asyncrat | ad091aff1603773230aa3ec020c30c96bf53e36baaf128c5056bc06d8254ca72 | Triage

Sharing

General

Target

ad091aff1603773230aa3ec020c30c96bf53e36baaf128c5056bc06d8254ca72
Size

30.1MB
Sample

250328-e7bxla11ev
MD5

5fb9e419d4ae63f3483630e314aedf4b
SHA1

fd0e4f4c9faacf239154bffc4ab9df2a36d5a38a
SHA256

ad091aff1603773230aa3ec020c30c96bf53e36baaf128c5056bc06d8254ca72
SHA512

50dd2aaf40a63c2604b74a303402344d5d34e8191790099a23dd842baa98fca108c414352e167485b2ee333a184eb17667d0ae9036920c8b1f49104c6f627f4b
SSDEEP

786432:CGHzzuqE2+z5m4K+I6yybsorCII/v9ZH4+gX/AxWMX84j5NF:CGHzm2+zvKb6yybHrCJDzSAxZF

Score

10^/10

asyncrat eulenv4 defense_evasion discovery evasion rat trojan

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

EulenV4

Mutex

chxtzuezuve

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/KnhCGRrn

aes.plain

Targets

- Target
  
  ad091aff1603773230aa3ec020c30c96bf53e36baaf128c5056bc06d8254ca72
- Size
  
  30.1MB
- MD5
  
  5fb9e419d4ae63f3483630e314aedf4b
- SHA1
  
  fd0e4f4c9faacf239154bffc4ab9df2a36d5a38a
- SHA256
  
  ad091aff1603773230aa3ec020c30c96bf53e36baaf128c5056bc06d8254ca72
- SHA512
  
  50dd2aaf40a63c2604b74a303402344d5d34e8191790099a23dd842baa98fca108c414352e167485b2ee333a184eb17667d0ae9036920c8b1f49104c6f627f4b
- SSDEEP
  
  786432:CGHzzuqE2+z5m4K+I6yybsorCII/v9ZH4+gX/AxWMX84j5NF:CGHzm2+zvKb6yybHrCJDzSAxZF
Score

10^/10

asyncrat eulenv4 defense_evasion discovery rat evasion trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender notification settings
  defense_evasion trojan
- Async RAT payload
  rat
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

asyncrateulenv4defense_evasiondiscoveryrat

behavioral2

asyncrateulenv4defense_evasiondiscoveryevasionrattrojan