General

  • Target

    e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f.exe

  • Size

    1.2MB

  • Sample

    241217-kphkbawpbm

  • MD5

    0528074646c46eb6ffb9e48903a32f28

  • SHA1

    9061cccc3f59146237e6deb056fc05ea4a1b5c6b

  • SHA256

    e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f

  • SHA512

    47f77fa8a67956d8106afac860efde3b7775598464f7f3cdb4c3f4c98b9fe95f85f49abf1ec44d2e2fa6ccd84df3f7f91a07900e0906f2777ae89cbbd340f677

  • SSDEEP

    24576:srORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaFjUSbRUu5+Jitsa+AxSpo:s2EYTb8atv1orq+pEiSDTj1VyvBaFRbF

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

104.244.72.108:9999

Mutex

ncfsoe5550321hojhanhrzxqoijhkjhgjkhgf

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

quasar

Version

1.3.0.0

Botnet

CPU

C2

ejss.duckdns.org:2020

Mutex

QSR_MUTEX_sgY7Anj7tlDvpiNxYU

Attributes
  • encryption_key

    H7ySIe3YXqpHozYioZRn

  • install_name

    BlustacksHelp.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    BlustacksHelp

  • subdirectory

    BlustacksHelp

Targets

    • Target

      e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f.exe

    • Size

      1.2MB

    • MD5

      0528074646c46eb6ffb9e48903a32f28

    • SHA1

      9061cccc3f59146237e6deb056fc05ea4a1b5c6b

    • SHA256

      e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f

    • SHA512

      47f77fa8a67956d8106afac860efde3b7775598464f7f3cdb4c3f4c98b9fe95f85f49abf1ec44d2e2fa6ccd84df3f7f91a07900e0906f2777ae89cbbd340f677

    • SSDEEP

      24576:srORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaFjUSbRUu5+Jitsa+AxSpo:s2EYTb8atv1orq+pEiSDTj1VyvBaFRbF

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • VenomRAT

      Detects VenomRAT.

    • Venomrat family

    • Async RAT payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks