asyncrat

General

Target

epm_setup.exe
Size

45.9MB
Sample

211020-ee1p9ahedk
MD5

6021803b76b66d1ab76b94621f74ab0c
SHA1

077206a6c26f97e5e405a4461fc3b51dbdd55527
SHA256

cb77e8fcca7d092f32186a6cebd99f1d4e2a35b7ea95387af0699ccc8a8e759a
SHA512

79f58011a09719d72f60e93a2d7efadc918e5005ee32e29c10bb00e737231319cfe737b6db25a4944a43af6fb879818edccc24ac396b71666d95e6ce0358f8d2

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

pettbull.ddns.net:6606

pettbull.ddns.net:7707

pettbull.ddns.net:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Extracted

Family

quasar

Version

1.4.0

Botnet

PRO21

C2

pettbull.ddns.net:4782

Mutex

23e7ca58-8298-4c9f-b276-3466dcf2cfc0

Attributes

encryption_key
DAE9E02E5E04D59D9AF2AA1D5E82248D5919AC6A
install_name
Windows Update.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Windows
subdirectory
System32

Targets

- Target
  
  B3A5EDD96F0E9D42DA79564D4F9B8764CC52D07896A843F03FDC34C7CC23F338
- Size
  
  46.0MB
- MD5
  
  0821c3d4dee7db77d2b4fe56f242143f
- SHA1
  
  5238e22879987f3ed2d524eb147d1859f184957b
- SHA256
  
  b3a5edd96f0e9d42da79564d4f9b8764cc52d07896a843f03fdc34c7cc23f338
- SHA512
  
  567035148517e9feffe094e1bccb5a8d2561051249a81cb5cbc250440c5e42a079fb6dd896853794168e49cd1fead9e1067930367bd572dfc6f56a9ec7fb5ad6
Score

10^/10

asyncrat default discovery rat suricata quasar pro21 spyware trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
  suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
  suricata
- suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
  suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
  suricata
- Async RAT payload
  rat
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Quasar Payload

Quasar RAT

suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Async RAT payload

Executes dropped EXE

Drops startup file

Loads dropped DLL

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2