asyncrat | dbf6a6e0987772661cbebb257cec32039d6a1782d1ddb6186f0988b552dedb91 | Triage

Sharing

General

Target

dbf6a6e0987772661cbebb257cec32039d6a1782d1ddb6186f0988b552dedb91
Size

2.0MB
Sample

250415-x856yaznt4
MD5

4aa312537e1070c0973034182e93661a
SHA1

554a11bb09a19b930254510684eb9338b8483acd
SHA256

dbf6a6e0987772661cbebb257cec32039d6a1782d1ddb6186f0988b552dedb91
SHA512

74a3c9330ab3fe69d4c3b5d9b0831cf9f6420b15eb38e2aff1cd50a1b5c05d272ad413b10207d1025e7144a06b2e912f557cd9af48f0e3d1eea5cd89fcbfa90e
SSDEEP

49152:DBPp7fcvG5folhCdDqXVAHF8OItSjbpwTpdOToS7eBfJXAu:DBB7fb5DlqX2HF8OIgXp268S7eBfKu

Score

10^/10

asyncrat neshta patch discovery persistence rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Patch

C2

45.74.34.32:1994

Mutex

FGTRDSGDFBGGSDFG_S5S54SDF

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  dbf6a6e0987772661cbebb257cec32039d6a1782d1ddb6186f0988b552dedb91
- Size
  
  2.0MB
- MD5
  
  4aa312537e1070c0973034182e93661a
- SHA1
  
  554a11bb09a19b930254510684eb9338b8483acd
- SHA256
  
  dbf6a6e0987772661cbebb257cec32039d6a1782d1ddb6186f0988b552dedb91
- SHA512
  
  74a3c9330ab3fe69d4c3b5d9b0831cf9f6420b15eb38e2aff1cd50a1b5c05d272ad413b10207d1025e7144a06b2e912f557cd9af48f0e3d1eea5cd89fcbfa90e
- SSDEEP
  
  49152:DBPp7fcvG5folhCdDqXVAHF8OItSjbpwTpdOToS7eBfJXAu:DBB7fb5DlqX2HF8OIgXp268S7eBfKu
Score

10^/10

asyncrat neshta patch discovery persistence rat spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Neshta payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Neshta family
  neshta
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Change Default File Association

Privilege Escalation

Event Triggered Execution

Change Default File Association

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratneshtapatchdiscoverypersistenceratspywarestealer

behavioral2

asyncratneshtapatchdiscoverypersistenceratspywarestealer