asyncrat | 49fcfcbb8cc1c85f2c7ec36eb139df3b70b898689b8e7f58b7c054ca900a9ce4 | Triage

Sharing

General

Target

evo.gj.exe
Size

2.8MB
Sample

250329-3fa3zsvzbt
MD5

dee0ebab182b215c4e1fb1c7da903d8a
SHA1

84c3444a053cb709a4dd9b9928b40b4373b78732
SHA256

49fcfcbb8cc1c85f2c7ec36eb139df3b70b898689b8e7f58b7c054ca900a9ce4
SHA512

fa9c0d00dfb679a4d1c324390bcf2f8d562cf779e4f5487cb508f7167842c3453f545db593a218df3633aa36de98578115b9eaff7cd7b59969b1b264f78deb5c
SSDEEP

49152:z7YGtlq/IU6iZXNVxrGiPsPAmpoAzjicaCNH2kLLKevfQfGVGNPq0ATmn9/:X9+brGiPoB421fQOVGU05

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://3.27.199.84:3000/RuntimeBrokerSvc.exe

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

3.27.199.84:9182

Mutex

gRLpFG01LHh3

Attributes

delay
3
install
true
install_file
RuntimeBrokerSvc.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  evo.gj.exe
- Size
  
  2.8MB
- MD5
  
  dee0ebab182b215c4e1fb1c7da903d8a
- SHA1
  
  84c3444a053cb709a4dd9b9928b40b4373b78732
- SHA256
  
  49fcfcbb8cc1c85f2c7ec36eb139df3b70b898689b8e7f58b7c054ca900a9ce4
- SHA512
  
  fa9c0d00dfb679a4d1c324390bcf2f8d562cf779e4f5487cb508f7167842c3453f545db593a218df3633aa36de98578115b9eaff7cd7b59969b1b264f78deb5c
- SSDEEP
  
  49152:z7YGtlq/IU6iZXNVxrGiPsPAmpoAzjicaCNH2kLLKevfQfGVGNPq0ATmn9/:X9+brGiPoB421fQOVGU05
Score

10^/10

asyncrat default discovery execution rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

asyncratdefaultdiscoveryexecutionrat