asyncrat | 00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22 | Triage

Sharing

General

Target

00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22
Size

13.0MB
Sample

250326-xxw4wstjw5
MD5

66f293c1394e81b02da06a86f5bcb249
SHA1

ac0b8acc5eb9395d6a8a40be01a3e75a7208e23c
SHA256

00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22
SHA512

b3bd8252473e9960cdf32d3d89e6f1df3ced96621ae12d085e58705dd12803d5a3e90e1a6899545921f7f32f2bf9072fd26d147a0dd2fb4d3edc21f0a756ca1e
SSDEEP

393216:mtoHOLHsaSZ2pczKc1esHdZYjzGLO51D6GCoJ:NOL7mH9ZEN5h6RE

Score

10^/10

asyncrat metasploit default backdoor defense_evasion discovery evasion execution rat trojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:3001

108.252.227.16:3001

Attributes

delay
1
install
true
install_file
dsg$4yt.exe
install_folder
%AppData%

aes.plain

Extracted

Family

metasploit

Version

metasploit_stager

C2

0.0.0.0:3000

Targets

- Target
  
  00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22
- Size
  
  13.0MB
- MD5
  
  66f293c1394e81b02da06a86f5bcb249
- SHA1
  
  ac0b8acc5eb9395d6a8a40be01a3e75a7208e23c
- SHA256
  
  00421ec0e50c06c0d20a438de1d7f355b02ac6bec317bb4493fee4e291833f22
- SHA512
  
  b3bd8252473e9960cdf32d3d89e6f1df3ced96621ae12d085e58705dd12803d5a3e90e1a6899545921f7f32f2bf9072fd26d147a0dd2fb4d3edc21f0a756ca1e
- SSDEEP
  
  393216:mtoHOLHsaSZ2pczKc1esHdZYjzGLO51D6GCoJ:NOL7mH9ZEN5h6RE
Score

10^/10

asyncrat metasploit default backdoor defense_evasion discovery evasion execution rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Metasploit family
  metasploit
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratmetasploitdefaultbackdoordefense_evasiondiscoveryevasionexecutionrattrojan

behavioral2

asyncratmetasploitdefaultbackdoordefense_evasiondiscoveryevasionexecutionrattrojan