Manuel Statik Analiz — AsyncRAT | Tehdit: ALTO | CVSS: 7.5

Arquivo Kimliği

SHA25645a576381409b82fb40689b7ddfa0b7ab3fe774e81d4a2da9a98435a2f2207a5
MD5f509347c30d44b7056dff8021bad954d
Nome do arquivo45a576381409b82fb40689b7ddfa0b7ab3fe774e81d4a2da9a98435a2f2207a5.exe
Tamanho33,726,096 byte (32935 KB)
TipoPE32+ executable for MS Windows 6.00 (GUI), x86-64, 7 sections
String Sayısı56,560

PE Bölümleri

BölümV.SizeEntropi
.text181,8246.47
.rdata81,2885.75
.data19,1841.82
.pdata9,5645.47
.fptable2560.0
.rsrc271,9321.6
.reloc1,8965.25

Import Tablosu

  • USER32.dll
  • CreateWindowExW
  • ShutdownBlockReasonCreate
  • MsgWaitForMultipleObjects
  • ShowWindow
  • DestroyWindow
  • COMCTL32.dll
  • KERNEL32.dll
  • GetACP
  • IsValidCodePage
  • GetStringTypeW
  • GetFileAttributesExW
  • SetEnvironmentVariableW
  • ADVAPI32.dll
  • OpenProcessToken
  • GetTokenInformation
  • ConvertStringSecurityDescriptorToSecurityDescriptorW
  • ConvertSidToStringSidW
  • GDI32.dll
  • SelectObject

IOC

SHA25645a576381409b82fb40689b7ddfa0b7ab3fe774e81d4a2da9a98435a2f2207a5
MD5f509347c30d44b7056dff8021bad954d
IP Adresleri6.0.0.0, 3.4.1.7
Domaincrypto.io, selftest.io, microsoft.com
MutexTcl_MutexLock, end-of-block, Tcl_MutexUnlock
C2 Adaycrypto.io, microsoft.com

AsyncRAT — Perfil do malware

AsyncRAT, 2019'da acik kaynak olarak yayimlanan C# tabanli RAT ailesidir. Ekran yakalama, keylogger, dosya islemleri, HVNC ve plugin sistemine sahiptir. C2 AES-128-CBC ile sifrelenir, TCP uzerinden calisir. JS/PDF yemi ile dagitilir.

Tipo de malware
RAT
Linguagem de programação
.NET C#
Protocolo C2
TCP/SSL
Sistemas-alvo
Windows
Também conhecido como (AKA)
AsyncClient

Detalhes técnicos

C# .NET, AES-128-CBC sifreleme, TCP port 6606/4449 (varsayilan), Mutex kontrol, Runtime assembly loading, Anti-analysis (VM check, Process listesi), HVNC, Keylogger, Stealer, Botnet modulu

Atribuição / Ator da ameaça

Acik kaynak - orjinal gelistirici GitHub'da yayinladi; surekli siber suclu toplulugu tarafindan kullanilmaktadir. APT operasyonlari da dahil olmak uzere cok sayida farkli tehdit aktoru kullanmaktadir.

Capacidades e comportamento

Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması

Lista IOC (10 indicadores)

IOC — AsyncRAT
# SHA256 45a576381409b82fb40689b7ddfa0b7ab3fe774e81d4a2da9a98435a2f2207a5 # MD5 f509347c30d44b7056dff8021bad954d # IP 6.0.0.0 # IP 3.4.1.7 # DOMAIN crypto.io # DOMAIN selftest.io # DOMAIN microsoft.com # MUTEX Tcl_MutexLock # MUTEX end-of-block # MUTEX Tcl_MutexUnlock
TipoValorNota
sha256 45a576381409b82fb40689b7ddfa0b7ab3fe774e81d4a2da9a98435a2f2207a5
md5 f509347c30d44b7056dff8021bad954d
ip 6.0.0.0 C2 aday
ip 3.4.1.7 C2 aday
domain crypto.io C2 domain
domain selftest.io C2 domain
domain microsoft.com C2 domain
mutex Tcl_MutexLock Mutex
mutex end-of-block Mutex
mutex Tcl_MutexUnlock Mutex

Servidores C2 (8 servidores registrados para esta família)

Endereço Tipo Porta Protocolo Status País
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —

Os endereços C2 são fornecidos apenas a partir de amostras de malware verificadas manualmente pela equipe KEYDAL. O uso comercial é proibido.

Tags
AsyncRATmalwarestatik-analizIOC