Static Analysis — AsyncRAT | HIGH | CVSS: 7.5

File

SHA256   52c7cb1b79652bb317c68fb4173010bbbf937ed09af679802622c5ccfb5e63eb
MD5      e579f4f040e7d99ef57611b1df2bdee7
File     52c7cb1b79652bb317c68fb4173010bbbf937ed09af679802622c5ccfb5e63eb.exe
Size     37,693,352 bytes
Type     PE32+ executable for MS Windows 6.00 (console), x86-64, 7 sections
Strings  215,730
PDB      C:\Users\runneradmin\AppData\Local\Temp\pkg.24e0b2b2d51e47b9dba34c30\node\out\Release\node.pdb

Sections

Name     Entropy
.text    6.46
.rdata   6.21
.data    3.86
.pdata   6.8
_RDATA   2.91
.rsrc    6.16
.reloc   5.49

Import Table

  • dbghelp.dll
  • WS2_32.dll
  • IPHLPAPI.DLL
  • PSAPI.DLL
  • USERENV.dll
  • ADVAPI32.dll
  • USER32.dll
  • CRYPT32.dll
  • bcrypt.dll
  • KERNEL32.dll
  • WINMM.dll

IOC

SHA256   52c7cb1b79652bb317c68fb4173010bbbf937ed09af679802622c5ccfb5e63eb
MD5      e579f4f040e7d99ef57611b1df2bdee7
IP       8.1.5.1, 1.3.111.2, 15.1.3.4, 127.255.255.255, 1.3.36.3, 1.3.101.110, 1.3.14.3, 1.3.101.113
Domain   whatwg.org, invisible-island.net, github.com, genretrucklooksvalueframe.net, heap-refs.cc, nodejs.org, hooks.cc, sindresorhus.com
BTC      1MutatorUnifiedHeapMarkingVisitor, 1MutatorMinorGCMarkingVisitor, 3333333333333333UUUUUUUUUUUUUUUU, 1yg9iXHZqjNB6hQbbCEAwGxCGX6faVsgQt, 1SuppressMicrotaskExecutionScope
Mutex    GetStdoutMutex, RecursiveMutex, 0RecursiveMutex, 0SharedMutex

AsyncRAT — Malware Profile

AsyncRAT is a C#-based RAT family released as open source in 2019. It provides screen capture, a keylogger, file operations, HVNC and a plugin system. C2 traffic is encrypted with AES-128-CBC and carried over TCP. It is distributed via JS/PDF lures.

Malware Type           RAT
Programming Language   .NET C#
C2 Protocol            TCP/SSL
Target Systems         Windows
Also Known As (AKA)    AsyncClient

Technical Details

C# .NET, AES-128-CBC encryption, TCP port 6606/4449 (default), mutex check, runtime assembly loading, anti-analysis (VM check, process list), HVNC, keylogger, stealer, botnet module

Attribution / Threat Actor

Open source: the original developer published it on GitHub, and it has been in continuous use by the cybercriminal community since. A large number of different threat actors use it, including in APT operations.

Capabilities & Behavior

Remote Access & Control
Keylogger
Screen Capture
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism

IOC List (31 indicators)


C2 Servers (8 recorded servers for this family)

Address        Type    Port  Protocol  Status  Country
system.io      domain  —     TCP       active  —
system.io      domain  —     TCP       active  —
microsoft.com  domain  —     TCP       active  —
microsoft.com  domain  —     TCP       active  —
system.io      domain  —     TCP       active  —
system.io      domain  —     TCP       active  —
microsoft.com  domain  —     TCP       active  —
microsoft.com  domain  —     TCP       active  —

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
AsyncRAT, malware, static-analysis, IOC