asyncrat

Target

Downloaders.zip
Size

12KB
Sample

241126-2gvncasrhw
MD5

94fe78dc42e3403d06477f995770733c
SHA1

ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512

add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP

384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

database

86.234.237.85:4782

Mutex

6f01bdde-f654-4a13-8435-03f5c516c5db

Attributes

encryption_key
65940F11374651C87E8131C4328E542AEFE6F05D
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
Runtime Broker

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

newwwwwwwwwwwwwwwwww

185.16.38.41:2033

185.16.38.41:2034

185.16.38.41:2035

185.16.38.41:2022

185.16.38.41:2023

185.16.38.41:2024

185.16.38.41:20000

185.16.38.41:6666

Mutex

AsyncMutex_XXXX765643

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

62.113.117.95:5665

68.178.207.33:7000

Mutex

oQNXB2TbsZoFMnfW

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

sound-vietnam.gl.at.ply.gg:52575

Attributes

Install_directory
%LocalAppData%
install_file
Terraria-Multiplayer-Fix-Online.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

91.92.243.191:5401

Mutex

fce41024-0e2f-475b-929b-e58a126341bd

Attributes

encryption_key
802CAE367B042C840DD4E29539BB1BFEC16FB48A
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
vchost32
subdirectory
SubDir

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

62.113.117.95:4449

127.0.0.1:4449

135.181.185.254:4449

212.15.49.155:4449

Mutex

hwelcvbupaqfzors

Attributes

delay
10
install
false
install_folder
%AppData%

aes.plain

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://176.113.115.178/FF/2.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://176.113.115.178/FF/3.png

Extracted

Language

hta

Source

URLs

hta.dropper

http://176.113.115.178/Windows-Update

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://176.113.115.178/FF/1.png

Extracted

Credentials

Protocol: ftp
Host:
148.135.138.18
Port:
21
Username:
root
Password:
M0tH3ro0

Extracted

Credentials

Protocol: ftp
Host:
147.79.92.26
Port:
21
Username:
ftp
Password:
qwert

Extracted

Credentials

Protocol: ftp
Host:
149.18.50.33
Port:
21
Username:
ftp
Password:
654321

Extracted

Credentials

Protocol: ftp
Host:
35.214.244.43
Port:
21
Username:
ftp
Password:
iloveyou

Extracted

Family

lumma

https://crib-endanger.sbs

https://faintbl0w.sbs

https://300snails.sbs

https://bored-light.sbs

https://3xc1aimbl0w.sbs

https://pull-trucker.sbs

https://fleez-inc.sbs

https://thicktoys.sbs

https://frogmen-smell.sbs

https://p3ar11fter.sbs

https://3xp3cts1aim.sbs

https://owner-vacat10n.sbs

https://peepburry828.sbs

https://p10tgrace.sbs

https://befall-sm0ker.sbs

https://librari-night.sbs

https://processhol.sbs

https://cook-rain.sbs

Extracted

Family

xworm

Version

3.1

18.181.154.24:7000

Mutex

w8DsMRIhXrOmk0Gn

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Targets

- Target
  
  4363463463464363463463463.exe
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

10^/10

asyncrat exelastealer jigsaw monster phorphiex quasar xworm zharkbot database default newwwwwwwwwwwwwwwwww office04 botnet collection credential_access defense_evasion discovery evasion execution loader persistence privilege_escalation pyinstaller ransomware rat spyware stealer themida trojan vmprotect worm
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Xworm Payload
- Detects Monster Stealer.
- Detects ZharkBot payload
  ZharkBot is a botnet written C++.
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Exelastealer family
  exelastealer
- Jigsaw Ransomware
  Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
  ransomware jigsaw
- Jigsaw family
  jigsaw
- Monster
  Monster is a Golang stealer that was discovered in 2024.
  stealer monster
- Monster family
  monster
- Phorphiex family
  phorphiex
- Phorphiex payload
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- ZharkBot
  ZharkBot is a botnet written C++.
  botnet zharkbot
- Zharkbot family
  zharkbot
- Async RAT payload
  rat
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Renames multiple (1499) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  New Text Document mod.exe
- Size
  
  8KB
- MD5
  
  69994ff2f00eeca9335ccd502198e05b
- SHA1
  
  b13a15a5bea65b711b835ce8eccd2a699a99cead
- SHA256
  
  2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
- SHA512
  
  ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
- SSDEEP
  
  96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Score

10^/10

asyncrat lokibot lumma purplefox xworm zharkbot default botnet collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation pyinstaller rat rootkit spyware stealer trojan upx vmprotect
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Detect Xworm Payload
- Detects ZharkBot payload
  ZharkBot is a botnet written C++.
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Lokibot family
  lokibot
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Purplefox family
  purplefox
- Suspicious use of NtCreateUserProcessOtherParentProcess
- UAC bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- ZharkBot
  ZharkBot is a botnet written C++.
  botnet zharkbot
- Zharkbot family
  zharkbot
- Contacts a large (4144) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Indicator Removal: Network Share Connection Removal
  Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
  defense_evasion
- Stops running service(s)
  evasion execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral2