asyncrat

General

Target

BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Size

584KB
Sample

221101-mq4kaaahg7
MD5

8553f9793539d4d17c13e464d606d7dc
SHA1

a033d05b0c0a5b220fde15827b5c716fbec3b398
SHA256

bdd2412c4cb1952748237e6cc32bb3d39a68cb4e1ed3e00db88e74532f1c4d2a
SHA512

2d672c0a5dfaa1ebd9ee7dbdfec33c8c32bd3b827b03b206ad1bbcb414e2efa65fc8d284ba9c5037800f3c8d69a2a64a864562732951581244722a26401f3aec
SSDEEP

6144:LHns2eIXWxewKi/i/iHBW0LM7Sx2R1i0t03ugcHg4TU48YMizi:LH4x4KKABW0g2x6/t2S/UfYM4

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

Ratatouille 0.1.0

Botnet

Youtube

C2

179.43.187.19:33

179.43.187.19:2525

179.43.187.19:4523

179.43.187.19:5555

Mutex

sdhgamkfgae4-youtube

Attributes

delay
3
install
true
install_file
$77-update.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

cheat

C2

179.43.187.19:18875

Extracted

Family

quasar

Version

1.4.0

Botnet

r77Version

C2

179.43.187.19:2326

Mutex

d6db683c-9b85-4417-b1a3-4ff8bec1d98b

Attributes

encryption_key
83FE26AAD844F101036726AFCD7F28CF377D20AF
install_name
$77Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$77Client
subdirectory
$77win

Targets

- Target
  
  BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
- Size
  
  584KB
- MD5
  
  8553f9793539d4d17c13e464d606d7dc
- SHA1
  
  a033d05b0c0a5b220fde15827b5c716fbec3b398
- SHA256
  
  bdd2412c4cb1952748237e6cc32bb3d39a68cb4e1ed3e00db88e74532f1c4d2a
- SHA512
  
  2d672c0a5dfaa1ebd9ee7dbdfec33c8c32bd3b827b03b206ad1bbcb414e2efa65fc8d284ba9c5037800f3c8d69a2a64a864562732951581244722a26401f3aec
- SSDEEP
  
  6144:LHns2eIXWxewKi/i/iHBW0LM7Sx2R1i0t03ugcHg4TU48YMizi:LH4x4KKABW0g2x6/t2S/UfYM4
Score

10^/10

asyncrat quasar redline cheat r77version youtube evasion infostealer rat spyware stealer trojan discovery
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Async RAT payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2