asyncrat | d99ad82984ea2c08a54a8c02393be47433c7636ad775fa1ceb8e7ecc9c2883e9 | Triage

Sharing

General

Target

d99ad82984ea2c08a54a8c02393be47433c7636ad775fa1ceb8e7ecc9c2883e9
Size

3.5MB
Sample

250415-yj82zawwft
MD5

9cb4cd18f0fee675253a3a8fc69e1a72
SHA1

d6d25e4531b331acfd6be7293c276ed2405d45fc
SHA256

d99ad82984ea2c08a54a8c02393be47433c7636ad775fa1ceb8e7ecc9c2883e9
SHA512

cc585c3f1f1cf3b4d6607c98c48f5a1f1f9672aa1ba1585b195523fbd56bb1fd676395031ece2997f18f1eaee67a87f1630b02d109c2270dbb29828a6864d94f
SSDEEP

98304:47DMJgByk5AWxj67q/na1XLN9nxDhMNvJ:oDMWBtAWJ67q/MXp9nbKJ

Score

10^/10

asyncrat default defense_evasion discovery rat themida trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

0.0.0.0:6606

0.0.0.0:7707

0.0.0.0:8808

194.59.30.194:6606

194.59.30.194:7707

194.59.30.194:8808

Mutex

06WcuDultPup

Attributes

delay
3
install
true
install_file
AdoptMePetCopy.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  d99ad82984ea2c08a54a8c02393be47433c7636ad775fa1ceb8e7ecc9c2883e9
- Size
  
  3.5MB
- MD5
  
  9cb4cd18f0fee675253a3a8fc69e1a72
- SHA1
  
  d6d25e4531b331acfd6be7293c276ed2405d45fc
- SHA256
  
  d99ad82984ea2c08a54a8c02393be47433c7636ad775fa1ceb8e7ecc9c2883e9
- SHA512
  
  cc585c3f1f1cf3b4d6607c98c48f5a1f1f9672aa1ba1585b195523fbd56bb1fd676395031ece2997f18f1eaee67a87f1630b02d109c2270dbb29828a6864d94f
- SSDEEP
  
  98304:47DMJgByk5AWxj67q/na1XLN9nxDhMNvJ:oDMWBtAWJ67q/MXp9nbKJ
Score

10^/10

asyncrat default defense_evasion discovery rat themida trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratdefaultdefense_evasiondiscoveryratthemidatrojan

behavioral2

asyncratdefaultdefense_evasiondiscoveryratthemidatrojan