General

  • Target: 1d603f40cb63b0d31f644d2e426fa964a3b962ad4632eb28316b0c56a9577feb
  • Size: 1.3MB
  • Sample: 230508-3lbayadc54
  • MD5: 47c37998c84eaf77482af353eaba2de5
  • SHA1: 8d1579bad6debe8e4624adc4be73acdef6ee6345
  • SHA256: 1d603f40cb63b0d31f644d2e426fa964a3b962ad4632eb28316b0c56a9577feb
  • SHA512: dcaf3f385caf0e81761e909ecbc6bc6f569d7c3708bfd5b764035aa89be05eb3995f9ea2fe7dca3162ecb755390b54ce852a0d8cc9c75af47144d45a53e46fe9
  • SSDEEP: 24576:yMdFXdYeUwNNeywJmpfcdr+2LaZBxWG8nb+CyJUCr:yM7KeUwxp

Malware Config

Extracted

Credentials

  • Protocol: smtp
  • Host: smtp.gmail.com
  • Port: 587
  • Username: [email protected]
  • Password: rwxbewqtbkpqpnbb

Extracted

Family: asyncrat

Version: 0.5.7B

Botnet: Default

C2: jamiekarvans.duckdns.org:10000

Mutex: AsyncMutex_6easdeef

Attributes
  • delay: 3
  • install: true
  • install_file: kmplayer64.exe
  • install_folder: %AppData%

aes.plain

Extracted

Family: quasar

Version: 1.4.0

Botnet: NewEra

C2: jamiekarvans.duckdns.org:10000

Mutex: d53c1ec1-0419-49be-ba5b-4d9ee3127d55

Attributes
  • encryption_key: 5D2C1D0FD9A0712AF2B5B247A2309DC0B2FCDB3D
  • install_name: taskhostw.exe
  • log_directory: Subtitle
  • reconnect_delay: 30
  • startup_key: taskhostw
  • subdirectory: SubtitleDirect

Targets

    • AsyncRat

      AsyncRAT is a remote access tool, written in C#, designed to remotely monitor and control other computers.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Async RAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application
