Overview

overview

10

Static

static

3

92E44EAD94...10.exe

windows7-x64

10

92E44EAD94...10.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_31fdb1bf0a8b7e585501c3d3205095a0200dc8e40b1a6be5c6ff0f0638875e43

  • Size

    21.1MB

  • Sample

    241225-zssxsaxqap

  • MD5

    9160e153c1eb729a9e47f9fe293e4138

  • SHA1

    a59e00864fe0cdc14f927b3004e0e8b06d9655bc

  • SHA256

    31fdb1bf0a8b7e585501c3d3205095a0200dc8e40b1a6be5c6ff0f0638875e43

  • SHA512

    ecd423acdb41e8f9aeff663d5ed1c77e1c475c7a7134ee8303fe64b9a31498ade30ff3a96765c18aa6d53f23ff4d23888d38228f6521113f38819cc23b0f20af

  • SSDEEP

    393216:WRWb6O5mKBrPTbY7yXY7asMMnu7JYfgOdJ91lM/HI9RZ:WUb6uBfbcaCQYIOdJxM/Hg

Score
10/10
asyncratdarkcometquasardefaultnetshareoffice15discoveryevasionratspywaretrojan

Malware Config

Extracted

Family

darkcomet

Botnet

netshare

C2

novachrono.dyndns-ip.com:51399

Mutex

DC_MUTEX-6JFEBFK

Attributes
  • gencode

    jJtniSTX6QWK

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

novachrono.dyndns-ip.com:51397

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_file

    repair-win.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.0

Botnet

Office15

C2

novachrono.dyndns-ip.com:51396

Mutex

f855a54f-46fa-48dc-a390-f591a2e4bd98

Attributes
  • encryption_key

    E5D6E7988D0C5E1B3786B30C1AE84CBBC1CF4B1E

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

    • Target

      92E44EAD94437A6F12BCD4BBF2E016BE0099B547CA78146272FBB16363AC3310

    • Size

      21.3MB

    • MD5

      223eb1433f7cd227555d88fc906c439a

    • SHA1

      0fdcb189fc89fffd45d686923e1dcd1c71f91444

    • SHA256

      92e44ead94437a6f12bcd4bbf2e016be0099b547ca78146272fbb16363ac3310

    • SHA512

      44689f5f849f2c7c1fb3af7919f42d5396006cbf5f12a79b186747e1710f6aaea52cd2985d5d7ae7f87ae63e070b7ed0bb9d1febd1954bcc90d4ee409b3492ca

    • SSDEEP

      393216:3ppWYSq1A5Jm69mhzyoEsDU6iauKgdBGaSbLb0Kr+B2p9Zey0WThqji7l2D:ZpWYvkJH97oMTKKG1Lb01gpvdyi7i

    Score
    10/10
    asyncratdarkcometquasardefaultnetshareoffice15discoveryevasionratspywaretrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Darkcomet family

      darkcomet

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Async RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks