Statik Analiz — AsyncRAT | HOCH | CVSS: 7.5

Datei

SHA256219cd46593951e1102f98f4831d2fe3627ea9143b2a9ade0560c21eab0b5af97
MD50c0af6b41100c5ca48a5c731d556c6d0
Datei219cd46593951e1102f98f4831d2fe3627ea9143b2a9ade0560c21eab0b5af97.exe
Größe3,267,072 byte
TypPE32 executable for MS Windows 4.00 (GUI), Intel i386 Mono/.Net assembly, 3 sections
Stringler15,517

Bölümler

AdEntropi
.text6.08
.rsrc4.78
.reloc0.1

Import Tablosu

  • mscoree.dll

IOC

SHA256219cd46593951e1102f98f4831d2fe3627ea9143b2a9ade0560c21eab0b5af97
MD50c0af6b41100c5ca48a5c731d556c6d0
IP6.0.0.0, 4.0.0.0, 5.6.130.0, 15.0.0.0, 1.4.1.0, 15.8.0.0, 1.0.0.0, 1.9.0.0
Domainsystem.io, system.net, common.io, crypto.io, microsoft.com, utilities.io, utilities.net
MutexReleaseMutex
C2system.io, system.net, common.io, crypto.io, microsoft.com

AsyncRAT — Malware-Profil

AsyncRAT, 2019'da acik kaynak olarak yayimlanan C# tabanli RAT ailesidir. Ekran yakalama, keylogger, dosya islemleri, HVNC ve plugin sistemine sahiptir. C2 AES-128-CBC ile sifrelenir, TCP uzerinden calisir. JS/PDF yemi ile dagitilir.

Malware-Typ
RAT
Programmiersprache
.NET C#
C2-Protokoll
TCP/SSL
Zielsysteme
Windows
Auch bekannt als (AKA)
AsyncClient

Technische Details

C# .NET, AES-128-CBC sifreleme, TCP port 6606/4449 (varsayilan), Mutex kontrol, Runtime assembly loading, Anti-analysis (VM check, Process listesi), HVNC, Keylogger, Stealer, Botnet modulu

Attribution / Bedrohungsakteur

Acik kaynak - orjinal gelistirici GitHub'da yayinladi; surekli siber suclu toplulugu tarafindan kullanilmaktadir. APT operasyonlari da dahil olmak uzere cok sayida farkli tehdit aktoru kullanmaktadir.

Fähigkeiten & Verhalten

Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması

IOC-Liste (17 Indikatoren)

IOC — AsyncRAT
# IP 6.0.0.0 # IP 4.0.0.0 # IP 5.6.130.0 # IP 15.0.0.0 # IP 1.4.1.0 # IP 15.8.0.0 # IP 1.0.0.0 # IP 1.9.0.0 # IP 2.4.0.0 # DOMAIN system.io # DOMAIN system.net # DOMAIN common.io # DOMAIN crypto.io # DOMAIN microsoft.com # DOMAIN utilities.io # DOMAIN utilities.net # MUTEX ReleaseMutex
TypWertBemerkung
ip 6.0.0.0 C2 aday
ip 4.0.0.0 C2 aday
ip 5.6.130.0 C2 aday
ip 15.0.0.0 C2 aday
ip 1.4.1.0 C2 aday
ip 15.8.0.0 C2 aday
ip 1.0.0.0 C2 aday
ip 1.9.0.0 C2 aday
ip 2.4.0.0 C2 aday
domain system.io C2 domain
domain system.net C2 domain
domain common.io C2 domain
domain crypto.io C2 domain
domain microsoft.com C2 domain
domain utilities.io C2 domain
domain utilities.net C2 domain
mutex ReleaseMutex Mutex

C2-Server (8 erfasste Server für diese Familie)

Adresse Typ Port Protokoll Status Land
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —
microsoft.com domain — TCP active —

C2-Adressen stammen ausschließlich aus vom KEYDAL-Team manuell verifizierten Malware-Samples. Kommerzielle Nutzung ist untersagt.

Tags
AsyncRATmalwarestatik-analizIOC