General
  Target: kk.bat
  Size: 182KB
  Sample: 230209-rzzpxafh6x
  MD5: df4da1ecd4c50871a1c4315f571e4402
  SHA1: 1dbbe9b3784cf5ecdd08b27132a7e31588954865
  SHA256: 9800bef9d4936ee96d4872fb686121dd7209f8b529e9bdc833c4fe54bb68f5c8
  SHA512: 5f9e47f865c48cb1f2070d5d393a5d3494074bfe2347e07c988d06c8244dd420181c210a8ebdd54f768a64a5906d0c9e3be271d44f6e5bd32991bc2cacf85d3e
  SSDEEP: 3072:ur2RTVYk0bjRtZLlnm6Gdk8vZQfjO8KifQ6vfegRI8mlgJJ4u6A0FzfghYE:BRiltZITy8ufjLQsBUlgeMYE
Static task
  static1

Behavioral task
  behavioral1
  Sample: kk.bat
  Resource: win10-20220812-en

Behavioral task
  behavioral2
  Sample: kk.bat
  Resource: win7-20221111-en
Malware Config

Extracted
  Family: asyncrat
  Version: 0.5.7B
  Botnet: Default
  C2:
    207.244.236.205:6606
    207.244.236.205:7707
    207.244.236.205:8808
  Mutex: AsyncMutex_6SI8OkPnk
  Attributes:
    delay: 3
    install: false
    install_folder: %AppData%

Extracted
  Family: quasar
  Version: 1.4.0
  Botnet: Office04
  C2:
    quasharr.ddns.net:4782
    quasharr21.ddns.net:4782
    quasharr22.ddns.net:4782
    quasharr33.ddns.net:4782
  Mutex: 1f1a8604-757c-4251-9294-1b6985c3c1c7
  Attributes:
    encryption_key: 2D1A3994D3C8E5C6071E7048589030F3E389DDC7
    install_name: Client.exe
    log_directory: Logs
    reconnect_delay: 3000
    startup_key: Windows
    subdirectory: SubDir
Targets
  Target: kk.bat
  Signatures:
  - Quasar payload
  - Async RAT payload
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.