General
-
Target
http://51.79.49.73/crc/
-
Sample
230614-3ezpysea9y
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://51.79.49.73/crc/
Resource
win10v2004-20230220-en
Malware Config
Extracted
asyncrat
1.0.7
Default
192.168.175.1:1800
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
quasar
1.4.0
hplus20230325
103.136.199.131:4782
158.247.227.231:4782
17eb206f-a56e-4361-a18e-7ca16f3b99cc
-
encryption_key
3E9E141AD83C5BD6CE91880C0E256E15401EC674
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Google Chrome Updater
-
subdirectory
SubDir
Extracted
asyncrat
0.5.7B
Default
windows10-11.ddns.net:1111
windows10-11.ddnsfree.com:1111
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
agenttesla
https://api.telegram.org/bot5954474519:AAEGnfW1mRvGRxq-zIAvwJfpKEbhLLiqVaM/
Extracted
quasar
1.3.0.0
202
windows10-11.ddnsfree.com:5552
windows10-11.ddns.net:5552
QSR_MUTEX_boxEKxe8a0LoR2kBL1
-
encryption_key
KuJ4t6tq6AQ5l33A3aYj
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
quasar
1.3.0.0
300
windows10-11.ddnsfree.com:5552
windows10-11.ddns.net:5552
QSR_MUTEX_EDK2mTJCIRHYLqOOOz
-
encryption_key
ZTfuIwaAdGJ7DbdAS9Km
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
warzonerat
testing1212.ddns.net:5201
Extracted
remcos
Ares
nov231122.con-ip.com:7476
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
Windowsecurity.exe
-
copy_folder
Security Windows
-
delete_file
true
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Remcos-L3UAVE
-
screenshot_crypt
false
-
screenshot_flag
true
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
true
-
take_screenshot_time
5
Extracted
quasar
1.4.0
newcrypt
103.136.199.131:4782
158.247.227.231:4782
973aa178-3f17-48ed-b33e-52dd11425768
-
encryption_key
3E9E141AD83C5BD6CE91880C0E256E15401EC674
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Google Chrome Updater
-
subdirectory
SubDir
Extracted
remcos
4.6.0 Light
RemoteHost
127.0.0.1:1800
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-C9JE9X
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
http://51.79.49.73/crc/
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Quasar payload
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Async RAT payload
-
Warzone RAT payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-