asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3
Size

968KB
Sample

240527-d533maeg6s
MD5

c82a3da38e0debb9a378f1dc3777c33e
SHA1

aa6c7428f186d9498ca705b9c0d58736757a632e
SHA256

dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3
SHA512

628cda89421e6327ba5a274d28386faf0b56c35f52dc237bbc310aef2a20ec5d5b7fb1bc4f22d610981ce5c6a9733bfc16568f473eb23b43094637b1db969cc1
SSDEEP

24576:FmtpMM4Qevjz8fSEhQKQWxUg9RzZtNMiTRqfLj:EpviIOYxUQRzZtNyj

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Security

37.0.14.203:7812

Mutex

VNM_MUTEX_2r4e6JnVsMyKl6Aod6

Attributes

encryption_key
7m3r0pz1Q0GDX0J3KjKp
install_name
Windows Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Updated
subdirectory
Win32

Targets

- Target
  
  dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3
- Size
  
  968KB
- MD5
  
  c82a3da38e0debb9a378f1dc3777c33e
- SHA1
  
  aa6c7428f186d9498ca705b9c0d58736757a632e
- SHA256
  
  dec50393ebe75e7a9b14f7c14bf75a7ffe083bac7361bbbcf0f2be554c966ff3
- SHA512
  
  628cda89421e6327ba5a274d28386faf0b56c35f52dc237bbc310aef2a20ec5d5b7fb1bc4f22d610981ce5c6a9733bfc16568f473eb23b43094637b1db969cc1
- SSDEEP
  
  24576:FmtpMM4Qevjz8fSEhQKQWxUg9RzZtNMiTRqfLj:EpviIOYxUQRzZtNyj
Score

10^/10

asyncrat quasar stormkitty venomrat windows security evasion rat rootkit spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Async RAT payload
  rat
- Detects Windows executables referencing non-Windows User-Agents
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
- Detects executables containing URLs to raw contents of a Github gist
- Detects executables containing artifacts associated with disabling Widnows Defender
- Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
- Detects executables referencing Discord tokens regular expressions
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing credit card regular expressions
- Detects executables referencing many VPN software clients. Observed in infosteslers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables using Telegram Chat Bot
- Detects executables with interest in wireless interface using netsh
- Detects file containing reversed ASEP Autorun registry keys
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Contains code to disable Windows Defender

Modifies Windows Defender Real-time Protection settings

Quasar RAT

Quasar payload

StormKitty

StormKitty payload

VenomRAT

Async RAT payload

Detects Windows executables referencing non-Windows User-Agents

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Detects executables containing URLs to raw contents of a Github gist

Detects executables containing artifacts associated with disabling Widnows Defender

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Detects executables referencing Discord tokens regular expressions

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing credit card regular expressions

Detects executables referencing many VPN software clients. Observed in infosteslers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables using Telegram Chat Bot

Detects executables with interest in wireless interface using netsh

Detects file containing reversed ASEP Autorun registry keys

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Windows security modification

Looks up external IP address via web service

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2