asyncrat

General

Target

gitadmincry.exe
Size

582KB
Sample

230120-yjne9sbe6s
MD5

7fc99168d3d3c1bcbdf46a322ea3adef
SHA1

6218d1212f5c4e40f8aa7211dbe828a65117119f
SHA256

79d5d50575d3e18ebea2cd8ce8fdc0e9e58cc151e3ae72207991068b587d6432
SHA512

97245e5dc9eade3ff198e3d77cddf71cb1157c1179ffa9fd7f06ad15c7f843077c83c7e7537dc61789781350baaac916c6c5b35557d441dceef0ab4a5c60c97c
SSDEEP

6144:+7/s2WI4WxewKi/i/iLx+W8kf34BohmNjg+jXo15vZb6LPwXRklnXibi:+vx8KK2UW39mKnVWaAQ

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

Ratatouille 0.1.0

Botnet

Github

C2

179.43.187.19:33

179.43.187.19:2525

179.43.187.19:4523

179.43.187.19:5555

Mutex

sdhgamkfgae4-github

Attributes

delay
3
install
true
install_file
$77-update.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

cheat

C2

179.43.187.19:18875

Extracted

Family

quasar

Version

1.4.0

Botnet

r77Version

C2

179.43.187.19:2326

Mutex

d6db683c-9b85-4417-b1a3-4ff8bec1d98b

Attributes

encryption_key
83FE26AAD844F101036726AFCD7F28CF377D20AF
install_name
$77Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$77Client
subdirectory
$77win

Targets

- Target
  
  gitadmincry.exe
- Size
  
  582KB
- MD5
  
  7fc99168d3d3c1bcbdf46a322ea3adef
- SHA1
  
  6218d1212f5c4e40f8aa7211dbe828a65117119f
- SHA256
  
  79d5d50575d3e18ebea2cd8ce8fdc0e9e58cc151e3ae72207991068b587d6432
- SHA512
  
  97245e5dc9eade3ff198e3d77cddf71cb1157c1179ffa9fd7f06ad15c7f843077c83c7e7537dc61789781350baaac916c6c5b35557d441dceef0ab4a5c60c97c
- SSDEEP
  
  6144:+7/s2WI4WxewKi/i/iLx+W8kf34BohmNjg+jXo15vZb6LPwXRklnXibi:+vx8KK2UW39mKnVWaAQ
Score

10^/10

asyncrat quasar redline cheat github r77version discovery evasion infostealer rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Async RAT payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2