asyncrat

General

Target

Flash-USDT-Sender v2 (2).zip
Size

808KB
Sample

240603-t3ha5sdf86
MD5

4bb7ac8ea49b5948185e362f618b8407
SHA1

e5d5decff83197c68de9690e73c67d50eced279f
SHA256

8018d4a6776fd432ea3d84c4c5cd576894362ef2212f66ec5c4ce6964a78016c
SHA512

5f65bbb607782b9f68e16d95c10631b4ebad87288a325bb27ffe8226204ba2c6e94b67b392a8ecc1a922084e6125904b127aed65d723a2d225d313972dd3ea15
SSDEEP

24576:NyyLFbP2sJSzQOUMfLVDw6DsJar6QPTc10:dLFSsJSzzzVNDh+gwq

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

146.70.34.130:7812

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
xwXT4WCNnk3vInV5C8eN
install_name
Windows Security Health Service.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Health Service
subdirectory
Windows Security Health Service

Extracted

Family

xworm

C2

146.70.34.130:7812

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Flash-USDT-main/Flash USDT v2.exe
- Size
  
  918KB
- MD5
  
  e45aa1c8df8c2e551cbb12eb60d45862
- SHA1
  
  cb00e3e6bd28bbef0899c7e470e82f4e5f5dc13b
- SHA256
  
  5c9d92a9fc8a5399e2dc146af2c5dfbfdbbf94cd11ea331e9422626026470279
- SHA512
  
  ea77a19bc7d76c821082d9f2a14b6e818f28b98aaea9f923767d86d96e8db1a64ddcc56d7cfbcce41c06bd195b8afef4ed4f4dfc1e3543df0e5de4b6aa3af069
- SSDEEP
  
  24576:1Gz1TSpONGTQ9dokTpIG/2KPJ8r6oPNYY:1o1SpONZ9dokTpIG/Y+YN
Score

10^/10

asyncrat quasar stormkitty venomrat xworm default office04 evasion persistence rat rootkit spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1