General
-
Target
1d603f40cb63b0d31f644d2e426fa964a3b962ad4632eb28316b0c56a9577feb
-
Size
1.3MB
-
Sample
230508-3lbayadc54
-
MD5
47c37998c84eaf77482af353eaba2de5
-
SHA1
8d1579bad6debe8e4624adc4be73acdef6ee6345
-
SHA256
1d603f40cb63b0d31f644d2e426fa964a3b962ad4632eb28316b0c56a9577feb
-
SHA512
dcaf3f385caf0e81761e909ecbc6bc6f569d7c3708bfd5b764035aa89be05eb3995f9ea2fe7dca3162ecb755390b54ce852a0d8cc9c75af47144d45a53e46fe9
-
SSDEEP
24576:yMdFXdYeUwNNeywJmpfcdr+2LaZBxWG8nb+CyJUCr:yM7KeUwxp
Behavioral task
behavioral1
Sample
1d603f40cb63b0d31f644d2e426fa964a3b962ad4632eb28316b0c56a9577feb.exe
Resource
win7-20230220-en
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
rwxbewqtbkpqpnbb
Extracted
asyncrat
0.5.7B
Default
jamiekarvans.duckdns.org:10000
AsyncMutex_6easdeef
-
delay
3
-
install
true
-
install_file
kmplayer64.exe
-
install_folder
%AppData%
Extracted
quasar
1.4.0
NewEra
jamiekarvans.duckdns.org:10000
d53c1ec1-0419-49be-ba5b-4d9ee3127d55
-
encryption_key
5D2C1D0FD9A0712AF2B5B247A2309DC0B2FCDB3D
-
install_name
taskhostw.exe
-
log_directory
Subtitle
-
reconnect_delay
30
-
startup_key
taskhostw
-
subdirectory
SubtitleDirect
Targets
-
-
Target
1d603f40cb63b0d31f644d2e426fa964a3b962ad4632eb28316b0c56a9577feb
-
Size
1.3MB
-
MD5
47c37998c84eaf77482af353eaba2de5
-
SHA1
8d1579bad6debe8e4624adc4be73acdef6ee6345
-
SHA256
1d603f40cb63b0d31f644d2e426fa964a3b962ad4632eb28316b0c56a9577feb
-
SHA512
dcaf3f385caf0e81761e909ecbc6bc6f569d7c3708bfd5b764035aa89be05eb3995f9ea2fe7dca3162ecb755390b54ce852a0d8cc9c75af47144d45a53e46fe9
-
SSDEEP
24576:yMdFXdYeUwNNeywJmpfcdr+2LaZBxWG8nb+CyJUCr:yM7KeUwxp
-
Quasar payload
-
Async RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-