asyncrat

General

Target

Infected (1).zip
Size

29KB
Sample

250323-pqa9vazybv
MD5

bc0de07976b768198dde7b01cc2dd5ae
SHA1

c5b4585226e99a2d87f397532b719a4f9baa7f74
SHA256

1ec4b145a87d112642b4ecf8d6dad2dbea8e3142a445d653e2421348a2d9afc7
SHA512

c2e441027ec17d74222424490933b91bad7d1076d42e458bac6b92b1a5d410f67e8214823a7f3c868fe253aa06296c3a6d630c97d0467467179fe9f9a7de1666
SSDEEP

768:2yH06w92Pf6WgQyT+qLbc6srv+L8qFEpHNXePVUYYnw:24zHf6fAqL3srv+4qFEhNeVonw

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

27.ip.gl.ply.gg:12362

147.185.221.27:12362

according-asks.gl.at.ply.gg:12362

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Infected.exe
- Size
  
  63KB
- MD5
  
  f42f55956743758432a268841e68bbd6
- SHA1
  
  f623961c98ae744960c9fc997fa6fd772a17d6e2
- SHA256
  
  1946c5429eff2cec7b13cf088dedbfabb40f4231bb9016e028eb9e876483a3ee
- SHA512
  
  e5f6624f16d3185b89ccf25c69f0b330d596c868b5e2bc2248a84bae787cdc015982acabb7c415ec7479314513a8d05cdb3fb4b0b4bdc19146589c70fd2ebe2f
- SSDEEP
  
  768:VFVsjkUAON78iHC8A+XuqazcBRL5JTk1+T4KSBGHmDbD/ph0oXG9lOHruSuDdpqM:VwAOJ9dSJYUbdh9G45uDdpqKmY7
Score

10^/10

asyncrat default rat stealerium collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation ransomware spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- Modifies Windows Defender TamperProtection settings
  evasion trojan
- Stealerium
  An open source info stealer written in C# first seen in May 2022.
  stealer stealerium
- Stealerium family
  stealerium
- Renames multiple (3658) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  defense_evasion trojan
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
behavioral1 behavioral2