asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

7ddbec7fac00ec5624f45da5879ebfa97d95b21c7842cbaa1058daa46a47bd41
Size

53.0MB
Sample

250322-ylqcmstky9
MD5

c692fa0dfc4fcfaa5dce4ea98d212465
SHA1

eb86bac588f58eeeb4475f0e5703f7dafdd9c1f4
SHA256

7ddbec7fac00ec5624f45da5879ebfa97d95b21c7842cbaa1058daa46a47bd41
SHA512

2d93dc2a53994027f20ffbb23cb6cf0144968d0457bc194f347814bda93077b4f4258dd4fa2ba140b3ea8b225724dbafcd1d24027baf42d1a3f81d3c4033981e
SSDEEP

786432:4p8UWG0mnu0Pkk6tCWsjaOAUa//yxNJGXO+1fey4wyrvfOyQ37Mhd6uPsiOyQ37W:4j1u0Pkk6tCbjoUyaYNeQohlPfQcd

Malware Config

Extracted

Family

revengerat

Botnet

Guest

127.0.0.1:333

Mutex

RV_MUTEX

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

192.168.100.15:1120

127.0.0.1:1120

201.14.241.58:1120

Mutex

zlayyfeneka

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

127.0.0.1:62271

renzik-62271.portmap.host:62271

127.0.0.1:47701

xyxviebet-47701.portmap.hos:47701

Attributes

Install_directory
%Temp%
install_file
svchost.exe

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

game(1)

saint8951.ddns.net:6522

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

127.0.0.1:5552

Mutex

279f6960ed84a752570aca7fb2dc1552

Attributes

reg_key
279f6960ed84a752570aca7fb2dc1552
splitter
|'|'|

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

basmtrke00.ddns.net:1177

Mutex

c5cc28849e1bf231257e550415541cf5

Attributes

reg_key
c5cc28849e1bf231257e550415541cf5
splitter
|'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:14888

health-eddie.gl.at.ply.gg:14888

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.4.9G

corporation.warzonedns.com:9341

Mutex

480-28105c055659

Attributes

delay
0
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  c39e5e577360a09a924844399e1953fb.exe
- Size
  
  17.7MB
- MD5
  
  c39e5e577360a09a924844399e1953fb
- SHA1
  
  cfcede39f7afad0df9473c8cd9d328db72dbd90b
- SHA256
  
  e8955e77203db68470ff9461e2faf9deed3df0c3fab1b0fd5d4c8a6595f5c72c
- SHA512
  
  78b865dbbefafce9a9948a14e2013c3650d028d87e3ed4b2a5d4281687c826b3cd8044274c0e54853f6b48533ac07af3065c6ad34b629c22587f26ad5aee35c7
- SSDEEP
  
  393216:8YGbY6iHonlQCe88BYdY3SHFPJXFODKSblmY+:87Y2CCe4dAmFOmSJm9
Score

7^/10

persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  c3a61d282c9a5249427d1c50d79414b05441de100982cf90354b0466ec013e2f.exe
- Size
  
  7.9MB
- MD5
  
  f9ccfba03895eb7877510ace1bf59a71
- SHA1
  
  87a165c002005a72324064922faf48c55ed809b6
- SHA256
  
  c3a61d282c9a5249427d1c50d79414b05441de100982cf90354b0466ec013e2f
- SHA512
  
  b61f17eb86b5d79e228100228f785703cc1582867b5be13b0ceda0bbe4329e2ccb31981365d0edd428e34c9db5f40bc5bc9faa54c52043f5c0983ae288ae8e47
- SSDEEP
  
  196608:c9sGLbd7rEWWn87E3QeotSqrG8YqcIXcZZBy:cmqbhrEbn87eZsFmq+m
Score

7^/10
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
behavioral3 behavioral4
- Target
  
  c3aaa8d0678c59cfe55a289d29c5b3d1.exe
- Size
  
  5.9MB
- MD5
  
  c3aaa8d0678c59cfe55a289d29c5b3d1
- SHA1
  
  2c592322b164e7fa9282bfdb7a650dbe4d41492c
- SHA256
  
  c18fdffa9d1b4bc8ae2f14f8685b9dcad5d250760d0fe059c522115dac9a3d24
- SHA512
  
  e36f85f15ee3e026fcac40603e8985277f1196d2435cb95c24ffa9afc1dbd09c69474be0d601c7b6a6c67bec203369cfb1e67aa6db1ae1a0056910b12bd70408
- SSDEEP
  
  98304:ByeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4G:ByeU11Rvqmu8TWKnF6N/1w3
Score

10^/10

dcrat defense_evasion execution infostealer rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral5 behavioral6
- Target
  
  c40612db16415a3ee8c44a6f5157ef0e20ae02daa0d2c9c0cb99eac72887466d.exe
- Size
  
  2.0MB
- MD5
  
  30418a412a039e750e959867f732afd3
- SHA1
  
  01ea877908ecfcf2d6bede5ff1137f878f862ecd
- SHA256
  
  c40612db16415a3ee8c44a6f5157ef0e20ae02daa0d2c9c0cb99eac72887466d
- SHA512
  
  9f861fb3b163009f65c4d576ac89b31c502b46bda9acb0110756a4bbf46a55e61f4b2e1481c603827e3f4fa12f19de7979fd7a76e1fd0feb3bb956c7706f5c59
- SSDEEP
  
  49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral7 behavioral8
- Target
  
  c45000d07293154a655ba52ffb7bab99.exe
- Size
  
  849KB
- MD5
  
  c45000d07293154a655ba52ffb7bab99
- SHA1
  
  4b4fbc2c00cf6c6c6fcea58074213c4f0606b80a
- SHA256
  
  f639fc426671cba387b08b8c14743bccfd9d13866982573a1ed2e150967c17ac
- SHA512
  
  2805351e0080a62061efb9bc7e3d953221df1180edfcf1142b59302a0afbcf3332a8855deaa9f147ebb11789a3cdbadf6073306000d03698537813bf579df674
- SSDEEP
  
  12288:I6NE5ig5Fttrh5PxjUm5SvDdLILaBFkjKuAMx6A5gtbGk84Ca04jtiPBgGKYTx:I6N297PxbsKtC5AHgk
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral10 behavioral9
- Target
  
  c4639b8ab98b523a89ed2bda24ad0398b38514d4a5737e6450912caaca523297.exe
- Size
  
  115KB
- MD5
  
  4bfc91ad73afd3925f3116fd870c6e65
- SHA1
  
  6715e01e71153f24cece377d6be80ed513e0acc2
- SHA256
  
  c4639b8ab98b523a89ed2bda24ad0398b38514d4a5737e6450912caaca523297
- SHA512
  
  daf2d857a96a5f71f670a0c352b365268df4a4a723a07f9d38c466265239eb30589afd8eed7971d1e8781a129c8c962c316014d4c07e1857352d2a217ad2e240
- SSDEEP
  
  1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDI3:P5eznsjsguGDFqGZ2rDI3
Score

10^/10

njrat neuf defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  c47cd916369fb96f0624e8c8a549946d.exe
- Size
  
  16KB
- MD5
  
  c47cd916369fb96f0624e8c8a549946d
- SHA1
  
  f7a18e9e87292c32dd956a23c223c1b19fd4aeb7
- SHA256
  
  9ae1914f28457c593679089eb29415f8a80ab46730a1e4e5f9dfdbe7d22860b9
- SHA512
  
  51df1ea3d544561789629901626ac1a2843181572f941dc827f29409bc113e483e42784e1acce45329f63423367f392cfb33d348953008119673a8482f541a2a
- SSDEEP
  
  384:6/5gk7lVzF3stf9oDPlMNcLlb5sVKhye5Ct:6/5gk7lVZUclMNEdo
Score

1^/10
behavioral13 behavioral14
- Target
  
  c486ed6acb598d864bd441b40bbb31df.exe
- Size
  
  6.8MB
- MD5
  
  c486ed6acb598d864bd441b40bbb31df
- SHA1
  
  4842165e42d247982c8dadbbe316ec8f1dcb1174
- SHA256
  
  6d0f06ad75a8a2959de87e4c142faa335f593d5af278f0617c1acc886c4a946a
- SHA512
  
  9fb7e9a285c6ca9b769dc9ed5eedd60e710064c59c32e6d7cd89b37e05ef4d782440bf4fd32729c6a4f090ff1c61e7017bd4578c1d32c4545e0b9e42054c0029
- SSDEEP
  
  12288:nsssDsssssssssssssssssssssssssssssssssssssbssssssssssssssssssssj:3
Score

7^/10

discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral15 behavioral16
- Target
  
  c4b4c8152f8279bd2440201d33beb75aa3078ebc76c0622bb4778375afb08adc.exe
- Size
  
  4.8MB
- MD5
  
  985cf8c243e489e9cf622a77eea80478
- SHA1
  
  764087f8032abcb375155328fb2eaf3aef1140a9
- SHA256
  
  c4b4c8152f8279bd2440201d33beb75aa3078ebc76c0622bb4778375afb08adc
- SHA512
  
  61db554590996297fde5cd74e1713a3f29bc8469c5b28cf94a2f64a81ed806004b8614a1bc048665446b264bd6090454806cd080769422d01138d2e44a87e9fd
- SSDEEP
  
  3072:fv2BuEK/hTTK3EW2pL81kunExjRn21W62b0T3t:fXU0W2pL8CunExjNET3
Score

10^/10

asyncrat default rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral17 behavioral18
- Target
  
  c4c197e50214b25100e10fb00b2ac6e0.exe
- Size
  
  273KB
- MD5
  
  c4c197e50214b25100e10fb00b2ac6e0
- SHA1
  
  1dfac5794ccab5ec1e3c4897b8069c85e44bde19
- SHA256
  
  91b9c5ee1050b5ba75f7ad5e1daace80e64220fc71cb4cda0a2265b0559afa5f
- SHA512
  
  11d6fca3edc71affd5ae97743ae2e3a4ed8172f73e1f1a4d799baeb335a1f2a0219f652b2bc5d4d6a45144b936e047842579a50926813eacd9b9be1bfb8a2878
- SSDEEP
  
  3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/s8sdTk:WFzDqa86hV6uRRqX1evPlwAEdA
Score

10^/10

asyncrat discovery persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  c4ca622404b5b4763e20a205a41db518.exe
- Size
  
  2.0MB
- MD5
  
  c4ca622404b5b4763e20a205a41db518
- SHA1
  
  a782fc1dc16fa55f8b7158f728f5c01fb0f955a2
- SHA256
  
  7e881d747f8a5b1e8ae2806b9495115ab1478a5df7fc40c42e862e4be1277753
- SHA512
  
  64c3eccdac84c83a692191512ef6e2abacfcb107a8343f03d51334e4cf4ce3aa43c9aff6d130bb69cdf4e90b635e8ab9d7bf1898e130614af45cdcbeaef2a3fc
- SSDEEP
  
  49152:TrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:TdxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral21 behavioral22
- Target
  
  c50b533887d2992f66c414bd95339750.exe
- Size
  
  74KB
- MD5
  
  c50b533887d2992f66c414bd95339750
- SHA1
  
  740522dd71843b4025f50e523fd00c57215dc312
- SHA256
  
  381d149112fecee669c654b31fb14b708897ff7bfc2d3077b8e55a441f97cfd4
- SHA512
  
  de3c379afe3ffb08669db1bc432380cef2d1d894145d454bb2c98cc2661e965a6618a45a33a37c3e59ba55fc7141f98f41494ff393daf389ea6c414a83351bfe
- SSDEEP
  
  1536:LUN0cxVGlCBiPMVye9VdQuDI6H1bf/VjVQzc+LVclN:LU2cxVMWiPMVye9VdQsH1bftZQXBY
Score

10^/10

asyncrat default rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
behavioral23 behavioral24
- Target
  
  c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
- Size
  
  1.6MB
- MD5
  
  5355cb64d0008d7ed7267cebea8f9bc4
- SHA1
  
  4f8fc970efa45c2f547e8583b49eb543b778f001
- SHA256
  
  c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f
- SHA512
  
  cd662e6d9f215b18867056fe70d9b04b2eaf7090577546d038218dfe8716379654cb6e5f1c6ca3672e8bd1844d5e7810486164cf8fe99054305a89eb51b4bac6
- SSDEEP
  
  24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops file in System32 directory
behavioral25 behavioral26
- Target
  
  c520bfebf2b7ca231d0b6bb731bc67c608dad8f84583daab3f8d0783fa3ae7a2.exe
- Size
  
  6.6MB
- MD5
  
  d4beada3399cd28b1fc5724463215d7b
- SHA1
  
  5a909bcfef757eda9fc1370a3aa6e768bc191be6
- SHA256
  
  c520bfebf2b7ca231d0b6bb731bc67c608dad8f84583daab3f8d0783fa3ae7a2
- SHA512
  
  998cbaf0cdee86ee75ece589df34367f466b5998d6ed833c6e41654876b962c8a07180ee94e724152b4870fe765e7dc96e0eef11a1081305b69b92d19860b9d8
- SSDEEP
  
  196608:1Nsg4AMgAiNsg4AMgAqNsg4AMgASNsg4AMgAuNsg4AMgAB:1Gg4aBGg4aNGg4apGg4a5Gg4a+
Score

10^/10

discovery execution xred backdoor collection persistence spyware stealer
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral27 behavioral28
- Target
  
  c53059381a17db7f48cf6871b7869c48.exe
- Size
  
  71KB
- MD5
  
  c53059381a17db7f48cf6871b7869c48
- SHA1
  
  56afbdfcedd33f8002d4624a83ce4a07dea43454
- SHA256
  
  d462a5239f8b7933b6202c0cd440b2593ac44be6ac5e9d12b1f3f6ba675e0e2b
- SHA512
  
  85a4d82bc75cc2365668de13df983bdf4ae8d39c37161da2ef1d747eeaf1cb0b5585ea1f973b4671a725e54bd47f3d288cd6dfff2dc30ed886f968a1a18302f2
- SSDEEP
  
  1536:V0qYHDDZY5rgvZzOnAaDBnza+bhVB4gc8ivg6bPQROE2HkKQOT/B:qqkDDu5rs9Ozc+bf7j2IROaXaB
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral29 behavioral30
- Target
  
  c59549cfc2b2687a8a799ef4b5c772e60d089fff5ccd837b46f07b019eb359b8.exe
- Size
  
  450KB
- MD5
  
  7f11e0f9b72d8db28b4c5db764044dc1
- SHA1
  
  8ea02f252178d7459a12846e396bdb8e2f982e98
- SHA256
  
  c59549cfc2b2687a8a799ef4b5c772e60d089fff5ccd837b46f07b019eb359b8
- SHA512
  
  ef0ea82060b80e843d9ccfd7f9718079539af3fb3817db149f7f9344d006be4e9ab67d7963ff08de6be994d54ce8c07abd76aedf000eb50945d93d11dad3bdbd
- SSDEEP
  
  6144:ul79nXgE03jDhZazH0Nmxwyg2e6VlWT8b9zYQt68Vw4wkGRR1V4rbA6DhKZm:i7fUaw+PVle8tJBwjxJZ
Score

1^/10
behavioral31 behavioral32