asyncrat

Target

Downloaders.zip
Size

12KB
Sample

240522-k7dzvaad9z
MD5

94fe78dc42e3403d06477f995770733c
SHA1

ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512

add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP

384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

185.196.10.233:4782

79.132.193.215:4782

Mutex

b0fcdfbd-bdd4-4a5d-8ab1-7217539d4db6

Attributes

encryption_key
0EC03133971030F6D05E6D59F71626F6543BBE65
install_name
gfdgfdg.exe
log_directory
Logs
reconnect_delay
3000
startup_key
fgfdhdgg
subdirectory
gfgfgf

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Spread

94.156.10.12:80

94.156.10.12:443

94.156.8.44:80

94.156.8.44:443

Mutex

B7T0vEfLYvgG

Attributes

delay
300
install
false
install_folder
%AppData%

aes.plain

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002

Extracted

Family

xworm

Version

5.0

85.203.4.146:7000

5.182.87.154:7000

Mutex

eItTbYBfBYihwkyW

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

85.209.133.18:4545

5.182.87.154:4449

Mutex

tdipywykihsjieff

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
taskhostw.exe
pastebin_url
https://pastebin.com/raw/Xuc6dzua

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

127.0.0.1:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  4363463463464363463463463.exe
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

10^/10

evasion execution persistence vmprotect asyncrat glupteba quasar redline office04 spread discovery dropper infostealer loader rat rootkit spyware trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender notification settings
  evasion trojan
- Modifies security service
  evasion
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Looks for VirtualBox Guest Additions in registry
  evasion
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Looks for VMWare Tools registry key
  evasion
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  New Text Document mod.exe
- Size
  
  8KB
- MD5
  
  69994ff2f00eeca9335ccd502198e05b
- SHA1
  
  b13a15a5bea65b711b835ce8eccd2a699a99cead
- SHA256
  
  2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
- SHA512
  
  ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
- SSDEEP
  
  96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Score

10^/10

asyncrat purelogstealer quasar xworm default office04 discovery evasion execution exploit persistence rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Modifies security service
  evasion
- PureLog Stealer
  PureLog Stealer is an infostealer written in C#.
  stealer purelogstealer
- PureLog Stealer payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Windows security bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  New Text Document mod.exse
- Size
  
  8KB
- MD5
  
  69994ff2f00eeca9335ccd502198e05b
- SHA1
  
  b13a15a5bea65b711b835ce8eccd2a699a99cead
- SHA256
  
  2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
- SHA512
  
  ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
- SSDEEP
  
  96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Score

10^/10

asyncrat purelogstealer quasar xworm default office04 discovery evasion execution exploit persistence rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Modifies security service
  evasion
- PureLog Stealer
  PureLog Stealer is an infostealer written in C#.
  stealer purelogstealer
- PureLog Stealer payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Windows security bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral5 behavioral6