Manuel Statik Analiz — AsyncRAT | Tehdit: ÉLEVÉ | CVSS: 7.5

Fichier Kimliği

SHA25645a576381409b82fb40689b7ddfa0b7ab3fe774e81d4a2da9a98435a2f2207a5
MD5f509347c30d44b7056dff8021bad954d
Nom du fichier45a576381409b82fb40689b7ddfa0b7ab3fe774e81d4a2da9a98435a2f2207a5.exe
Taille33,726,096 byte (32935 KB)
TypePE32+ executable for MS Windows 6.00 (GUI), x86-64, 7 sections
String Sayısı56,560

PE Bölümleri

BölümV.SizeEntropi
.text181,8246.47
.rdata81,2885.75
.data19,1841.82
.pdata9,5645.47
.fptable2560.0
.rsrc271,9321.6
.reloc1,8965.25

Import Tablosu

  • USER32.dll
  • CreateWindowExW
  • ShutdownBlockReasonCreate
  • MsgWaitForMultipleObjects
  • ShowWindow
  • DestroyWindow
  • COMCTL32.dll
  • KERNEL32.dll
  • GetACP
  • IsValidCodePage
  • GetStringTypeW
  • GetFileAttributesExW
  • SetEnvironmentVariableW
  • ADVAPI32.dll
  • OpenProcessToken
  • GetTokenInformation
  • ConvertStringSecurityDescriptorToSecurityDescriptorW
  • ConvertSidToStringSidW
  • GDI32.dll
  • SelectObject

IOC

SHA25645a576381409b82fb40689b7ddfa0b7ab3fe774e81d4a2da9a98435a2f2207a5
MD5f509347c30d44b7056dff8021bad954d
IP Adresleri6.0.0.0, 3.4.1.7
Domaincrypto.io, selftest.io, microsoft.com
MutexTcl_MutexLock, end-of-block, Tcl_MutexUnlock
C2 Adaycrypto.io, microsoft.com

AsyncRAT — Profil du malware

AsyncRAT, 2019'da acik kaynak olarak yayimlanan C# tabanli RAT ailesidir. Ekran yakalama, keylogger, dosya islemleri, HVNC ve plugin sistemine sahiptir. C2 AES-128-CBC ile sifrelenir, TCP uzerinden calisir. JS/PDF yemi ile dagitilir.

Type de malware
RAT
Langage de programmation
.NET C#
Protocole C2
TCP/SSL
Systèmes ciblés
Windows
Aussi connu sous (AKA)
AsyncClient

Détails techniques

C# .NET, AES-128-CBC sifreleme, TCP port 6606/4449 (varsayilan), Mutex kontrol, Runtime assembly loading, Anti-analysis (VM check, Process listesi), HVNC, Keylogger, Stealer, Botnet modulu

Attribution / Acteur de la menace

Acik kaynak - orjinal gelistirici GitHub'da yayinladi; surekli siber suclu toplulugu tarafindan kullanilmaktadir. APT operasyonlari da dahil olmak uzere cok sayida farkli tehdit aktoru kullanmaktadir.

Capacités et comportement

Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması

Liste IOC (10 indicateurs)

IOC — AsyncRAT
# SHA256 45a576381409b82fb40689b7ddfa0b7ab3fe774e81d4a2da9a98435a2f2207a5 # MD5 f509347c30d44b7056dff8021bad954d # IP 6.0.0.0 # IP 3.4.1.7 # DOMAIN crypto.io # DOMAIN selftest.io # DOMAIN microsoft.com # MUTEX Tcl_MutexLock # MUTEX end-of-block # MUTEX Tcl_MutexUnlock
TypeValeurNote
sha256 45a576381409b82fb40689b7ddfa0b7ab3fe774e81d4a2da9a98435a2f2207a5
md5 f509347c30d44b7056dff8021bad954d
ip 6.0.0.0 C2 aday
ip 3.4.1.7 C2 aday
domain crypto.io C2 domain
domain selftest.io C2 domain
domain microsoft.com C2 domain
mutex Tcl_MutexLock Mutex
mutex end-of-block Mutex
mutex Tcl_MutexUnlock Mutex

Serveurs C2 (8 serveurs enregistrés pour cette famille)

Adresse Type Port Protocole Statut Pays
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —

Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.

Tags
AsyncRATmalwarestatik-analizIOC