Extracted

Extracted

Extracted

Extracted

• • Target

    ee7f82c8e4206ef5684612a8bb87659e3de3ec3a6360fa4445c6ba7b09555089

  • Size

    1.1MB

  • MD5

    0333b88f46c3307fc9f81e49879a713a

  • SHA1

    71d9774c6655d70b6bfdde93537ab8a71871f720

  • SHA256

    ee7f82c8e4206ef5684612a8bb87659e3de3ec3a6360fa4445c6ba7b09555089

  • SHA512

    e58bff9a4bf38298c16c1eeb03dd30308ac83c78bacb6109a8a3323a22266e6b1bd4567baffb361def5942a966314ce1c632f1169a33be321d5dcddc7fd24540

  • SSDEEP

    24576:FsZLTFNaRFTbOuOVopBeTy5/9sYfel4nVTGqBJyIkZL:FQLTmTbOJGTmPl4ViNIOL

  Score

  10^/10

  asyncratquasarstormkittyvenomratxwormdefaultoffice05discoveryevasionpersistenceprivilege_escalationratrootkitspywarestealertrojan

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Asyncrat family

    asyncrat

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Stormkitty family

    stormkitty

  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat

  • Venomrat family

    venomrat

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Async RAT payload

    rat

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  behavioral1behavioral2