asyncrat | 8cf0382f7f56bc86f6d5cf41a76b23d0cbc64dacf467b84f3c94866951eb9561 | Triage

Sharing

General

Target

8cf0382f7f56bc86f6d5cf41a76b23d0cbc64dacf467b84f3c94866951eb9561.exe
Size

11.3MB
Sample

240729-bp2thszeje
MD5

41eac7506fde8b7d8a7a5182a2c2d0ec
SHA1

becfa50992a0a2a797caada700dda2f7738faa5a
SHA256

8cf0382f7f56bc86f6d5cf41a76b23d0cbc64dacf467b84f3c94866951eb9561
SHA512

c5e38276ab8834554cce4ddd0c3716de508559a495fe959518595b8fbf16adf289ca500f5f64df9d9c631198989ac737ddd975110d5ff51b07a2b56a60efa8b2
SSDEEP

196608:PCwIAchwuLIRgFDPzMsVerPYVnN/SMFmxA1HeT39IigwR1ncKOVVtk7hotQ1NQPr:+AcaxgpgPYVnNSMF1+TtIiFf0VQ26El

Score

10^/10

asyncrat quasar default office04 discovery evasion execution persistence pyinstaller rat spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

193.42.11.9:4329

Mutex

4c2abd13-f813-4493-8701-1c7115caee61

Attributes

encryption_key
665C8B508EC328B12F8F1A2A20662BF0DBA9F069
install_name
edge.exe
log_directory
Logs
reconnect_delay
1000
startup_key
Chrome
subdirectory
browser

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

127.0.0.1:4449

127.0.0.1:80

45.141.151.163:4449

45.141.151.163:80

Mutex

kijgzzvakwgjgyonlhe

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  8cf0382f7f56bc86f6d5cf41a76b23d0cbc64dacf467b84f3c94866951eb9561.exe
- Size
  
  11.3MB
- MD5
  
  41eac7506fde8b7d8a7a5182a2c2d0ec
- SHA1
  
  becfa50992a0a2a797caada700dda2f7738faa5a
- SHA256
  
  8cf0382f7f56bc86f6d5cf41a76b23d0cbc64dacf467b84f3c94866951eb9561
- SHA512
  
  c5e38276ab8834554cce4ddd0c3716de508559a495fe959518595b8fbf16adf289ca500f5f64df9d9c631198989ac737ddd975110d5ff51b07a2b56a60efa8b2
- SSDEEP
  
  196608:PCwIAchwuLIRgFDPzMsVerPYVnN/SMFmxA1HeT39IigwR1ncKOVVtk7hotQ1NQPr:+AcaxgpgPYVnNSMF1+TtIiFf0VQ26El
Score

10^/10

asyncrat quasar default office04 discovery evasion execution persistence rat spyware trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

asyncratquasardefaultoffice04discoveryevasionexecutionpersistenceratspywaretrojan