asyncrat

General

Target

b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe
Size

8.4MB
Sample

240617-bplgja1hnp
MD5

3c6fd2d056ed6d09b0ac9d34de202353
SHA1

a79a8b9c0092266e0388a6dc9941667ef208b233
SHA256

b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c
SHA512

dd2b0c97ed39add7ffda1b6fbc552daad7385eef3ff5f82068c419a674fa92c07e853f523ced0da2705b6dc922b086f89b10682e335ecc1e7966a8247e2d7614
SSDEEP

196608:jth2KKRkb+gKVAECO4GZM7b2qiTzRUxgVkdMOwEvz2VcPxgC:z2rk+ggAEp/CbQKxgcM5ymcpgC

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

05KAN24

C2

4Mekey.myftp.biz:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

im523

Botnet

05KAN24

C2

4mekey.myftp.biz:1124

Mutex

8574ec729578662a3d2b4a9c0c2f21d3

Attributes

reg_key
8574ec729578662a3d2b4a9c0c2f21d3
splitter
|'|'|

Extracted

Family

quasar

Version

1.4.1

Botnet

05KAN24

C2

4Mekey.myftp.biz:4782

Mutex

79b4968e-3635-4865-94f2-359cde910023

Attributes

encryption_key
5A1721840C7FCFA52998D9F98F97F4B8137E6734
install_name
Windows Server.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
Windows Update

Targets

- Target
  
  b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe
- Size
  
  8.4MB
- MD5
  
  3c6fd2d056ed6d09b0ac9d34de202353
- SHA1
  
  a79a8b9c0092266e0388a6dc9941667ef208b233
- SHA256
  
  b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c
- SHA512
  
  dd2b0c97ed39add7ffda1b6fbc552daad7385eef3ff5f82068c419a674fa92c07e853f523ced0da2705b6dc922b086f89b10682e335ecc1e7966a8247e2d7614
- SSDEEP
  
  196608:jth2KKRkb+gKVAECO4GZM7b2qiTzRUxgVkdMOwEvz2VcPxgC:z2rk+ggAEp/CbQKxgcM5ymcpgC
Score

10^/10

asyncrat njrat quasar 05kan24 discovery evasion persistence rat spyware trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Detects Windows executables referencing non-Windows User-Agents
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables attemping to enumerate video devices using WMI
- Detects executables containing common artifacts observed in infostealers
- Detects executables containing the string DcRatBy
- Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2