Manual Static Analysis — AsyncRAT | Threat: HIGH | CVSS: 7.5

File Identity

SHA256         45a576381409b82fb40689b7ddfa0b7ab3fe774e81d4a2da9a98435a2f2207a5
MD5            f509347c30d44b7056dff8021bad954d
File name      45a576381409b82fb40689b7ddfa0b7ab3fe774e81d4a2da9a98435a2f2207a5.exe
Size           33,726,096 bytes (32,935 KB)
Type           PE32+ executable for MS Windows 6.00 (GUI), x86-64, 7 sections
String count   56,560

PE Sections

Section    Virtual size (bytes)   Entropy
.text      181,824                6.47
.rdata     81,288                 5.75
.data      19,184                 1.82
.pdata     9,564                  5.47
.fptable   256                    0.00
.rsrc      271,932                1.60
.reloc     1,896                  5.25

Reading: no section reaches the 7.0+ entropy typical of packed or encrypted code, and the largest section (.rsrc) is low-entropy, so nothing in the mapped image is packed. The seven sections together account for roughly 566 KB, while the file is 33.7 MB; the remaining ~33 MB is not mapped into any section and sits as an overlay after the last section. That overlay, not the PE image, is where the bulk of this file lives and is the first thing to carve.

Import Table

  • USER32.dll
      • CreateWindowExW
      • ShutdownBlockReasonCreate
      • MsgWaitForMultipleObjects
      • ShowWindow
      • DestroyWindow
  • COMCTL32.dll (no named imports listed)
  • KERNEL32.dll
      • GetACP
      • IsValidCodePage
      • GetStringTypeW
      • GetFileAttributesExW
      • SetEnvironmentVariableW
  • ADVAPI32.dll
      • OpenProcessToken
      • GetTokenInformation
      • ConvertStringSecurityDescriptorToSecurityDescriptorW
      • ConvertSidToStringSidW
  • GDI32.dll
      • SelectObject

Reading: OpenProcessToken, GetTokenInformation and ConvertSidToStringSidW are the usual calls for inspecting the caller's own token (integrity level, SID), and ConvertStringSecurityDescriptorToSecurityDescriptorW builds a security descriptor from SDDL, typically to create an object with an explicit DACL. ShutdownBlockReasonCreate is a GUI API that registers a reason to block shutdown while the window is open. Nothing in the listed imports touches the network (no WS2_32, WININET or WINHTTP) and there is no mscoree.dll, which a .NET executable would import; if the full import table looks the same, the network and RAT capabilities attributed to the family are not evidenced by this file's own imports.
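The file is typed above as a native PE32+ x86-64 executable and its listed imports contain no mscoree.dll, whereas AsyncRAT proper is a .NET assembly. The decisive static check is whether the optional header's CLR runtime data directory (entry 14) is populated. The following Python is an added example written for this report, not the analysed sample's code or any tool the page cites; it parses the DOS/COFF/optional headers with struct only, and runs on a constructed, headers-only PE32+ image rather than the real file (the 0x2008/0x48 CLR directory values in the constructed image are arbitrary).

```python
"""Check whether a PE file carries a CLR (.NET) header and report basic header facts.

Added example for this report, not code from the analysed sample or the page's tooling.
The image produced by build_pe32plus() is constructed test data (headers only, not loadable).
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR runtime header (.NET)


def inspect_pe(data: bytes) -> dict:
    """Return machine, PE32/PE32+ flavour, section count and whether a CLR header is present."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, _opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:            # 64-bit layout: NumberOfRvaAndSizes at +108, dirs at +112
        dir_count_off, dir_base = opt + 108, opt + 112
    elif magic == PE32_MAGIC:              # 32-bit layout: NumberOfRvaAndSizes at +92, dirs at +96
        dir_count_off, dir_base = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, dir_count_off)[0]
    clr_rva = clr_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        entry = dir_base + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8
        clr_rva, clr_size = struct.unpack_from("<II", data, entry)
    return {
        "machine": {IMAGE_FILE_MACHINE_I386: "x86",
                    IMAGE_FILE_MACHINE_AMD64: "x86-64"}.get(machine, hex(machine)),
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "sections": nsections,
        "is_dotnet": clr_rva != 0 and clr_size != 0,
    }


def build_pe32plus(clr_rva: int = 0, clr_size: int = 0, nsections: int = 7) -> bytes:
    """Build a minimal PE32+ header blob (constructed test data) with an optional CLR directory."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)          # 64-byte DOS header
    opt_size = 112 + 16 * 8                                                  # fixed part + 16 directories
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, nsections, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * (108 - 2) + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8, clr_rva, clr_size)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)


if __name__ == "__main__":
    # Constructed images: a native one and one with a (made-up) CLR directory.
    for label, blob in (("native", build_pe32plus()), ("dotnet", build_pe32plus(0x2008, 0x48))):
        print(label, inspect_pe(blob))
```

To run it against a real file, pass `open(path, "rb").read()` to `inspect_pe`. A zero CLR directory on the outer executable does not exclude a .NET payload inside it: the profile below lists runtime assembly loading, and the large low-entropy .rsrc section and the 33 MB overlay are exactly where an embedded assembly would be carved from.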

IOC

SHA256          45a576381409b82fb40689b7ddfa0b7ab3fe774e81d4a2da9a98435a2f2207a5
MD5             f509347c30d44b7056dff8021bad954d
IP addresses    6.0.0.0, 3.4.1.7
Domains         crypto.io, selftest.io, microsoft.com
Mutexes         Tcl_MutexLock, end-of-block, Tcl_MutexUnlock
C2 candidates   crypto.io, microsoft.com

AsyncRAT — Malware Profile

AsyncRAT is a C#-based RAT family published as open source in 2019. It offers screen capture, a keylogger, file operations, a plugin system and, in derivative builds, HVNC. C2 traffic runs over TCP and is encrypted with AES-256-CBC (the client's Aes256 class derives the key from the configured password with PBKDF2 and authenticates each message with HMAC-SHA256), not AES-128. It is distributed with JS/PDF lures.

Malware Type:           RAT
Programming Language:   .NET C#
C2 Protocol:            TCP/SSL
Target Systems:         Windows
Also Known As (AKA):    AsyncClient

Technical Details

C# .NET; AES-256-CBC encryption of C2 traffic; TCP ports 6606/4449 as recorded here (the stock client configuration lists 6606, 7707 and 8808); mutex check; runtime assembly loading; anti-analysis (VM check, process list); HVNC; keylogger; stealer; botnet module.

Attribution / Threat Actor

Open source: the original developer published it on GitHub, and the cybercriminal community has used it continuously since. A large number of distinct threat actors use it, including in APT operations.

Capabilities & Behavior

Remote Access & Control
Keylogger
Screenshot
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism

IOC List (10 indicators)

IOC — AsyncRAT
Type     Value                                                               Note
sha256   45a576381409b82fb40689b7ddfa0b7ab3fe774e81d4a2da9a98435a2f2207a5    
md5      f509347c30d44b7056dff8021bad954d                                    
ip       6.0.0.0                                                             C2 candidate
ip       3.4.1.7                                                             C2 candidate
domain   crypto.io                                                           C2 domain
domain   selftest.io                                                         C2 domain
domain   microsoft.com                                                       C2 domain
mutex    Tcl_MutexLock                                                       Mutex
mutex    end-of-block                                                        Mutex
mutex    Tcl_MutexUnlock                                                     Mutex

Only the two hashes are usable as written. The other entries come from string extraction and need confirmation before use: 6.0.0.0 and 3.4.1.7 have the shape of version numbers rather than endpoints; microsoft.com is a legitimate domain; Tcl_MutexLock and Tcl_MutexUnlock are function names from the Tcl C API (which suggests a bundled Tcl/Tk runtime in the overlay), and end-of-block reads as a library message string rather than a synchronization object name. None of these should go onto a blocklist without dynamic analysis or network telemetry showing the sample actually using them.
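Most of the non-hash indicators above look like string-extraction artefacts, and the same patterns recur in automated reports. The following Python triage is an added example written for this report, not the page's tooling: it scores each indicator listed above as accept/review/reject and states why. The reference sets (legitimate domains, .NET namespaces, library symbol prefixes) and the version-string heuristic for IPs are assumptions of the example and should be extended with your own allowlists; they are not data from the page.

```python
"""Triage automatically extracted IOCs before they reach a blocklist.

Added example for this report, not part of the page's tooling. REPORT_IOCS reproduces the
indicator list printed on the page; the reference sets and heuristics below are assumptions.
"""
import ipaddress
import re

# Indicators as listed in the report (type, value).
REPORT_IOCS = [
    ("ip", "6.0.0.0"), ("ip", "3.4.1.7"),
    ("domain", "crypto.io"), ("domain", "selftest.io"), ("domain", "microsoft.com"),
    ("mutex", "Tcl_MutexLock"), ("mutex", "end-of-block"), ("mutex", "Tcl_MutexUnlock"),
]

# Heuristic reference data (assumption: seed lists, extend with your own allowlists).
LEGIT_DOMAINS = {"microsoft.com", "windows.com", "google.com"}
DOTNET_NAMESPACES = {"system.io", "system.net", "system.text"}
LIBRARY_SYMBOL_PREFIXES = ("Tcl_", "Tk_", "Py_", "_Py", "PyObject")


def classify_ip(value):
    """Reject non-routable addresses; flag dotted quads that read like file versions."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "reject", "not an IP address"
    if not ip.is_global:
        return "reject", "non-routable address"
    octets = [int(o) for o in value.split(".")]
    # Heuristic: a small leading number followed by .0.0 is the shape of a version (6.0.0.0).
    if octets[0] < 16 and octets[2:] == [0, 0]:
        return "review", "looks like a version string"
    if all(o < 10 for o in octets):
        return "review", "all octets single-digit; possible version string"
    return "accept", "routable, no version-string pattern"


def classify_domain(value):
    """Reject well-known legitimate names and .NET namespaces; flag bare .io regex hits."""
    v = value.lower().strip(".")
    if v in LEGIT_DOMAINS:
        return "reject", "well-known legitimate domain"
    if v in DOTNET_NAMESPACES:
        return "reject", "matches a .NET namespace (e.g. System.IO), not a hostname"
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", v):
        return "reject", "not a syntactically valid hostname"
    if v.endswith(".io") and v.count(".") == 1:
        return "review", "bare .io label; common regex artefact, confirm with DNS/telemetry"
    return "accept", "no red flags"


def classify_mutex(value):
    """Reject library symbol names; flag values that read like messages, not object names."""
    if value.startswith(LIBRARY_SYMBOL_PREFIXES):
        return "reject", "library export/symbol name, not a mutex"
    if " " in value or ("-" in value and value.islower()):
        return "review", "reads like a message string rather than an object name"
    return "accept", "plausible mutex name"


CLASSIFIERS = {"ip": classify_ip, "domain": classify_domain, "mutex": classify_mutex}


def triage(iocs):
    """Return (type, value, verdict, reason) for every indicator."""
    return [(kind, value, *CLASSIFIERS[kind](value)) for kind, value in iocs]


if __name__ == "__main__":
    for row in triage(REPORT_IOCS):
        print("%-7s %-16s %-7s %s" % row)
```

Run against this page's list, the script rejects microsoft.com and both Tcl_* names and marks everything else non-hash for review; nothing passes as a blockable indicator, which is the correct outcome for string-extracted IOCs that have not been confirmed dynamically.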

C2 Servers (8 recorded servers for this family)

Address         Type     Port   Protocol   Status   Country
system.io       domain   —      TCP        active   —
system.io       domain   —      TCP        active   —
microsoft.com   domain   —      TCP        active   —
microsoft.com   domain   —      TCP        active   —
system.io       domain   —      TCP        active   —
system.io       domain   —      TCP        active   —
microsoft.com   domain   —      TCP        active   —
microsoft.com   domain   —      TCP        active   —

The eight records reduce to two distinct names, neither with a port or a resolved address. microsoft.com is a legitimate domain and must not be blocked on this evidence, and system.io is what a domain regex extracts from the .NET namespace System.IO. Treat both as extraction artefacts unless network telemetry for the sample shows actual connections.

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
AsyncRAT, malware, static-analysis, IOC