asyncrat | b460cb71a7c6a0ef8f1f92dc52c237a41a783fa5d2925362eb0ab3db51420e71

Sharing

General

Target

VenomRAT-V5.6-HVNC.rar
Size

44.7MB
Sample

240811-pa5hrashra
MD5

3359e400772b429af1a1c5b2f06ad301
SHA1

bdedb4c410ba58392feefcda17ec18c9ec5e45db
SHA256

b460cb71a7c6a0ef8f1f92dc52c237a41a783fa5d2925362eb0ab3db51420e71
SHA512

63f5c3a773dc4d3ff44aef6b318e1e23c3befecf3a1263f4f45c132c487dae8fe9f0a2512a3699ae70c8b602ca83e672be8b18b0f9be60693c600a70b08f2f4a
SSDEEP

786432:G42E0fcdbuf9QZZEdyvV554KDYKiQ7mKv9Ewf91HZOrck8+xUhJZkwhNc:GbE0fk6FkZEdKV5i2BiQKaEwHHZIAJZK

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

v15.4.1 | Venom

dofucks.com:12482

private115.duckdns.org:12482

Mutex

adf10731-c83d-4166-9137-39d0b1e48856

Attributes

encryption_key
C84CB6134701741C5122A14FACDB67C8CFA9C0AB
install_name
.exe
log_directory
$sxr-Logs
reconnect_delay
3000
startup_key
$sxr-seroxen

Extracted

Family

xworm

Version

5.0

Mutex

EEarXqazEvX73BCq

Attributes

Install_directory
%AppData%
install_file
Chrome Update.exe
pastebin_url
https://pastebin.com/raw/RPPi3ByL

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage?chat_id=5279018187

Targets

- Target
  
  VenomRAT-V5.6-HVNC.rar
- Size
  
  44.7MB
- MD5
  
  3359e400772b429af1a1c5b2f06ad301
- SHA1
  
  bdedb4c410ba58392feefcda17ec18c9ec5e45db
- SHA256
  
  b460cb71a7c6a0ef8f1f92dc52c237a41a783fa5d2925362eb0ab3db51420e71
- SHA512
  
  63f5c3a773dc4d3ff44aef6b318e1e23c3befecf3a1263f4f45c132c487dae8fe9f0a2512a3699ae70c8b602ca83e672be8b18b0f9be60693c600a70b08f2f4a
- SSDEEP
  
  786432:G42E0fcdbuf9QZZEdyvV554KDYKiQ7mKv9Ewf91HZOrck8+xUhJZkwhNc:GbE0fk6FkZEdKV5i2BiQKaEwHHZIAJZK
Score

3^/10
behavioral1 behavioral2
- Target
  
  VenomRAT-V5.6-HVNC/BouncyCastle.Crypto.dll
- Size
  
  2.1MB
- MD5
  
  3cf6bf0e0a27f3665edd6362d137e4cc
- SHA1
  
  2016dd5e17331495901299eae9a5db48ccc8956f
- SHA256
  
  1985b85bb44be6c6eaf35e02ef11e23a890e809b8ec2e53210a4ad5a85b26c70
- SHA512
  
  72182dd7ce5fdaec8a79b65626e98f38eb8e74fa6129de08d54b3bb80867019b594082e2d9e583a788d81e69c12f7c6cd993d7d74a196bab72e68400c61e244f
- SSDEEP
  
  49152:FFSSSusJVEDm2CNrmynmTF3P++3UEOkK59Vz4oukkb3KZ5:FFSSSusJeDm2WrmynmTF3m+E
Score

1^/10
behavioral3 behavioral4
- Target
  
  VenomRAT-V5.6-HVNC/Guna.UI2.dll
- Size
  
  2.0MB
- MD5
  
  0188fce753516183a41c4d146e337778
- SHA1
  
  eb0f5324e8dd08a181d4bdfc1d90543077b2ee67
- SHA256
  
  ee4449bccf826cbc56c13087d54a1a69fd42464d437ce8f355ac6afb61df6829
- SHA512
  
  b3aafc9a80eec37556f4e60ab23579dd7d42c060b3ca2064d6d0c16901b54500503750868bef651a01401551551e372ac9fd459029c5d0efdd2aa385384916fc
- SSDEEP
  
  24576:SANEfBpDsH/bTIRPZyiXeq+Tc7XRbF+TSgkrwf9Pa3oZm8jqG4LEx1npSBeX673f:Sz9+OgRpUwXpUeXQq5dn
Score

1^/10
behavioral5 behavioral6
- Target
  
  VenomRAT-V5.6-HVNC/IP2Region.dll
- Size
  
  13KB
- MD5
  
  cd5a0b0d309fd5837ddacbf4c1a65cda
- SHA1
  
  65fbc931f4ba8c5e3b26719665ee9ea6015f402c
- SHA256
  
  b0c2a6951dae794c210fbe68d7f42081e5da0f7cbb926cf986c3d453f9920f37
- SHA512
  
  84e4e1aa3f6c3014b39b0ac0da3db41e086dfab4e7d38a154f0ff2d0c65bae87039175e54cf950a57f21f5c56c19a62d6f98b2143f14a21d743867a2b37243aa
- SSDEEP
  
  192:6ITtdNU7r6Au3QI7iPxM02ec5puRpZd7awXJPhbUIx9fwiwMH17Gv2u0lXkV/+ft:6BrZe7sM0Q5puRJTn5wiwMV7t/ftVl
Score

1^/10
behavioral7 behavioral8
- Target
  
  VenomRAT-V5.6-HVNC/IconExtractor.dll
- Size
  
  11KB
- MD5
  
  3a8aad1f889b6fb25943eb0ca3be6eff
- SHA1
  
  d364be51c972060c05cdb5a8603915c6cacebd90
- SHA256
  
  04a1a27ab31b284c6e1ce9b3e94d59e414803ef1283021c5ef5919e826a6d488
- SHA512
  
  8df7a5196468f9ca1641703b434c30b5a5a1a2e42e5f738111b997a08d649fe3ef30baa8e3a97c02689b7603653aefb2ae1e830799dc6db1c2ba468a6e979f42
- SSDEEP
  
  192:Bmpc8LVCEdSApAMtrBaRGVb3dhw8vJr6/gdwm:BqxCEdSAHrBiGVb3LzJr6/21
Score

10^/10

gurcu quasar xworm v15.4.1 | venom defense_evasion discovery dropper execution persistence rat spyware stealer trojan
- Detect Xworm Payload
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Download via BitsAdmin
  dropper
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  VenomRAT-V5.6-HVNC/Keylogger.exe
- Size
  
  10KB
- MD5
  
  b8607b7921cd9cba78058fcb56bcfb9d
- SHA1
  
  1344f12ff7e23122b62fcc7f3be548c73d3c3efd
- SHA256
  
  b2a992052d32a5b9d3702350b133289b45a8d209acd0161d9c3b0bc6fd702b3c
- SHA512
  
  dd36040e57f2744437684e257caac0987a90deac0a60536f1cb8d690e256505d427931a3beb8d58f87c2c1bf5beb0a40c4b09417c451a07e5856044efbac1449
- SSDEEP
  
  96:c+B5YocCSrXU1k1YhsadP1LH9xvXh3D6IQE6yonbMpGtzIon7CKe8m7zeQzNt:ZB5YgOd1Yh9dtnXh3D6/QAzn7f5m7Cy
Score

1^/10
behavioral11 behavioral12
- Target
  
  VenomRAT-V5.6-HVNC/Newtonsoft.Json.dll
- Size
  
  659KB
- MD5
  
  cc7920d1ea2268f85cf44e74a557e752
- SHA1
  
  dd420f319c505a9b8085819656c74bbc4748b78b
- SHA256
  
  67011156a08da592d5fe6ef112cb62e10c88be534990fdcdfef5ebb9b1cc6c63
- SHA512
  
  76874b04def4e3dd79b99aa5604a7dd4d4063494af8cf02f96abd56f34a898bbf7c41ad5aafb2ac123474d6c85886a6d99a04882f279c009b635619c1d6c308e
- SSDEEP
  
  12288:suLQZbq16LMLq42433d25X8STJmMRv0niBXh8KOBAj0x:sz/LMLq42t5X8STJmMRv0nQHOBAjO
Score

1^/10
behavioral13 behavioral14
- Target
  
  VenomRAT-V5.6-HVNC/Plugins/Audio.dll
- Size
  
  25KB
- MD5
  
  c8bba484847d43a37a2826969b8d51be
- SHA1
  
  c7bd52ff2ddc40e3f0aef35e6c5e226b1e5bc10b
- SHA256
  
  7e969e5a8f7ae862e7caa4838b9720e4272b74a980792e016f068b23f283a4a1
- SHA512
  
  9c8a4ed2f6769cd659ceb7557fee9cb3fbe6e8bad9c3fff62a6dfc090d52ebb878c52e11dce3f769cc9f9e62321f551130f923e8e518928159d27e30dac57dd1
- SSDEEP
  
  384:Pi+z4JdSCmRO5Gw5ZGuC0CWdseXGKfZ0CDzukNpLQVs6XXLca78nOt3E:qzJds45GwRC63lF2tAOt0
Score

1^/10
behavioral15 behavioral16
- Target
  
  VenomRAT-V5.6-HVNC/Plugins/Chat.dll
- Size
  
  456KB
- MD5
  
  f46b7596a724e9fe720a6e90cbaa8c48
- SHA1
  
  8380bd727b03a50cf4b629c06201eea248dc2037
- SHA256
  
  d76bdbeef6b2b0b7b05855bb31e3d3a9450326108b89c2f8292b30e3defba206
- SHA512
  
  536031bf2f95c95cb93d913280cdef845b79cde9f5fdd7f9e50fe5b31dbd8350da99f11bd277733e13c6ad8793575186e07b278560da15fd041270a639062e4c
- SSDEEP
  
  6144:LtBlKJ+p4JX0cZsaB6N83r2y/plBWnxfID/uKNlNQ7fOiLXyCrxO9w+KQqxe/t7:LVKTkcZBB6NKbBWnxfIvNr4siQqx0
Score

1^/10
behavioral17 behavioral18
- Target
  
  VenomRAT-V5.6-HVNC/Plugins/Discord.dll
- Size
  
  27KB
- MD5
  
  b591cff18fd7344243cf8a4eca624a65
- SHA1
  
  29f9134bb33d429d27b87e6f2112b6753e1dcae4
- SHA256
  
  6a43095314d5e32db307eef638d2f5afea7dd40ff6acda24fc28ce0c1632cb6a
- SHA512
  
  ae1aa8db37182a4b8ee06249da6304c1c105adf06b2091cf24b3e79ad1d6d1a6eaab12bf059cd86deb04b7084d563a25d5bbef6ddf7857c1a34fc0e0032664fc
- SSDEEP
  
  384:HfzPwa/ppmIwuCfMeSmfbQFFVBdseXG3cGh+JaL6lkSggL5XxXIUdwmuJpSVmlY2:HhGIwhPgh0Jd+5XxjwmuJpSV/I7
Score

1^/10
behavioral19 behavioral20
- Target
  
  VenomRAT-V5.6-HVNC/Plugins/Extra.dll
- Size
  
  34KB
- MD5
  
  a7f6e9ea6f35ae2d46b2428e0ba548f8
- SHA1
  
  d7144c74103c70ecb92fb7866440381d36c9a382
- SHA256
  
  b852634a7305818616dd7194b8ffe66e63bccc861380ee97c99b070de6ba89d8
- SHA512
  
  ec2d6bb1a0ecbe2c1cb4f489231ca374ad4e19cd21b6423f3b5fd5ac1b968c0291ef6a0b66c4abca7ff78d048f43b9c7307eea48dc8725e889a2a19c190d25b4
- SSDEEP
  
  384:thfLE8JhqmxGhnGOheE6qCtdKudseXG5JN2ahDkz7R3bu6jUwv5YacMvvc8D5K8w:jQ8hxGWCkQuMPkv5YdAvr9IKqbnMW
Score

1^/10
behavioral21 behavioral22
- Target
  
  VenomRAT-V5.6-HVNC/Plugins/FileManager.dll
- Size
  
  34KB
- MD5
  
  ff2783114ae2044817419e3029202f4e
- SHA1
  
  3b0f3cc4724264622b0f43534745234162a54118
- SHA256
  
  169b668e1f44382d07f158583cfde522efcaac03d124c605663a9e29d65cd1cb
- SHA512
  
  b495efc2e0b5bf5ee410e6b475178dda4b06ea9ba6cf40d22cce6b3f114b5e5fd9c48bb7319b5d79f3f2c10b3c6afd0a0c7fe70582aeabb4eaf9ec7bb752dc64
- SSDEEP
  
  384:e/fLIMFZcuWQHBVugXvYhXmovTuC/Jn/KddseXG/htVhD8mouoFFAEFuc0oRJPtt:ypBQ2ovTZ/kdczcFhntTtny1l1E
Score

1^/10
behavioral23 behavioral24
- Target
  
  VenomRAT-V5.6-HVNC/Plugins/FileSearcher.dll
- Size
  
  280KB
- MD5
  
  b5afafb4d97483eebc4be571f85f173f
- SHA1
  
  0ba9e21cc125b23d128da3e2066d7ae84932ef15
- SHA256
  
  48218ec92d226ddfc67038fb11bc7ace4212f1d640a91327c088ab81d331fd3a
- SHA512
  
  036fb7d0a7f52b1d729adf36ba953bcfd78c13df97e6e6a907fa669b44621635c53265065b164a82e025b21704b3c555b7c2f862ee97a9979d22b720d36609de
- SSDEEP
  
  3072:UUI94v0G+OSJqB7OOaJOqX8s28ccc9k16uLWcSCSLeNYcEeI/KQ73WmboC4nRZkX:SKWOaG4X5S9k1zFB6YF6X
Score

1^/10
behavioral25 behavioral26
- Target
  
  VenomRAT-V5.6-HVNC/Plugins/Fun.dll
- Size
  
  36KB
- MD5
  
  60ec3a7d2b3ad2e295c37d00f7cfbcc9
- SHA1
  
  3d0a9141b8fe0c35fa6895ac770dc770323ec9e8
- SHA256
  
  30fb82935718d1bdf5fbd0dd859d17a9797d6a355a944b506349d46b36fcda25
- SHA512
  
  3450b281454027e6d82cf332290db31c86ed03da7c75143781edebb828d3e3ee112a7794544f4d27bc2964d9d72c9ab2acb706979bbcfb696751312333d1c41a
- SSDEEP
  
  384:37fLviWK1Xr4GtVmEc6BktslnlrqKQdseXGtrR52bhimwy0Xprnhc4rSf7rpVqK5:LGXFEGtMqS2lnhQk95Z3nhXraDUCEk
Score

1^/10
behavioral27 behavioral28
- Target
  
  VenomRAT-V5.6-HVNC/Plugins/Information.dll
- Size
  
  27KB
- MD5
  
  e0522777294f677119798f23120ee71c
- SHA1
  
  0492cff92878608a364270e0638d91b69ef1cbfa
- SHA256
  
  52325afda2b4fb901eee03eb264f3651a15a5b6f4893b6cd64b1c103c75901ab
- SHA512
  
  b3dfa3c2f1354c128c23b634b9935f39609834c93085a9ab0b19e9d2281b9f1dcbbeb1382f924765ae4e334037e1497390d9402113546fbadd719cabd89e6c73
- SSDEEP
  
  384:FRfL6mS8ayvHxy63m+tDZdseXGEXNhDYLuA7InXxtXciDxVM6d0PALKz9G+mZsu:LBS8x72+1ZTaIn3siNvePALKs+mt
Score

1^/10
behavioral29 behavioral30
- Target
  
  VenomRAT-V5.6-HVNC/Plugins/Keylogger.exe
- Size
  
  10KB
- MD5
  
  7ed065eaead4459e1b802715367b57d9
- SHA1
  
  70bb5500f80c3c71fbaf7adaea527c16bfca316e
- SHA256
  
  2e6e13e2498910dd511c5eb7a53e29920f8d4bf506df97bd209a27d776ae9068
- SHA512
  
  750ffd5a77f74b2d3bbbbbd83ec91b67193d8ee82780c2bb8e389ea844f16c82c693a8696687bb0e2ab87a77cd3794155857a0124f15124957b8acbc47bcadaf
- SSDEEP
  
  192:Ctmcuq65SoDxi4maEYbRzmEsLkjgv5JHTCeJYHcwY7fazDZEi:CtlF60GE9rUhVsLF5pCrYyvZE
Score

1^/10
behavioral31 behavioral32