389f94416.exe
- Size
  
  281KB
- MD5
  
  3293f41661f096b9d6839d0389f94416
- SHA1
  
  a6859f9404d495fae0d97943cbe1eca18533d88f
- SHA256
  
  5184fed556ebc70582af5db9792f111346abab38aa5f022769fbb2b82d64708d
- SHA512
  
  4e52d61fc3a1fd2813c86cce57e139dfe22587d97be2eb5beb2f3e2410a0f2aaa0a2a0475ab2f130062b7b7bf3d1a162c375ea7dc3eb5051ad9bd6913d637a20
- SSDEEP
  
  6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66faS:boSeGUA5YZazpXUmZhZ6iS
Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  32af824687697346da2d415bfb80fa29.exe
- Size
  
  13.1MB
- MD5
  
  32af824687697346da2d415bfb80fa29
- SHA1
  
  bc83dec747cc6fc84c61df9df6d0ca5e82227040
- SHA256
  
  cc1927347aa066e1fca14fe1669362dd817ee950f9727a38e3a7b8ced8553062
- SHA512
  
  873e74cd1623ee150d3528ba42875048e379e1a577b828215c35f4375bd9817ab25c21113353c3107dc4ab3bcd076a6df5191647c19b373e1472d1b38fbca719
- SSDEEP
  
  6144:RAIvHAsjfyx0Sd/jkraPjhEe6VlWT8b9AtHqrXjXx4uzTb8M59cTT4l2P:RAWx5raEPVle8/rttzEccTQY
Score

10^/10

persistence privilege_escalation
- Modifies WinLogon for persistence
  persistence
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral5 behavioral6
- Target
  
  332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
- Size
  
  484KB
- MD5
  
  a343fed4bd504af60503fbd80efa5326
- SHA1
  
  239da9a238861c2e9fcd0cfc534259116f283eeb
- SHA256
  
  332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5
- SHA512
  
  d62b44e5c9637f10a7b0c54db4f389a16888a5132673375daf5cf0ad2fe2302adb17a3630599dc512a4aa18fceb8f47b7324a7c6c66c6823446894b642181b19
- SSDEEP
  
  1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral7 behavioral8
- Target
  
  337f25a258012c5c5802696b2f2b1a51.exe
- Size
  
  322KB
- MD5
  
  337f25a258012c5c5802696b2f2b1a51
- SHA1
  
  06269501194236c5086c4883e169b17d9202e685
- SHA256
  
  85fa680ff456723ad6dbcbc48f9e5baad961aa7d67143bf5e277268be7035a1f
- SHA512
  
  9289327fa5c573c0a4c8998ddad6a5740c887302053c30a3c1e1eb8246501305f3e63d63ad7abb9c6f20be42790c37dddcd8e88ec01590db345ad70528f50bfd
- SSDEEP
  
  6144:ejWTebuRcLMjH5WBz2YT7jRhMV1gEpkNkMdP+D202ZDa:kWTzcLMjH5GSpjGP+I
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral10 behavioral9
- Target
  
  33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
- Size
  
  1.6MB
- MD5
  
  43460cdfde5083d6f692f08813ef6dd1
- SHA1
  
  55756e184df04ffe1c502a40f8f859de16d19003
- SHA256
  
  33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b
- SHA512
  
  23dc4dc7bfa6f60da960b314c940e3e17e15e5719d5453a5ad1ca6f2c7f034357ad71a1a3a46b16b508076af878d7972c2d24cc3a6a7721a12bd851ff63c6e66
- SSDEEP
  
  24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral11 behavioral12
- Target
  
  342f2b5aa4fb4c3d9bfa18f7ff3e96ac5a21db19b8635b92ca789dfcb4e55875.exe
- Size
  
  446KB
- MD5
  
  68e298b36db386382e7dfbe5bd784699
- SHA1
  
  123700bc8004ee6c9967a6818689658c23cf4996
- SHA256
  
  342f2b5aa4fb4c3d9bfa18f7ff3e96ac5a21db19b8635b92ca789dfcb4e55875
- SHA512
  
  879f41008ddd3464026b5c93338246fddfcc640e2790bf3d106555e22103dde1bfc33e23125e891a676daa263635518142cbf481f91b0671adfadce63222a562
- SSDEEP
  
  12288:CEgwe8+6XzGT4DaHK8mzQz9vIQozyiScxvN4HZwujQ:C1wjDaq5zOgRzyQvNKh
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral13 behavioral14
- Target
  
  344b47e81ef94c8f7a3a1c229f4c167bcb516900647d82936084677320a4960c.exe
- Size
  
  246KB
- MD5
  
  6f6984234dc6714ab8fb6ff673423d1e
- SHA1
  
  2976c3f2a47b976913758c1800db5350498a3bc1
- SHA256
  
  344b47e81ef94c8f7a3a1c229f4c167bcb516900647d82936084677320a4960c
- SHA512
  
  686e2919cc945ac930073f9244435e40a2fa135a911ac26822c27ea9bb13b1e72b7beb828ca5ed8c45c18c349f11669bb9d0b41f246a7837755545d49627e6d5
- SSDEEP
  
  6144:5loZM7rIkd8g+EtXHkv/iD40M1nMS1NmPzus9x45Pb8e1mqiv:LoZcL+EP80M1nMS1NmPzus9x4dcv
Score

10^/10

umbral stealer
- Detect Umbral payload
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral15 behavioral16
- Target
  
  345db905b17d371d0355419841ad7d8a.exe
- Size
  
  8KB
- MD5
  
  345db905b17d371d0355419841ad7d8a
- SHA1
  
  3835b14ef9f753d09ef8ecb1cec95cb7e6c21b05
- SHA256
  
  f0e78989bf53872845049f3bd65c749a952a731c02c6a2ab4d7c2fc49324d84c
- SHA512
  
  b72316f6ad09368d52fb46a79d3c33308c55897248a9c2d9955cc9cb1e9173142d1541e084cd781e938e4faf989894225d9fc33c442ff11dd83e1aa3b324df6a
- SSDEEP
  
  96:XAvwadJ8k2fqmNkFMEcE2UYlnlYJnLDXL0Kffs179KIV61r5tXmmRgCS+8/Tl:QPJx8hNq0VNnlYJLDXLT+9Klb2CSt
Score

3^/10
behavioral17 behavioral18
- Target
  
  34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
- Size
  
  1.9MB
- MD5
  
  34655ac11b4f6a8d6f1ea8e2fbbe0676
- SHA1
  
  d17ed388047ec77145ef4c96e3760ea94985caa7
- SHA256
  
  75b2e0c469d7b50ea3a5f022b84db475f4009e17265ead71e5a68a9a90a44688
- SHA512
  
  2c2bf7b06e1a6ddfc2bbfe21a9c1a21cea9a33015ad62837dd1dee81e8a096b951c1dae3f3a95ae052f014e563b040da9d3ee9c96565116933603a99ab9e61e2
- SSDEEP
  
  24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD
Score

10^/10

defense_evasion execution trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
- Drops file in System32 directory
behavioral19 behavioral20
- Target
  
  34a292bd76e629b9fd512f94ba2f6bea582de6e9f7cdc0129c233fa4df357ab7.exe
- Size
  
  910KB
- MD5
  
  78b459487d77b2af6ddfcc1e82e86832
- SHA1
  
  4bd3949d2f1704e5d50befa9998631e59a29fb4e
- SHA256
  
  34a292bd76e629b9fd512f94ba2f6bea582de6e9f7cdc0129c233fa4df357ab7
- SHA512
  
  0b719d230d6e2dc90723f7cfcb54e934e8e61d28dc7e432053a881fd432c8a9dad4b3ac3949c984649b20a6ffa5db32a15d56d04da5f51638ade64a653a1a863
- SSDEEP
  
  12288:7p+rgRNyA55IxJ+feDOa9rZj5XqkJD0QrOod7XxlW91RRz9Ma:7pugRNJI1D39dlfGQrFUx9Ma
Score

10^/10

remcos host discovery persistence rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  34d765717a065c8984c1663ed6d88c18ce58ea3a1780da7947d9686ff01f1ee4.exe
- Size
  
  580KB
- MD5
  
  8cfc3f50d92b1919d85306fa26d53a73
- SHA1
  
  9bcdae674f2508df2e9c98fe441d4e0fa9bb85e4
- SHA256
  
  34d765717a065c8984c1663ed6d88c18ce58ea3a1780da7947d9686ff01f1ee4
- SHA512
  
  04c62010776379fb46f90081db7cc4040ccaae373610475088fd891bc487d8e3a4c7396d73a1941538c398bd639b04d1e9cd0271ed596eaa80cd2b62162dff55
- SSDEEP
  
  12288:YbD5arFJwK6hMJ6ZzHFZfc28beMGTfZuqb7J:rBJwdhMJ6ZzHrfcsMGTfZ5PJ
Score

10^/10

imminent discovery persistence spyware trojan
- Imminent RAT
  Remote-access trojan based on Imminent Monitor remote admin software.
  trojan spyware imminent
- Imminent family
  imminent
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral23 behavioral24
- Target
  
  34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe
- Size
  
  211KB
- MD5
  
  dfc95dfdc917270aedadb22238d7cae8
- SHA1
  
  91c80164d7411805c86fa014536fb7d74cab616d
- SHA256
  
  34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9
- SHA512
  
  fd97d703d4d57f5bfb38426fec2d343234258c5c8c5559662d6917a8770a7001b8011cfae812cc7aa9ccc5947d4b37db610f459ec58d7602ef55884334e79745
- SSDEEP
  
  3072:Zp8Lc70UkL/JHt6RpkBzEhE0faKQAc7lGZPHb/5FVuBJ+U53TXbYwEKXFR:ILTr5t6Rpk8E0CZSb1gpEKX
Score

10^/10

stormkitty discovery stealer collection persistence privilege_escalation spyware
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral25 behavioral26
- Target
  
  350eba0e7b89b10b4b0f886f34ddc62dec985f55ef6ee0f9f5a7e93da5cdac2b.exe
- Size
  
  2.0MB
- MD5
  
  e2a8f9c3e2d7e7a4676e00faf4936624
- SHA1
  
  80b1b2aba8e059c04cb24a98a80c707f588f0672
- SHA256
  
  350eba0e7b89b10b4b0f886f34ddc62dec985f55ef6ee0f9f5a7e93da5cdac2b
- SHA512
  
  346bf29a29ac694aba4453bca42bab9cbec51d893508f7767e14072233ca2e34a9ce5e4c78c2189958e392a609576531b3cca2695ff7e2ef497c8c74604f5434
- SSDEEP
  
  49152:brYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:bdxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral27 behavioral28
- Target
  
  353233e5a415519357daf1258d66e8ec.exe
- Size
  
  1.2MB
- MD5
  
  353233e5a415519357daf1258d66e8ec
- SHA1
  
  0e19761907c0be60353733092cc0a31a07bfc52d
- SHA256
  
  3af5cc1b136250c241fb66a28ed1e21225ae414d51ce854a6ca2041793ff5f18
- SHA512
  
  d02d80a982ef42500b7883bb51a4a98f85feb90b990a61702e1281a9e76b9806deb71a7745e82cd77841965eabfb4cc573583646993e0bc65e031c258fc6c55f
- SSDEEP
  
  24576:7lUzGRo8D89NAF7ttEL48EobWkCfjCZmRxA1+rc9TwFSKAbe/x0yb:8GLD89uFDQbWkO42xA1kc6bAbe/a
Score

5^/10

discovery
- Suspicious use of SetThreadContext
behavioral29 behavioral30
- Target
  
  35459ca7521a8565cf4acaadd346537b.exe
- Size
  
  984KB
- MD5
  
  35459ca7521a8565cf4acaadd346537b
- SHA1
  
  c22ce5beb121ecbba910dec28dedc0781d379524
- SHA256
  
  9622708341e5ac35563f5f258ae7736ad0a9f3c5875cfbf6e4570778b2e2c8bb
- SHA512
  
  691dc64caeb7a892b54c970f5d750a47a525004b162994c7e71eefbd4821c5c65961b2bbf08c356799e005de7c258fede7058cc3cc7f939f5ce1cd4ba40becd1
- SSDEEP
  
  12288:LzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:LzZvuGD2PvA5YxwmbZB6Uv
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral31 behavioral32