VRad

#ASyncRAT_260619

Jun 26th, 2019
#IOC #OptiData #VR #ASyncRAT #RTF #11882 #schtasks

https://pastebin.com/ZZLkbeiH

FAQ:
https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp
https://gitlab.com/thoxy/stealerlib
https://sslbl.abuse.ch/ssl-certificates/sha1/798d6f8e469e73ceae4dbeda4cf17743e3c65f3a/
https://seclists.org/snort/2019/q2/283

attack_vector
--------------
email attach .doc (RTF) > EQNEDT32 > GET > AppData\Roaming\SystemLT

email_headers
--------------
Return-Path: <info@limcologistics.com.ua>
Received: from cirrus.binally.gr (cirrus.binally.gr [95.211.140.98])
To: undisclosed-recipients:;
Subject: Запит - червень / липень
X-PHP-Originating-Script: 0:rcube.php
Date: Wed, 26 Jun 2019 09:13:39 +0100
From: info@limcologistics.com.ua
X-Sender: info@limcologistics.com.ua
User-Agent: Roundcube Webmail/1.1.9

files
--------------
SHA-256 cd2c2ec4dae718c538af12b8c35ef5771bafcb09187d57531829bbff7732a636
File name Вложение без имени 005??.doc (таблиці.doc) [Rich Text Format data, version 1]
File size 42.6 KB (43620 bytes)

SHA-256 8422021070373be11ea9c932fc8df8472faa0767af027c7c357c81741aeb68d5
File name payroll[1].exe [PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows]
File size 204 KB (208896 bytes)

SHA-256 f6d0bab22f47f76d7db51c3d0472f60f6cecb514e3a16d625e4fa4022548bfb5
File name SystemLT [PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows]
File size 530.57 KB (543304 bytes)

activity
**************
(!)
schtasks.exe /create /sc minute /mo 1 /tn SystemLT /tr C:\Users\operator\AppData\Roaming\SystemLT

C2 185.247.228.69 kingtexs-tvv[.] com [AsyncRAT Server CA0]

netwrk
--------------
[ssl]
104.27.142.252 m.put[.] re Client Hello
104.18.48.20 paste[.] ee Client Hello

comp
--------------
EQNEDT32.EXE 2800 TCP localhost 49232 104.27.143.252 443 ESTABLISHED

SystemLT 1744 TCP localhost 49235 104.18.49.20 443 ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde

[another context]

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
C:\Users\operator\AppData\Roaming\404625.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn SystemLT /tr C:\Users\operator\AppData\Roaming\SystemLT

[another context]

C:\Windows\system32\taskeng.exe taskeng.exe {3C8F9EDA-746D-4EED-B74B-ABF7D5A44361} S-1-5-21-136527031-2493574210-1221074019-1000:APM11\operator:Interactive:[1]
C:\Users\operator\AppData\Roaming\SystemLT

persist
--------------
Task Scheduler
\SystemLT Microsoft Corporation 5.8.9428.42177(win7sp1_rtm.101119-1850)
c:\users\operator\appdata\roaming\systemlt 26.06.2019 6:08

drop
--------------
C:\tmp\Temporary Internet Files\Content.IE5\F5G962KA\payroll[1].exe
C:\Users\operator\AppData\Roaming\404625.exe
C:\Users\operator\AppData\Roaming\SystemLT

# # #
https://www.virustotal.com/gui/file/cd2c2ec4dae718c538af12b8c35ef5771bafcb09187d57531829bbff7732a636/details
https://www.virustotal.com/gui/file/8422021070373be11ea9c932fc8df8472faa0767af027c7c357c81741aeb68d5/details
https://analyze.intezer.com/#/analyses/12569fca-c698-4ead-b472-81c7f2bd2545
https://www.virustotal.com/gui/file/f6d0bab22f47f76d7db51c3d0472f60f6cecb514e3a16d625e4fa4022548bfb5/details
https://analyze.intezer.com/#/analyses/f033a0e3-bd36-416e-bca6-1562703b98c8

VR

passwd_stealing_capabilities
--------------
For now it supports:
Chrome (Chrome, Chromium, Opera, Vivaldi, Brave, Torch, Comodo, Xpom, Orbitum, Kometa, Amigo and Nichrome) ²
Firefox ²
IE10 / Edge

YARA Rule for C2 communication
--------------
# --------------------
# Title: Win.Trojan.ASync RAT
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_AsyncRAT
# ClamAV:
# - MALWARE_Win.Trojan.AsyncRAT
# Hashes:
# - 818fa711c47af91faede1311d5a0ef60410899358cce18ce98aa22e412d1626d
# Note:
# - AsyncRAT Version: 0.4.9B
# - ssl_state:server_hello may not work, so it is removed from the Snort rule.
# - Packed with AutoIt.
# - Snort signature does not cover non-SSL variants.
# - Existing Yara/ClamAV signature hits:
# 1. INDICATOR_Binary_References_Sandbox_Hooking_DLL
# 2. INDICATOR_Binary_References_Many_Builtin_Windows_Executables
# 3. INDICATOR_Binary_References_Disabling_Windows_Defender_PWSH_Aritfacts

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Async RAT variant SSL certificate exchange"; flow:to_client,established; content:"|55 04 03 0C 12|AsyncRAT Server CA"; fast_pattern:only; metadata:ruleset community, service ssl; classtype:trojan-activity; sid:8000660; rev:1;)
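What the rule's content option actually matches, decoded and exercised as an added example (not part of the paste, of the Snort rule's author or of the AsyncRAT project): `55 04 03` is the body of OID 2.5.4.3 (id-at-commonName), `0C` the DER UTF8String tag and `12` the length 18 of the default certificate name. The two subject encodings below are constructed test data.

```python
"""Reproduce the Snort content match |55 04 03 0C 12|AsyncRAT Server CA in Python."""
from typing import List

# DER pieces the signature is built from:
#   55 04 03  -> OID 2.5.4.3 (id-at-commonName), without its own 06 03 tag/length
#   0C        -> UTF8String tag
#   12        -> length 18, which is exactly len("AsyncRAT Server CA")
CN_OID_BODY = bytes.fromhex("550403")
UTF8STRING_TAG = 0x0C
DEFAULT_ASYNCRAT_CN = b"AsyncRAT Server CA"


def snort_content_pattern() -> bytes:
    """Byte string equivalent to the rule's content:"|55 04 03 0C 12|AsyncRAT Server CA"."""
    return CN_OID_BODY + bytes([UTF8STRING_TAG, len(DEFAULT_ASYNCRAT_CN)]) + DEFAULT_ASYNCRAT_CN


def der_common_name(cn: bytes) -> bytes:
    """Encode AttributeTypeAndValue { type commonName, value UTF8String cn } in DER.

    Short-form lengths only (cn shorter than 128 bytes), which covers the CNs here.
    """
    oid = b"\x06\x03" + CN_OID_BODY
    value = bytes([UTF8STRING_TAG, len(cn)]) + cn
    inner = oid + value
    return b"\x30" + bytes([len(inner)]) + inner  # SEQUENCE wrapper


def matches_asyncrat_ca(payload: bytes) -> bool:
    """True when a TLS server payload (e.g. the Certificate message) carries the pattern."""
    return snort_content_pattern() in payload


def find_asyncrat_ca(payloads: List[bytes]) -> List[int]:
    """Indices of the payloads the rule would alert on."""
    return [i for i, p in enumerate(payloads) if matches_asyncrat_ca(p)]


# Constructed samples: the AsyncRAT default subject and a benign one.
MALICIOUS_SUBJECT = der_common_name(DEFAULT_ASYNCRAT_CN)
BENIGN_SUBJECT = der_common_name(b"example.com")

if __name__ == "__main__":
    print(snort_content_pattern().hex())
    print(find_asyncrat_ca([BENIGN_SUBJECT, MALICIOUS_SUBJECT]))  # [1]
```

Because the match is keyed to the default CN and its exact length byte, a server certificate rebuilt with another name falls outside this rule, just as the header notes non-SSL variants are not covered.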

@