General
  Target: epm_setup.exe
  Size: 45.9MB
  Sample: 211020-ekae9agef4
  MD5: 6021803b76b66d1ab76b94621f74ab0c
  SHA1: 077206a6c26f97e5e405a4461fc3b51dbdd55527
  SHA256: cb77e8fcca7d092f32186a6cebd99f1d4e2a35b7ea95387af0699ccc8a8e759a
  SHA512: 79f58011a09719d72f60e93a2d7efadc918e5005ee32e29c10bb00e737231319cfe737b6db25a4944a43af6fb879818edccc24ac396b71666d95e6ce0358f8d2
Static task
  static1
Behavioral task
  behavioral1
  Sample: B3A5EDD96F0E9D42DA79564D4F9B8764CC52D07896A843F03FDC34C7CC23F338.exe
  Resource: win7-en-20210920
Malware Config
Extracted: asyncrat
  Version: 0.5.7B
  Group: Default
  C2: pettbull.ddns.net:6606
  C2: pettbull.ddns.net:7707
  C2: pettbull.ddns.net:8808
  Mutex: AsyncMutex_6SI8OkPnk
  anti_vm: false
  bsod: false
  delay: 3
  install: false
  install_folder: %AppData%
  pastebin_config: null
Extracted: quasar
  Version: 1.4.0
  Tag: PRO21
  C2: pettbull.ddns.net:4782
  Mutex: 23e7ca58-8298-4c9f-b276-3466dcf2cfc0
  encryption_key: DAE9E02E5E04D59D9AF2AA1D5E82248D5919AC6A
  install_name: Windows Update.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Microsoft Windows
  subdirectory: System32

Both payloads beacon to the same dynamic-DNS host, pettbull.ddns.net, on four distinct ports (6606, 7707 and 8808 for AsyncRAT, 4782 for Quasar). The AsyncRAT config has install set to false, so that component does not copy itself into install_folder; the Quasar config, by contrast, installs as "Windows Update.exe" in a folder named System32 and registers a startup value named "Microsoft Windows", both chosen to blend in with legitimate Windows names. Block or sinkhole the host, not just the individual ports, since the same DDNS name can be re-pointed and re-used.
Targets
  Target: B3A5EDD96F0E9D42DA79564D4F9B8764CC52D07896A843F03FDC34C7CC23F338
  Size: 46.0MB
  MD5: 0821c3d4dee7db77d2b4fe56f242143f
  SHA1: 5238e22879987f3ed2d524eb147d1859f184957b
  SHA256: b3a5edd96f0e9d42da79564d4f9b8764cc52d07896a843f03fdc34c7cc23f338
  SHA512: 567035148517e9feffe094e1bccb5a8d2561051249a81cb5cbc250440c5e42a079fb6dd896853794168e49cd1fead9e1067930367bd572dfc6f56a9ec7fb5ad6

  Quasar Payload
  Async RAT payload
  Executes dropped EXE
  Drops startup file
  Loads dropped DLL
  Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP. The lookup itself is benign traffic; it is useful as context alongside the C2 connections, not as a detection on its own.
  Suspicious use of SetThreadContext
    Calling SetThreadContext on a thread in another process is a typical step in process hollowing and thread hijacking, so the RAT code is likely executed inside an injected host process rather than only as the dropped executable.
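The following is an added example, not part of the sandbox report, showing how the extracted AsyncRAT and Quasar indicators above can be turned into checks over host and network telemetry. The C2 host, ports, mutexes, install name, subdirectory and startup key are taken from the report; the Run key locations, the real System32 prefixes and the event records are assumptions constructed for the example.

```python
"""Match telemetry against the AsyncRAT / Quasar indicators extracted in the report.

Added example, not the sandbox's own code. Indicator values come from the report;
the event records at the bottom are constructed to exercise the checks.
"""
from __future__ import annotations

import ntpath

# Indicators taken from the extracted configs (lower-cased where compared case-insensitively).
C2_HOST = "pettbull.ddns.net"
ASYNCRAT_PORTS = {6606, 7707, 8808}
QUASAR_PORTS = {4782}
RAT_MUTEXES = {"AsyncMutex_6SI8OkPnk", "23e7ca58-8298-4c9f-b276-3466dcf2cfc0"}
QUASAR_INSTALL_NAME = "windows update.exe"
QUASAR_SUBDIR = "system32"
QUASAR_STARTUP_KEY = "microsoft windows"

# Assumption: the genuine System32 lives under the Windows directory; any other folder
# called System32 is a look-alike created to hide the payload.
REAL_SYSTEM32_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumption: startup values land in the standard per-user or per-machine Run key.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"


def check_network(dst_host: str, dst_port: int) -> list[tuple[str, str]]:
    """Attribute a connection to the C2 host to the family that owns the port."""
    if dst_host.lower() != C2_HOST:
        return []
    if dst_port in ASYNCRAT_PORTS:
        return [("asyncrat_c2", f"{dst_host}:{dst_port}")]
    if dst_port in QUASAR_PORTS:
        return [("quasar_c2", f"{dst_host}:{dst_port}")]
    # Same DDNS host on an unexpected port: still worth a look, the name can be re-pointed.
    return [("c2_host_unknown_port", f"{dst_host}:{dst_port}")]


def check_file_path(path: str) -> list[tuple[str, str]]:
    """Flag the Quasar install name inside a folder named System32, noting whether
    that folder is the real one or a look-alike (the config never specifies the base)."""
    lowered = path.lower()
    parent, name = ntpath.split(lowered)
    if name != QUASAR_INSTALL_NAME or ntpath.basename(parent) != QUASAR_SUBDIR:
        return []
    where = "real System32" if lowered.startswith(REAL_SYSTEM32_PREFIXES) else "look-alike System32"
    return [("quasar_install_path", f"{path} ({where})")]


def check_registry(key: str, value_name: str, data: str) -> list[tuple[str, str]]:
    """Flag a Run value that uses the Quasar startup_key or points at the install path."""
    if not key.lower().endswith(RUN_KEY_SUFFIX):
        return []
    hits: list[tuple[str, str]] = []
    if value_name.lower() == QUASAR_STARTUP_KEY:
        hits.append(("quasar_startup_key", f"{key}\\{value_name}"))
    if check_file_path(data.strip('"')):
        hits.append(("run_value_points_at_quasar_install", data))
    return hits


def check_mutex(name: str) -> list[tuple[str, str]]:
    """Flag creation of either RAT's mutex."""
    return [("rat_mutex", name)] if name in RAT_MUTEXES else []


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Run every check over a list of normalised telemetry events."""
    hits: list[tuple[str, str]] = []
    for ev in events:
        kind = ev["type"]
        if kind == "net":
            hits += check_network(ev["dst"], ev["port"])
        elif kind == "file":
            hits += check_file_path(ev["path"])
        elif kind == "reg":
            hits += check_registry(ev["key"], ev["name"], ev["data"])
        elif kind == "mutex":
            hits += check_mutex(ev["name"])
    return hits


# Constructed events: four malicious, three benign.
SAMPLE_EVENTS = [
    {"type": "net", "dst": "pettbull.ddns.net", "port": 6606},
    {"type": "net", "dst": "pettbull.ddns.net", "port": 4782},
    {"type": "net", "dst": "update.example.com", "port": 443},
    {"type": "file", "path": r"C:\Users\victim\AppData\Roaming\System32\Windows Update.exe"},
    {"type": "file", "path": r"C:\Windows\System32\svchost.exe"},
    {"type": "reg", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Microsoft Windows",
     "data": r"C:\Users\victim\AppData\Roaming\System32\Windows Update.exe"},
    {"type": "mutex", "name": "AsyncMutex_6SI8OkPnk"},
    {"type": "mutex", "name": r"Local\SomeBenignMutex"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:40s} {detail}")
```

The host check deliberately reports the C2 name on any port, because the DDNS name is the durable indicator while the ports are per-build settings; the file check keys on the install name plus the System32 folder name only, since the Quasar config gives the subdirectory but not the base folder, and reports separately whether the folder is the Windows one.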