General
-
Target
tmp
-
Size
88KB
-
Sample
220721-hx4fmseacn
-
MD5
d54251187d34bf23efbd1aeb8863fa80
-
SHA1
6d89ec633bf1fc506ba796846f1e108543b85756
-
SHA256
e103c29f6e8365d4ca9f843839556faadbb907060dbd711fa3119fe12944a635
-
SHA512
f3aa291302719ee8306cdaec43162e36c29a56a32ed3f78c081573a0a70dc22ad1ccdd8cdc74d9dfcd56f7fc41c0d149653b568bb771e65fa1a22e9c06979236
Malware Config
Extracted
asyncrat
1.0.7
Default
widda1.ddns.net:8848
widda1.ddns.net:8828
widda1.ddns.net:22
windda.ddns.net:8848
windda.ddns.net:8828
windda.ddns.net:22
runam.ddns.net:8848
runam.ddns.net:8828
runam.ddns.net:22
winam.ddns.net:8848
winam.ddns.net:8828
winam.ddns.net:22
DcRatMutex_qwqdanchun
-
delay
1
-
install
true
-
install_file
svchost.exe
-
install_folder
%AppData%
Targets
-
-
Target
tmp
-
Size
88KB
-
MD5
d54251187d34bf23efbd1aeb8863fa80
-
SHA1
6d89ec633bf1fc506ba796846f1e108543b85756
-
SHA256
e103c29f6e8365d4ca9f843839556faadbb907060dbd711fa3119fe12944a635
-
SHA512
f3aa291302719ee8306cdaec43162e36c29a56a32ed3f78c081573a0a70dc22ad1ccdd8cdc74d9dfcd56f7fc41c0d149653b568bb771e65fa1a22e9c06979236
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Neshta payload
-
Modifies Windows Defender Real-time Protection settings
-
Modifies system executable filetype association
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
Async RAT payload
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-