General
- Target: e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f.exe
- Size: 1.2MB
- Sample: 241217-kphkbawpbm
- MD5: 0528074646c46eb6ffb9e48903a32f28
- SHA1: 9061cccc3f59146237e6deb056fc05ea4a1b5c6b
- SHA256: e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f
- SHA512: 47f77fa8a67956d8106afac860efde3b7775598464f7f3cdb4c3f4c98b9fe95f85f49abf1ec44d2e2fa6ccd84df3f7f91a07900e0906f2777ae89cbbd340f677
- SSDEEP: 24576:srORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaFjUSbRUu5+Jitsa+AxSpo:s2EYTb8atv1orq+pEiSDTj1VyvBaFRbF
Static task: static1
Behavioral task: behavioral1
- Sample: e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f.exe
- Resource: win7-20241010-en
Malware Config
Extracted: asyncrat
- Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
- Botnet: Default
- C2: 104.244.72.108:9999
- Mutex: ncfsoe5550321hojhanhrzxqoijhkjhgjkhgf
- delay: 1
- install: false
- install_folder: %AppData%
The config is extracted as AsyncRAT but carries a VenomRAT version string; VenomRAT is an AsyncRAT fork, which is why both the Asyncrat and Venomrat family signatures fire below. With install set to false this component does not copy itself into install_folder.
Extracted: quasar
- Version: 1.3.0.0
- Botnet: CPU
- C2: ejss.duckdns.org:2020
- Mutex: QSR_MUTEX_sgY7Anj7tlDvpiNxYU
- encryption_key: H7ySIe3YXqpHozYioZRn
- install_name: BlustacksHelp.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: BlustacksHelp
- subdirectory: BlustacksHelp
The Quasar C2 is a DuckDNS dynamic-DNS host, so the resolved IP can change between runs; pivot on the hostname, the mutex and the BlustacksHelp install/startup names rather than on an IP alone.
Targets
- Target: e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f.exe (1.2MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Signatures
- Asyncrat family
- Quasar family
- Quasar payload
- Venomrat family
- Async RAT payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payloads are not scanned.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
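Added example, not code from the sandbox report or from either RAT: a small Python detector that applies the signatures above to constructed endpoint telemetry. It decodes PowerShell -EncodedCommand payloads (base64 of UTF-16LE) before looking for Add-MpPreference -Exclusion* parameters, the Defender-tampering behaviour flagged under "Command and Scripting Interpreter: PowerShell", and matches network and mutex events against the C2 endpoints and mutex names from the extracted configs. The list of external-IP lookup hosts and all sample events are assumptions; the report names neither the lookup service used nor the exact command line.

```python
"""Added example: apply the report's findings to constructed endpoint telemetry.

Not code from the sandbox or from either RAT. The events below are invented
for the demonstration; the C2 endpoints and mutex names come from the extracted configs."""
import base64
import re
from typing import Dict, List, Optional, Tuple

# C2 endpoints and mutex names from the extracted AsyncRAT/VenomRAT and Quasar configs.
C2_ENDPOINTS = {("104.244.72.108", 9999), ("ejss.duckdns.org", 2020)}
KNOWN_MUTEXES = {"ncfsoe5550321hojhanhrzxqoijhkjhgjkhgf", "QSR_MUTEX_sgY7Anj7tlDvpiNxYU"}

# Assumed list of external-IP lookup services; the report does not say which one was used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "ip-api.com",
                   "icanhazip.com", "checkip.amazonaws.com", "ifconfig.me"}


def _any_prefix(word: str) -> str:
    """Regex alternation of every non-empty prefix of word, longest first.
    powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...)."""
    return "|".join(re.escape(word[:i]) for i in range(len(word), 0, -1))


ENCODED_RE = re.compile(
    r"(?:^|\s)[-/](?:" + _any_prefix("encodedcommand") + r")\s+([A-Za-z0-9+/=]+)", re.I)
EXCLUSION_PARAM_RE = re.compile(r"-exclusion(path|extension|process|ipaddress)\b", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden in a -EncodedCommand argument, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def defender_exclusion_params(cmdline: str) -> List[str]:
    """Exclusion types added via Add-MpPreference, looking through -EncodedCommand first."""
    script = decode_encoded_command(cmdline) or cmdline
    if not re.search(r"add-mppreference", script, re.I):
        return []
    return sorted({p.lower() for p in EXCLUSION_PARAM_RE.findall(script)})


def classify_network(host: str, dport: int) -> Optional[str]:
    """Label a connection as C2 (from the configs) or as an external-IP lookup."""
    host = host.lower().rstrip(".")
    if (host, dport) in C2_ENDPOINTS:
        return "c2_connection"
    if host in IP_LOOKUP_HOSTS:
        return "external_ip_lookup"
    return None


def analyze(events: List[Dict]) -> List[Tuple[str, str]]:
    """Run every check over process/network/mutex events; return (finding, detail) pairs."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        if ev["type"] == "process":
            params = defender_exclusion_params(ev["cmdline"])
            if params:
                findings.append(("defender_exclusion", ",".join(params)))
        elif ev["type"] == "network":
            label = classify_network(ev["host"], ev["dport"])
            if label:
                findings.append((label, f'{ev["host"]}:{ev["dport"]}'))
        elif ev["type"] == "mutex" and ev["name"] in KNOWN_MUTEXES:
            findings.append(("known_rat_mutex", ev["name"]))
    return findings


# Constructed sample telemetry (not from the sandbox run).
_HIDDEN_SCRIPT = "Add-MpPreference -ExclusionProcess BlustacksHelp.exe"
_ENCODED = base64.b64encode(_HIDDEN_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r'powershell.exe -NoProfile -Command "Add-MpPreference '
                                   r'-ExclusionPath $env:APPDATA\BlustacksHelp -ExclusionExtension exe '
                                   r'-ExclusionProcess BlustacksHelp.exe"'},
    {"type": "process", "cmdline": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"type": "process", "cmdline": 'powershell.exe -Command "Get-MpPreference | Select-Object ExclusionPath"'},  # benign
    {"type": "network", "host": "api.ipify.org", "dport": 443},
    {"type": "network", "host": "ejss.duckdns.org", "dport": 2020},
    {"type": "network", "host": "104.244.72.108", "dport": 9999},
    {"type": "network", "host": "www.microsoft.com", "dport": 443},
    {"type": "mutex", "name": "QSR_MUTEX_sgY7Anj7tlDvpiNxYU"},
]

if __name__ == "__main__":
    for finding, detail in analyze(SAMPLE_EVENTS):
        print(f"{finding:22} {detail}")
```

The decode step matters in practice: the plain-text rule alone misses the second sample event, whose Add-MpPreference call only exists inside the base64 blob. The benign Get-MpPreference query is not flagged, and the Defender check deliberately ignores Set-MpPreference and other tampering cmdlets, which the report does not claim this sample uses.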