Overview

overview

10

Static

static

1

URLScan

urlscan

https://github.com/w...

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://github.com/wqlsz/discord-rat

  • Sample

    240510-2xextsef3y

Score
10/10
asyncratdiscordratquasarpopbobpopbobinsyntax bootstrapperdiscoverypersistencepyinstallerratrootkitspywarestealertrojan

Malware Config

Extracted

Family

asyncrat

Botnet

popbobin

C2

loan-mode.gl.at.ply.gg:3232

loan-mode.gl.at.ply.gg:56499
Attributes
  • delay

    1

  • install

    true

  • install_file

    ooga booga.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Syntax Bootstrapper

C2

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:6606

127.0.0.1:39473

lolzpopbob-31243.portmap.host:7707

lolzpopbob-31243.portmap.host:8808

lolzpopbob-31243.portmap.host:6606

lolzpopbob-31243.portmap.host:39473

lolzpopbob-31243.portmap.host:31243

lolzpopbob-31243.portmap.host:54984

lolzpopbob-31243.portmap.host:32817
Mutex

gte9kAyhP56e

Attributes
  • delay

    3

  • install

    true

  • install_file

    SyntaxBoostTrappera.exe

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

popbob

C2

26.54.54.253:4782

Mutex

e68ac88d-83ac-4c28-b500-1c248767b934

Attributes
  • encryption_key

    DA4DBB9EE2FF6F37FD6386C21A06F055A9BEF02D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIyMjc0MTc1MDE3OTY5NjY2MA.GTaP_b.Fj7PPHRSC9HZBuqab-hq8gnmLm8HwKIuQEUqGo

  • server_id

    1222323968766382140

Targets

    • Target

      https://github.com/wqlsz/discord-rat

    Score
    10/10
    asyncratdiscordratquasarpopbobpopbobinsyntax bootstrapperdiscoverypersistencepyinstallerratrootkitspywarestealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Discord RAT

      A RAT written in C# using Discord as a C2.

      stealerrootkitratpersistencediscordrat

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Async RAT payload

      rat

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Registers COM server for autorun

      persistence

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks