asyncrat | 1731919d2dc81ad27833aaaf162c923c8c0e9ec12f0517c7db0409b74e9550c6

Analysis

max time kernel
150s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zvgfd-main/Empyrean Removal Tool.exe
Size

495KB
MD5

0858df720da731fb05cfa980134fa639
SHA1

0e5e7bf34494892b20e2ed62cea218ada919361d
SHA256

4af251cefa5fbdfb07cff0be7ba01cd6f525099949dac28b5780876a4942d810
SHA512

c2f06ec22f57876b4ed168536bba76b7121962bb752d2a244eea3a37b68044837bf4263b5e3812a4ec1cf5b235653b3f389bbeefef89f609ae5af0eb1e847eb9
SSDEEP

12288:r6iLGC/KU7T+q1/t5moY4MHJgOvK2xqTCzqkfuxHn:rDVyWT+Y/t0oY4MKiK20T8fux

Score

10^/10

asyncrat quasar xworm default slave execution rat spyware trojan

Malware Config

Extracted

Family

xworm

best-bird.gl.at.ply.gg:27196

super-nearest.gl.at.ply.gg:17835

wiz.bounceme.net:6000

aes.plain

Extracted

Family

asyncrat

Botnet

Default

finally-grande.gl.at.ply.gg:25844

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes

encryption_key
ql4fQ8TV9ZFP9vRX2myA
install_name
$sxr~Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$77STARTUP~MSF
subdirectory
$sxr~SubDir

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 5 IoCs

Processes:

resource	yara_rule
behavioral12/files/0x0003000000022963-6.dat	family_xworm
behavioral12/memory/5056-16-0x00000000000F0000-0x0000000000108000-memory.dmp	family_xworm
behavioral12/files/0x000b00000002336a-37.dat	family_xworm
behavioral12/memory/708-50-0x00000000008E0000-0x00000000008FA000-memory.dmp	family_xworm
behavioral12/memory/5056-108-0x000000001BB60000-0x000000001BB6E000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral12/files/0x0003000000022965-18.dat	family_quasar
behavioral12/memory/1632-51-0x0000000000A50000-0x0000000000ABC000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral12/files/0x000b000000023368-27.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3684	powershell.exe
2260	powershell.exe
1924	powershell.exe
4948	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Empyrean Removal Tool.exePart 1.exePart 4.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Empyrean Removal Tool.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Part 1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Part 4.exe

Executes dropped EXE 4 IoCs

Processes:

Part 1.exePart 2.exePart 3.exePart 4.exe

pid	Process
5056	Part 1.exe
1632	Part 2.exe
1644	Part 3.exe
708	Part 4.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
9	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
2608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exepowershell.exePart 1.exepowershell.exepowershell.exePart 4.exe

pid	Process
1924	powershell.exe
1924	powershell.exe
1924	powershell.exe
4948	powershell.exe
4948	powershell.exe
4948	powershell.exe
5056	Part 1.exe
5056	Part 1.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
2260	powershell.exe
2260	powershell.exe
2260	powershell.exe
708	Part 4.exe
708	Part 4.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

Part 3.exePart 1.exePart 2.exepowershell.exepowershell.exePart 4.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1644	Part 3.exe
Token: SeDebugPrivilege	5056	Part 1.exe
Token: SeDebugPrivilege	1632	Part 2.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	708	Part 4.exe
Token: SeDebugPrivilege	5056	Part 1.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	708	Part 4.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Part 2.exePart 1.exePart 4.exe

pid	Process
1632	Part 2.exe
5056	Part 1.exe
708	Part 4.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Empyrean Removal Tool.exePart 1.exePart 2.exePart 4.exe

description	pid	Process	procid_target
PID 2260 wrote to memory of 5056	2260	Empyrean Removal Tool.exe	88
PID 2260 wrote to memory of 5056	2260	Empyrean Removal Tool.exe	88
PID 2260 wrote to memory of 1632	2260	Empyrean Removal Tool.exe	89
PID 2260 wrote to memory of 1632	2260	Empyrean Removal Tool.exe	89
PID 2260 wrote to memory of 1632	2260	Empyrean Removal Tool.exe	89
PID 2260 wrote to memory of 1644	2260	Empyrean Removal Tool.exe	90
PID 2260 wrote to memory of 1644	2260	Empyrean Removal Tool.exe	90
PID 2260 wrote to memory of 708	2260	Empyrean Removal Tool.exe	91
PID 2260 wrote to memory of 708	2260	Empyrean Removal Tool.exe	91
PID 5056 wrote to memory of 1924	5056	Part 1.exe	94
PID 5056 wrote to memory of 1924	5056	Part 1.exe	94
PID 1632 wrote to memory of 2608	1632	Part 2.exe	95
PID 1632 wrote to memory of 2608	1632	Part 2.exe	95
PID 1632 wrote to memory of 2608	1632	Part 2.exe	95
PID 5056 wrote to memory of 4948	5056	Part 1.exe	98
PID 5056 wrote to memory of 4948	5056	Part 1.exe	98
PID 708 wrote to memory of 3684	708	Part 4.exe	100
PID 708 wrote to memory of 3684	708	Part 4.exe	100
PID 708 wrote to memory of 2260	708	Part 4.exe	102
PID 708 wrote to memory of 2260	708	Part 4.exe	102

C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Empyrean Removal Tool.exe
"C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Empyrean Removal Tool.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 1.exe
  "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4948
- C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe
  "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2608
- C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 3.exe
  "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe
  "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qlvxncwn.cxo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 1.exe

Filesize
67KB

MD5
092a0c6fe885844fd74947e64e7fc11e

SHA1
bfe46f64f36f2e927d862a1a787f146ed2c01219

SHA256
91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2

SHA512
022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe

Filesize
409KB

MD5
e10c7425705b2bd3214fa96247ee21c4

SHA1
7603536b97ab6337fa023bafcf80579c2b4059e6

SHA256
021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4

SHA512
47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 3.exe

Filesize
63KB

MD5
27fe9341167a34f606b800303ac54b1f

SHA1
86373d218b48361bff1c23ddd08b6ab1803a51d0

SHA256
29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d

SHA512
05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe

Filesize
79KB

MD5
1f1b23752df3d29e7604ba52aea85862

SHA1
bb582c6cf022098b171c4c9c7318a51de29ebcf4

SHA256
4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960

SHA512
d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde

Download Submit
memory/708-110-0x000000001BB60000-0x000000001BC62000-memory.dmp

Filesize
1.0MB

Download
memory/708-50-0x00000000008E0000-0x00000000008FA000-memory.dmp

Filesize
104KB

Download
memory/1632-55-0x0000000006190000-0x00000000061A2000-memory.dmp

Filesize
72KB

Download
memory/1632-53-0x00000000053F0000-0x0000000005482000-memory.dmp

Filesize
584KB

Download
memory/1632-54-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/1632-52-0x00000000059A0000-0x0000000005F44000-memory.dmp

Filesize
5.6MB

Download
memory/1632-57-0x00000000066D0000-0x000000000670C000-memory.dmp

Filesize
240KB

Download
memory/1632-51-0x0000000000A50000-0x0000000000ABC000-memory.dmp

Filesize
432KB

Download
memory/1632-72-0x0000000006C50000-0x0000000006C5A000-memory.dmp

Filesize
40KB

Download
memory/1644-47-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/1924-58-0x000001F4C3E10000-0x000001F4C3E32000-memory.dmp

Filesize
136KB

Download
memory/2260-0-0x00007FF9C5FB3000-0x00007FF9C5FB5000-memory.dmp

Filesize
8KB

Download
memory/2260-1-0x0000000000920000-0x00000000009C4000-memory.dmp

Filesize
656KB

Download
memory/5056-56-0x00007FF9C5FB0000-0x00007FF9C6A71000-memory.dmp

Filesize
10.8MB

Download
memory/5056-16-0x00000000000F0000-0x0000000000108000-memory.dmp

Filesize
96KB

Download
memory/5056-108-0x000000001BB60000-0x000000001BB6E000-memory.dmp

Filesize
56KB

Download
memory/5056-109-0x000000001B2C0000-0x000000001B3C2000-memory.dmp

Filesize
1.0MB

Download
memory/5056-49-0x00007FF9C5FB0000-0x00007FF9C6A71000-memory.dmp

Filesize
10.8MB

Download
memory/5056-113-0x00007FF9C5FB0000-0x00007FF9C6A71000-memory.dmp

Filesize
10.8MB

Download
memory/5056-114-0x00007FF9C5FB0000-0x00007FF9C6A71000-memory.dmp

Filesize
10.8MB

Download