asyncrat

Resubmissions

17-12-2024 13:35

241217-qv6rzs1nhp 10

15-11-2024 19:06

14-11-2024 23:35

14-11-2024 23:26

14-11-2024 23:12

Sharing

Copy URL

Twitter E-mail

General

Target

4363463463464363463463463.exe
Size

10KB
Sample

241114-3eysnavfje
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

redline

Botnet

Logs

185.215.113.9:9137

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

18.ip.gl.ply.gg:6606

18.ip.gl.ply.gg:7707

18.ip.gl.ply.gg:8808

18.ip.gl.ply.gg:9028

Mutex

7U2HW8ZYjc9H

Attributes

delay
3
install
true
install_file
Discord.exe
install_folder
%AppData%

aes.plain

Extracted

Family

vidar

Version

11.5

Botnet

321a707fa673780c2e4ab40d133f2899

https://t.me/gos90t

https://steamcommunity.com/profiles/76561199800374635

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.43.241:4782

91.92.254.40:4782

Mutex

0517af80-95f0-4a6d-a904-5b7ee8faa157

Attributes

encryption_key
6095BF6D5D58D02597F98370DFD1CCEB782F1EDD
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
SubDir

Extracted

Family

xworm

pressure-creates.gl.at.ply.gg:56274

assistance-arbitration.gl.at.ply.gg:12152

rondtimes.top:1940

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Extracted

Family

redline

185.215.113.9:12617

Extracted

Family

redline

Botnet

30072024

185.215.113.67:40960

Extracted

Family

redline

Botnet

newbundle2

185.215.113.67:15206

Extracted

Family

redline

Botnet

BUY TG @FATHEROFCARDERS

45.66.231.214:9932

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

metasploit_stager

144.34.162.13:3333

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

89.105.223.196:29862

Extracted

Family

quasar

Version

1.4.0

Botnet

svhost

151.177.61.79:4782

Mutex

a148a6d8-1253-4e62-bc5f-c0242dd62e69

Attributes

encryption_key
5BEC1A8BC6F8F695D1337C51454E0B7F3A4FE968
install_name
svhost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
svhost

Extracted

Family

vidar

Version

10.6

Botnet

af458cf23e4b27326a35871876cc63d9

https://steamcommunity.com/profiles/76561199747278259

https://t.me/armad2a

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36

Targets

- Target
  
  4363463463464363463463463.exe
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

10^/10

asyncrat metasploit neshta phorphiex quasar redline vidar xmrig xworm 30072024 321a707fa673780c2e4ab40d133f2899 af458cf23e4b27326a35871876cc63d9 buy tg @fatherofcarders default logs newbundle2 office04 svhost tg cloud @rlreborn admin @fatherofcarders backdoor credential_access defense_evasion discovery evasion execution impact infostealer loader miner persistence pyinstaller ransomware rat spyware stealer trojan upx worm
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Neshta payload
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Metasploit family
  metasploit
- Modifies security service
  evasion
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Neshta family
  neshta
- Phorphiex family
  phorphiex
- Phorphiex payload
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Windows security bypass
  evasion trojan
- Xmrig family
  xmrig
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Async RAT payload
  rat
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies boot configuration data using bcdedit
  ransomware evasion
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion execution
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1