asyncrat

General

Target

713e742f7314ca8d684137f996540b4b.exe
Size

6.7MB
Sample

240811-hr3l6azcjn
MD5

713e742f7314ca8d684137f996540b4b
SHA1

1d88ed5170efab2d32d83341be56e1b9f6720d7c
SHA256

41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5
SHA512

df373f00d609666811494d31c48f030e15155ddd4c3ccd4f0ef734a0eb4bee074244e8bb73263f06edca3cef60db37f7f603e98b7c040b6741dbcf8270fa90e4
SSDEEP

98304:tbqknnTC8vHM8aKN+3v4FOjfU2TNe7vWL26AaNeWgPhlmVqkQ7XSKUR83B:tzO8vH04FmMnG4S03B

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

thing-wine.gl.at.ply.gg:55280

Mutex

EFhpy3TPM7sR

Attributes

delay
3
install
true
install_file
Ass.exe
install_folder
%Temp%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

businesses-eric.gl.at.ply.gg:55282

Mutex

ebfbd873-38ee-4f7b-bfe9-2b77cdff1c45

Attributes

encryption_key
361A99FCBAEDCD5C706B5E52C37C90BFB4E13FB2
install_name
Client.exe
log_directory
Logs
reconnect_delay
1000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

xworm

C2

projects-pf.gl.at.ply.gg:55284

wiz.bounceme.net:6000

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

aes.plain

Targets

- Target
  
  713e742f7314ca8d684137f996540b4b.exe
- Size
  
  6.7MB
- MD5
  
  713e742f7314ca8d684137f996540b4b
- SHA1
  
  1d88ed5170efab2d32d83341be56e1b9f6720d7c
- SHA256
  
  41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5
- SHA512
  
  df373f00d609666811494d31c48f030e15155ddd4c3ccd4f0ef734a0eb4bee074244e8bb73263f06edca3cef60db37f7f603e98b7c040b6741dbcf8270fa90e4
- SSDEEP
  
  98304:tbqknnTC8vHM8aKN+3v4FOjfU2TNe7vWL26AaNeWgPhlmVqkQ7XSKUR83B:tzO8vH04FmMnG4S03B
Score

10^/10

asyncrat dcrat quasar xworm default office04 discovery evasion execution infostealer persistence rat spyware trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Xworm Payload
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2