asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b
Size

7.8MB
Sample

240702-nffadatenr
MD5

6474262f1aa80327912862eb9f816fa9
SHA1

b2fdabb371ea4a23adae02e3aa939b13c948c03b
SHA256

d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b
SHA512

fbb8e81c8d87661899ee8b105a6065affcf7c2b53c6a9d5700b2030e1a63886aefb7d4875ebc837d91757d972767918037d50a7b5661257dd55ac9fdad388427
SSDEEP

98304:XTCadF2VfHNZO2ZoXYS185r8YRYUbMO1RnUEJXzPtPki6g7oayYHkqibu/0eBKR3:jc0MhC85r3uO1Z3JXLtPki63Kns/CY

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b
- Size
  
  7.8MB
- MD5
  
  6474262f1aa80327912862eb9f816fa9
- SHA1
  
  b2fdabb371ea4a23adae02e3aa939b13c948c03b
- SHA256
  
  d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b
- SHA512
  
  fbb8e81c8d87661899ee8b105a6065affcf7c2b53c6a9d5700b2030e1a63886aefb7d4875ebc837d91757d972767918037d50a7b5661257dd55ac9fdad388427
- SSDEEP
  
  98304:XTCadF2VfHNZO2ZoXYS185r8YRYUbMO1RnUEJXzPtPki6g7oayYHkqibu/0eBKR3:jc0MhC85r3uO1Z3JXLtPki63Kns/CY
Score

10^/10

asyncrat stormkitty default persistence pyinstaller rat stealer privilege_escalation spyware
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Async RAT payload
  rat
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2