asyncrat

General

Target

734a651df8e337d0ce287b737eda1ba09e11b3ac00b7aa00c0b4ff66b67a8f40
Size

4.1MB
Sample

240806-bgrctavanq
MD5

c1d4a5533effd830b2511e3d36126dbf
SHA1

d67fdc24d7602e6c8b1a5bdbb46fe1bfeee8ec25
SHA256

734a651df8e337d0ce287b737eda1ba09e11b3ac00b7aa00c0b4ff66b67a8f40
SHA512

1495e65c0048d9addeba488cb522854d0c1f60e74911cc7b0a356524b8c423f6225b320392bdfb7e6ad74bc85f89d86c22e30716a0ffe80c7e323aeba1d1bfd5
SSDEEP

98304:pX4FOjfU2T1e3v+L26AaNeWgPhlmVqkQ7XSKVtP5:V4FmMj+4SqP5

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

studies-nearby.gl.at.ply.gg:54354

Mutex

ed6f2980-f798-413a-90ea-280e7a8f7ce7

Attributes

encryption_key
4AE6940760440BA087A77A58D1B15E8AD494E934
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

race-through.gl.at.ply.gg:54395

Mutex

034a0ecc052628afea4e468544bba5d2

Attributes

reg_key
034a0ecc052628afea4e468544bba5d2
splitter
|'|'|

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

iraq-mn.gl.at.ply.gg:54391

Mutex

dyo8kO8l3gKv

Attributes

delay
3
install
true
install_file
E.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  734a651df8e337d0ce287b737eda1ba09e11b3ac00b7aa00c0b4ff66b67a8f40
- Size
  
  4.1MB
- MD5
  
  c1d4a5533effd830b2511e3d36126dbf
- SHA1
  
  d67fdc24d7602e6c8b1a5bdbb46fe1bfeee8ec25
- SHA256
  
  734a651df8e337d0ce287b737eda1ba09e11b3ac00b7aa00c0b4ff66b67a8f40
- SHA512
  
  1495e65c0048d9addeba488cb522854d0c1f60e74911cc7b0a356524b8c423f6225b320392bdfb7e6ad74bc85f89d86c22e30716a0ffe80c7e323aeba1d1bfd5
- SSDEEP
  
  98304:pX4FOjfU2T1e3v+L26AaNeWgPhlmVqkQ7XSKVtP5:V4FmMj+4SqP5
Score

10^/10

asyncrat njrat quasar default hacked office04 discovery evasion persistence privilege_escalation rat spyware trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Async RAT payload
  rat
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2