Extracted

Extracted

Extracted

Extracted

• • Target

    8a3da2a07e82bf22f3cd239de861b2b8c50c9fe9ee2ba12a33564e1b5cc93fed.exe

  • Size

    1.1MB

  • MD5

    f1424e5b9810a4a9c33506aa784fca89

  • SHA1

    4ad6287fe149832551afbcb1113db50cd133777b

  • SHA256

    8a3da2a07e82bf22f3cd239de861b2b8c50c9fe9ee2ba12a33564e1b5cc93fed

  • SHA512

    e03432137a7c12c03d34302fe4e1774a3a08935d39f665e4086fd8637f4ea961a645e2a8bb3cd85dd24c54861e4f01b0500a70641e2fa3a4a09e2e89a3b77380

  • SSDEEP

    12288:JYYjzzONcuuIYsYNeaCbU6sKySaVQ4pBgncu7EKHCBbsCU/hpgmxCBbsCUXEGnF9:eg9uurUngnBU97EniCUppoiCUXfF9

  Score

  10^/10

  asyncratquasarstormkittyvenomratxwormdefaultoffice04credential_accessdiscoveryevasionpersistenceprivilege_escalationratrootkitspywarestealertrojan

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar payload

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Async RAT payload

    rat

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  behavioral1behavioral2