asyncrat | 890ff9e6467fd6f448189cc6cf0e0f048d116b8fd289cacc6460215702b7b45e | Triage

Sharing

General

Target

ORDER_253890-5645FD.PDF.js
Size

535KB
Sample

250330-xvgw7axlx5
MD5

930368ea6f7cd3ed52e3c11ce5a8b84b
SHA1

14205534d961366b4b5650a0bd751366d40e812d
SHA256

890ff9e6467fd6f448189cc6cf0e0f048d116b8fd289cacc6460215702b7b45e
SHA512

5bc116514e447a9edb47c85aa70a2f900241e3920bd8bacf374c78ee6caaa46c4525b7077ca44a69790b21189d48ae74efdd7993db1d728d09c419706c7db629
SSDEEP

3072:vMRy93zMk/wFRTiNy49mDvVHq07vg6fwTuP1c3TS:o82T8UJ7vg6fS0Se

Score

10^/10

asyncrat wshrat march-25-5 discovery execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

March-25-5

C2

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:7031

umarmira055.duckdns.org:2703

umarmira055.duckdns.org:7031

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

wshrat

C2

http://chongmei33.myddns.rocks:7044

Targets

- Target
  
  ORDER_253890-5645FD.PDF.js
- Size
  
  535KB
- MD5
  
  930368ea6f7cd3ed52e3c11ce5a8b84b
- SHA1
  
  14205534d961366b4b5650a0bd751366d40e812d
- SHA256
  
  890ff9e6467fd6f448189cc6cf0e0f048d116b8fd289cacc6460215702b7b45e
- SHA512
  
  5bc116514e447a9edb47c85aa70a2f900241e3920bd8bacf374c78ee6caaa46c4525b7077ca44a69790b21189d48ae74efdd7993db1d728d09c419706c7db629
- SSDEEP
  
  3072:vMRy93zMk/wFRTiNy49mDvVHq07vg6fwTuP1c3TS:o82T8UJ7vg6fS0Se
Score

10^/10

asyncrat wshrat march-25-5 discovery execution persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Wshrat family
  wshrat
- Async RAT payload
  rat
- Blocklisted process makes network request
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratwshratmarch-25-5discoveryexecutionpersistencerattrojan

behavioral2

asyncratwshratmarch-25-5discoveryexecutionpersistencerattrojan