asyncrat | AsyncClient[.]exe | Triage

Sharing

General

Target

AsyncClient.exe
Size

88KB
MD5

253a8c072df4c5a81da1c88eb2378ac1
SHA1

9cac2c633ff7fc9da16593b92db269ca38082b32
SHA256

bc5d0c784ccc8c455b30a7c793511e4d702d00f4f8003da5f603c0b4ace22c9a
SHA512

19ef5c01ffe342f941fb7934a95083bdd2940646ebb374f3e2a75f8bad25c38ef9a271abe33cc02ae32cbf74c97f4912ed185f291e42e8dc635e849cdddff202
SSDEEP

1536:xu6BdTAur2yobJzdF4ym4bTFTzGQrI5byDJdSfCPw4:xu6PTAur2yobJzdF4v4bTtzLk5ODJ8fu

Score

10^/10

rat default asyncrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

Mutex

WarpDancer

Attributes

delay
3
install
true
install_file
Zirael.exe
install_folder
%Temp%
pastebin_config
httphs://pastebin.com/raw/s14cUU5G

aes.plain

Signatures

Async RAT payload 1 IoCs
rat

Processes:

resource yara_rule

sample family_asyncrat
Asyncrat family
asyncrat
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

AsyncClient.exe

Files

AsyncClient.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 44KB - Virtual size: 44KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 43KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ