asyncrat

General

Target

https://github.com
Sample

240407-jwelkage2v

Score

10^/10

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyNjExNzA4MjI5OTYyOTU4OQ.GrM5Bi.Q6AkAXToCVgUFSQddwESQ9i03Hb8hChYfP_Mvo
server_id
1225929862271860808

Extracted

Path

C:\Users\Admin\Desktop\fortnite-hack-and-esp-free-2024-not-detected-main\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

LK1tcQzVjdOfCJrx

Attributes

Install_directory
%AppData%
install_file
sv_gost120938.exe

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

nvidia.zapto.org:1800

Mutex

81c389fb-31fe-4833-ba91-b648eb594019

Attributes

encryption_key
2FB04E694FBA442FB0237233F61FC3479E3721CB
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
nvidia
subdirectory
SubDir

Targets

- Target
  
  https://github.com
Score

10^/10

asyncrat discordrat quasar wannacry xworm zgrat office04 discovery evasion persistence ransomware rat rootkit spyware stealer trojan worm
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Detect ZGRat V1
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Downloads MZ/PE file
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1