asyncrat | 8cf0382f7f56bc86f6d5cf41a76b23d0cbc64dacf467b84f3c94866951eb9561 | Triage

Sharing

General

Target

8cf0382f7f56bc86f6d5cf41a76b23d0cbc64dacf467b84f3c94866951eb9561
Size

11.3MB
Sample

240728-tens1svhje
MD5

41eac7506fde8b7d8a7a5182a2c2d0ec
SHA1

becfa50992a0a2a797caada700dda2f7738faa5a
SHA256

8cf0382f7f56bc86f6d5cf41a76b23d0cbc64dacf467b84f3c94866951eb9561
SHA512

c5e38276ab8834554cce4ddd0c3716de508559a495fe959518595b8fbf16adf289ca500f5f64df9d9c631198989ac737ddd975110d5ff51b07a2b56a60efa8b2
SSDEEP

196608:PCwIAchwuLIRgFDPzMsVerPYVnN/SMFmxA1HeT39IigwR1ncKOVVtk7hotQ1NQPr:+AcaxgpgPYVnNSMF1+TtIiFf0VQ26El

Score

10^/10

asyncrat quasar default office04 evasion execution persistence pyinstaller rat spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

193.42.11.9:4329

Mutex

4c2abd13-f813-4493-8701-1c7115caee61

Attributes

encryption_key
665C8B508EC328B12F8F1A2A20662BF0DBA9F069
install_name
edge.exe
log_directory
Logs
reconnect_delay
1000
startup_key
Chrome
subdirectory
browser

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

127.0.0.1:4449

127.0.0.1:80

45.141.151.163:4449

45.141.151.163:80

Mutex

kijgzzvakwgjgyonlhe

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  8cf0382f7f56bc86f6d5cf41a76b23d0cbc64dacf467b84f3c94866951eb9561
- Size
  
  11.3MB
- MD5
  
  41eac7506fde8b7d8a7a5182a2c2d0ec
- SHA1
  
  becfa50992a0a2a797caada700dda2f7738faa5a
- SHA256
  
  8cf0382f7f56bc86f6d5cf41a76b23d0cbc64dacf467b84f3c94866951eb9561
- SHA512
  
  c5e38276ab8834554cce4ddd0c3716de508559a495fe959518595b8fbf16adf289ca500f5f64df9d9c631198989ac737ddd975110d5ff51b07a2b56a60efa8b2
- SSDEEP
  
  196608:PCwIAchwuLIRgFDPzMsVerPYVnN/SMFmxA1HeT39IigwR1ncKOVVtk7hotQ1NQPr:+AcaxgpgPYVnNSMF1+TtIiFf0VQ26El
Score

10^/10

asyncrat quasar default office04 evasion execution persistence rat spyware trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratquasardefaultoffice04evasionexecutionpersistenceratspywaretrojan

behavioral2

asyncratquasardefaultoffice04evasionexecutionpersistenceratspywaretrojan