asyncrat

Target

Downloaders.zip
Size

12KB
Sample

241126-xgsfrstqav
MD5

94fe78dc42e3403d06477f995770733c
SHA1

ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512

add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP

384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

newwwwwwwwwwwwwwwwww

185.16.38.41:2033

185.16.38.41:2034

185.16.38.41:2035

185.16.38.41:2022

185.16.38.41:2023

185.16.38.41:2024

185.16.38.41:20000

185.16.38.41:6666

Mutex

AsyncMutex_XXXX765643

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

sound-vietnam.gl.at.ply.gg:52575

Attributes

Install_directory
%LocalAppData%
install_file
Terraria-Multiplayer-Fix-Online.exe

Extracted

Family

redline

Botnet

185.215.113.25:13686

Extracted

Family

lumma

https://powerful-avoids.sbs

https://motion-treesz.sbs

https://disobey-curly.sbs

https://leg-sate-boat.sbs

https://story-tense-faz.sbs

https://blade-govern.sbs

https://occupy-blushi.sbs

https://frogs-severz.sbs

https://property-imper.sbs

https://push-hook.cyou

https://p3ar11fter.sbs

https://3xp3cts1aim.sbs

https://owner-vacat10n.sbs

https://peepburry828.sbs

https://p10tgrace.sbs

https://befall-sm0ker.sbs

https://librari-night.sbs

https://processhol.sbs

https://cook-rain.sbs

https://crib-endanger.sbs

Extracted

Family

quasar

Version

1.4.1

Botnet

sigorta

18.198.25.148:1604

Mutex

af7e773d-541a-46fd-87d3-06bb0a26aab9

Attributes

encryption_key
D306945220105109C86E6E257D749CE885E76091
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

metasploit_stager

144.34.162.13:3333

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

85.198.108.36:7667

Mutex

egghlcckqridunl

Attributes

delay
6
install
false
install_folder
%Temp%

aes.plain

Extracted

Family

redline

Botnet

LiveTraffic

95.179.250.45:26212

Extracted

Family

redline

Botnet

TG@CVV88888

185.218.125.157:21441

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

3.70.228.168:555

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

redline

185.215.113.67:21405

Extracted

Family

skuld

https://discordapp.com/api/webhooks/1293231846204903474/NlFoQQli1eEBiZ1mTgA4lGWcgDGUPQu-TH2KjA0djnkLkN-1Rj1Y4K7wda0xn3Aw-GJk

Extracted

Family

phemedrone

https://api.telegram.org/bot7414426785:AAGjcWvGORe1_ToCk6Lpu9MSjNamkIOlrLs/sendDocument

Extracted

Family

quasar

Version

1.4.1

Botnet

CleanerV2

192.168.4.185:4782

Mutex

1607a026-352e-4041-bc1f-757dd6cd2e95

Attributes

encryption_key
73BCD6A075C4505333DE1EDC77C7242196AF9552
install_name
Client.exe
log_directory
Clean
reconnect_delay
3000
startup_key
CleanerV2
subdirectory
SubDir

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

18.ip.gl.ply.gg:6606

18.ip.gl.ply.gg:7707

18.ip.gl.ply.gg:8808

18.ip.gl.ply.gg:9028

Mutex

7U2HW8ZYjc9H

Attributes

delay
3
install
true
install_file
Discord.exe
install_folder
%AppData%

Protocol: ftp
Host:
208.199.140.5
Port:
21
Username:
user
Password:
elephant

Extracted

Credentials

Protocol: ftp
Host:
87.106.59.6
Port:
21
Username:
user
Password:
killer

Extracted

Credentials

Protocol: ftp
Host:
38.180.98.11
Port:
21
Username:
ftp
Password:
Salam

Extracted

Credentials

Protocol: ftp
Host:
159.220.53.17
Port:
21
Username:
administrator
Password:
008400

Extracted

Credentials

Protocol: ftp
Host:
217.128.206.32
Port:
21
Username:
user
Password:
U9000

Extracted

Credentials

Protocol: ftp
Host:
40.118.234.37
Port:
21
Username:
user
Password:
TEST

Extracted

Credentials

Protocol: ftp
Host:
45.6.128.38
Port:
21
Username:
ftp
Password:
BMWM5

Extracted

Credentials

Protocol: ftp
Host:
45.252.250.56
Port:
21
Username:
administrator
Password:
Test123

Extracted

Credentials

Protocol: ftp
Host:
118.218.200.59
Port:
21
Username:
root

Extracted

Credentials

Protocol: ftp
Host:
151.80.27.67
Port:
21
Username:
admin
Password:
ubqe

Extracted

Credentials

Protocol: ftp
Host:
207.5.52.67
Port:
21
Username:
admin
Password:
abcd1234

Extracted

Family

xworm

Version

5.0

68.178.207.33:7000

Mutex

sSM7p4MT4JctLnRS

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

Version

3.1

18.181.154.24:7000

Mutex

w8DsMRIhXrOmk0Gn

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Targets

- Target
  
  4363463463464363463463463.exe
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

10^/10

asyncrat babbleloader gurcu lumma metasploit njrat phemedrone phorphiex quasar redline remcos skuld xworm zharkbot am cleanerv2 default livetraffic newwwwwwwwwwwwwwwwww sigorta tg@cvv88888 backdoor botnet credential_access defense_evasion discovery evasion execution infostealer loader persistence privilege_escalation pyinstaller ransomware rat spyware stealer themida trojan upx worm
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- BabbleLoader
  BabbleLoader is a malware loader written in C++.
  loader babbleloader
- Babbleloader family
  babbleloader
- Detect Xworm Payload
- Detects BabbleLoader Payload
- Detects ZharkBot payload
  ZharkBot is a botnet written C++.
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu aka WhiteSnake is a malware stealer written in C#.
  stealer gurcu
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Metasploit family
  metasploit
- Modifies WinLogon for persistence
  persistence
- Njrat family
  njrat
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- Phemedrone family
  phemedrone
- Phorphiex family
  phorphiex
- Phorphiex payload
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Skuld family
  skuld
- Skuld stealer
  An info stealer written in Go lang.
  stealer skuld
- Suspicious use of NtCreateUserProcessOtherParentProcess
- UAC bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- ZharkBot
  ZharkBot is a botnet written C++.
  botnet zharkbot
- Zharkbot family
  zharkbot
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Async RAT payload
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Adds policy Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Disables RegEdit via registry modification
  evasion
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
  persistence
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Enumerates processes with tasklist
  discovery
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1
- Target
  
  New Text Document mod.exe
- Size
  
  8KB
- MD5
  
  69994ff2f00eeca9335ccd502198e05b
- SHA1
  
  b13a15a5bea65b711b835ce8eccd2a699a99cead
- SHA256
  
  2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
- SHA512
  
  ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
- SSDEEP
  
  96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Score

10^/10

lokibot lumma redline sectoprat xworm zharkbot botnet collection credential_access defense_evasion discovery evasion execution infostealer persistence privilege_escalation pyinstaller rat spyware stealer themida trojan upx vmprotect
- Detect Xworm Payload
- Detects ZharkBot payload
  ZharkBot is a botnet written C++.
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Lokibot family
  lokibot
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Modifies WinLogon for persistence
  persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- UAC bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- ZharkBot
  ZharkBot is a botnet written C++.
  botnet zharkbot
- Zharkbot family
  zharkbot
- Contacts a large (6390) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Indicator Removal: Network Share Connection Removal
  Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
  defense_evasion
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral2