asyncrat | f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af | Triage

Sharing

General

Target

f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af
Size

3.1MB
Sample

250417-x1hexaztdw
MD5

140f3d3e62eec69edafd3ff855ef3bf7
SHA1

155e413504169fe58e418c545c48fe3254a91ae5
SHA256

f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af
SHA512

4ba11cc149a6795e2abc1f8a5f593d48437205e8360b989c6ba05033f41a9271339a541b8d763da4a95b4d5b8967cb8db5bf74e71754741fa93228f7a6b50513
SSDEEP

49152:yaBI3hJnoRWOhPqcNHwTIgsLWF8lv9Xeh5Lvqg7ESHPG+c8+SEGQEx:7BKJOW8NmDWlvgh5LvuSuNTSEGPx

Score

10^/10

asyncrat darkcomet new-pure-2025-apr-444 null discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

New-pure-2025-apr-444

C2

klarkgabi.zapto.org:37223

Mutex

DC_MUTEX-B6EB1ZG

Attributes

InstallPath
calc.exe
gencode
EMfVQBDB7LEd
install
true
offline_keylogger
true
password
hhhhhh
persistence
false
reg_key
wincalc

rc4.plain

Extracted

Family

asyncrat

Version

0.5.6A

Botnet

null

C2

klarkgabi.zapto.org:9907

Mutex

servnew7888

Attributes

delay
5
install
false
install_file
winplay.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af
- Size
  
  3.1MB
- MD5
  
  140f3d3e62eec69edafd3ff855ef3bf7
- SHA1
  
  155e413504169fe58e418c545c48fe3254a91ae5
- SHA256
  
  f0adb709ba8e38ae71df5ff83d9fe814f4546ea2f2bf14c0847bc6b4742fa2af
- SHA512
  
  4ba11cc149a6795e2abc1f8a5f593d48437205e8360b989c6ba05033f41a9271339a541b8d763da4a95b4d5b8967cb8db5bf74e71754741fa93228f7a6b50513
- SSDEEP
  
  49152:yaBI3hJnoRWOhPqcNHwTIgsLWF8lv9Xeh5Lvqg7ESHPG+c8+SEGQEx:7BKJOW8NmDWlvgh5LvuSuNTSEGPx
Score

10^/10

asyncrat darkcomet new-pure-2025-apr-444 null discovery persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratdarkcometnew-pure-2025-apr-444nulldiscoverypersistencerattrojan

behavioral2

asyncratdarkcometnew-pure-2025-apr-444nulldiscoverypersistencerattrojan