General
-
Target
8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7
-
Size
47KB
-
Sample
230306-2a315sfb39
-
MD5
4df29d7678c4533be7a9ad05e4bf752a
-
SHA1
c6ee50bf6f5a8525e73b8394e6646de4b56c0deb
-
SHA256
8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7
-
SHA512
52861a3bf99ad4be25003952b7802a6f47aea7b335321f2d041426edbfafd84d3f9ef971726214ffd43c737ff7360aa5e1fa595fc3cfbfef1761cb045ac21744
-
SSDEEP
768:aueq1TFBA3VWU1+fhcvmo2qjwU3dmPIwMbhEe0blghZx6Ue7sbKoRTG72BDZ8x:aueq1TFm92m3dPwM9SblghZ4s6Yd8x
Malware Config
Extracted
asyncrat
0.5.7B
PI-004-A
172.104.148.228:6606
fusioncore32023.hopto.org:6606
fusioncore_was_here
-
delay
3
-
install
true
-
install_file
WindowsSettingsHelper.exe
-
install_folder
%AppData%
Extracted
quasar
1.3.0.0
Office04
172.104.148.228:6543
QSR_MUTEX_9URkjHbkkxjQwDXSLD
-
encryption_key
EZAOSqk4R6oufxKJ5VTU
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Security Updater
-
subdirectory
SubDir
Extracted
asyncrat
AsyncRAT-Sharp X SiphonFilter 0.5.8B
VERSION 3
ndospjn.ddns.net:4563
SDFSSDFSFSFS()YERSFdaDSWGHIUHERGBIE()RYHEIRUYGBEIRUGYREIUGERGERG
-
delay
3
-
install
true
-
install_file
dmpF4GD3.tmp.scr.exe
-
install_folder
%Temp%
Extracted
blacknet
v3.7.0 Public
94qG4s
http://apiv2.3utilities.com/BLACKNETLETSGO
BN[]
-
antivm
true
-
elevate_uac
false
-
install_name
svchost.exe
-
splitter
|BN|
-
start_name
dda1b105bd6ab4ab1ba2c6f9c1bb8283
-
startup
true
-
usb_spread
false
Extracted
asyncrat
0.0.1A
Default
ndospjn.ddns.net:7533
DSFGSSGOIUHROEIBoiEb3
-
delay
3
-
install
true
-
install_file
DFSOIUFDOIUFDES.TMP.exe
-
install_folder
%Temp%
Targets
-
-
Target
8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7
-
Size
47KB
-
MD5
4df29d7678c4533be7a9ad05e4bf752a
-
SHA1
c6ee50bf6f5a8525e73b8394e6646de4b56c0deb
-
SHA256
8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7
-
SHA512
52861a3bf99ad4be25003952b7802a6f47aea7b335321f2d041426edbfafd84d3f9ef971726214ffd43c737ff7360aa5e1fa595fc3cfbfef1761cb045ac21744
-
SSDEEP
768:aueq1TFBA3VWU1+fhcvmo2qjwU3dmPIwMbhEe0blghZx6Ue7sbKoRTG72BDZ8x:aueq1TFm92m3dPwM9SblghZ4s6Yd8x
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
-
BlackNET payload
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Async RAT payload
-
XMRig Miner payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-