asyncrat | 14cf7648123e018dcdfc2aa386135a0510a9f7b12b8bc125ad4e32fd7f16999c | Triage

Submit
Reports

Overview

overview

Static

static

3

SolaraBoot...er.exe

windows7-x64

3

SolaraBoot...er.exe

windows10-2004-x64

Resubmissions

01-07-2024 16:01

240701-tf782ssbqj 3

01-07-2024 05:48

240701-ghphhaxfmh 10

Sharing

General

Target

SolaraBootstrapper.exe
Size

13KB
Sample

240701-ghphhaxfmh
MD5

8be476fb431fcf11156417f410acf978
SHA1

55a19def82358ffc006487e1f49be04277e12bd5
SHA256

14cf7648123e018dcdfc2aa386135a0510a9f7b12b8bc125ad4e32fd7f16999c
SHA512

cf747947ff0bedf87230e0fa08ee534f44f08962a52ae3dd0c0d734d6f4131456a0e2dc1ac230fa6500d5b254a64cae9e01161d1a690e26794c38d66e22cb5ed
SSDEEP

192:IUxOQrGVa/nHU0LgJ2jaVb4+LHdrDXy3pifUJ1hHxrWjd:hIQaVafU0LmqaVb4+xPy5ifU1hRyj

Score

10^/10

asyncrat solarafake evasion execution rat spyware stealer themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

SolaraBootstrapper.exe

Resource

win7-20240611-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

SolaraBootstrapper.exe

Resource

win10v2004-20240611-en

asyncrat solarafake evasion execution rat spyware stealer themida trojan

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

SolaraFake

C2

anyone-blogging.gl.at.ply.gg:22284

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
Windows.exe
install_folder
%Temp%

aes.plain

Targets

- Target
  
  SolaraBootstrapper.exe
- Size
  
  13KB
- MD5
  
  8be476fb431fcf11156417f410acf978
- SHA1
  
  55a19def82358ffc006487e1f49be04277e12bd5
- SHA256
  
  14cf7648123e018dcdfc2aa386135a0510a9f7b12b8bc125ad4e32fd7f16999c
- SHA512
  
  cf747947ff0bedf87230e0fa08ee534f44f08962a52ae3dd0c0d734d6f4131456a0e2dc1ac230fa6500d5b254a64cae9e01161d1a690e26794c38d66e22cb5ed
- SSDEEP
  
  192:IUxOQrGVa/nHU0LgJ2jaVb4+LHdrDXy3pifUJ1hHxrWjd:hIQaVafU0LmqaVb4+xPy5ifU1hRyj
Score

10^/10

asyncrat solarafake evasion execution rat spyware stealer themida trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

asyncratsolarafakeevasionexecutionratspywarestealerthemidatrojan

© 2018-2024

Terms | Privacy