asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

241212-wymq6ssnat_pw_infected.zip
Size

8KB
Sample

250101-xkqrca1lal
MD5

46e1dda34049ae02d12417a9ca4254a8
SHA1

a9f38b7196980f20c3fee1172538db73f2065284
SHA256

ba3b60449327330b4e55df4528ebcfb7b12cd3e51c16d8b56680314e43d72be2
SHA512

92f17e843d624c20ad16360ed855ff1c02895379a83bd2054374f0a6f9ee3697cdee1b4d38b3833bd2c784f45504541729c29c66275eaa7f137d6d47ab340afb
SSDEEP

192:bxH3A0QJWWqMk3Vp/c8hUwuz4TV3JYih6wEpby+Od7/60i2j:bxHNpfVl2bzFWDE9o/60p

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: ftp
Host:
ftp://ftp.hogarsancamilo.org/
Port:
21
Username:
[email protected]
Password:
eg0wtRsF5HKA

Extracted

Family

xworm

Version

5.0

panpoppo-25611.portmap.io:25611

Mutex

bkYwUfZceyxwRCdw

Attributes

Install_directory
%AppData%
install_file
System.exe
telegram
https://api.telegram.org/bot7029474494:AAH1z4aA2-VnubfHzTm9hl-5PQmAMfTuggo/sendMessage?chat_id=5258405739

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Helper Atanka

193.203.238.136:8080

Mutex

14f39659-ca5b-4af7-8045-bed3500c385f

Attributes

encryption_key
11049F2AEBDCF8E3A57474CD5FBA40FB2FFC5424
install_name
diskutil.exe
log_directory
Logs
reconnect_delay
3000
startup_key
diskutil
subdirectory
diskutil

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

91.92.254.40:4782

Mutex

56928f7b-c5c9-4b24-af59-8c509ce1d27e

Attributes

encryption_key
60574F1741A0786C827AF49C652AB3A7DA0533D1
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows System
subdirectory
SubDir

Extracted

Family

gurcu

https://api.telegram.org/bot7029474494:AAH1z4aA2-VnubfHzTm9hl-5PQmAMfTuggo/sendMessage?chat_id=5258405739

Targets

- Target
  
  241212-wymq6ssnat_pw_infected.zip
- Size
  
  8KB
- MD5
  
  46e1dda34049ae02d12417a9ca4254a8
- SHA1
  
  a9f38b7196980f20c3fee1172538db73f2065284
- SHA256
  
  ba3b60449327330b4e55df4528ebcfb7b12cd3e51c16d8b56680314e43d72be2
- SHA512
  
  92f17e843d624c20ad16360ed855ff1c02895379a83bd2054374f0a6f9ee3697cdee1b4d38b3833bd2c784f45504541729c29c66275eaa7f137d6d47ab340afb
- SSDEEP
  
  192:bxH3A0QJWWqMk3Vp/c8hUwuz4TV3JYih6wEpby+Od7/60i2j:bxHNpfVl2bzFWDE9o/60p
Score

10^/10

asyncrat gurcu meduza mimikatz quasar runningrat snakekeylogger vidar xmrig xworm helper atanka office04 collection credential_access defense_evasion discovery evasion execution keylogger miner persistence phishing privilege_escalation pyinstaller rat spyware stealer trojan upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu aka WhiteSnake is a malware stealer written in C#.
  stealer gurcu
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Mimikatz family
  mimikatz
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- RunningRat
  RunningRat is a remote access trojan first seen in 2018.
  rat runningrat
- RunningRat payload
- Runningrat family
  runningrat
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Snakekeylogger family
  snakekeylogger
- UAC bypass
  evasion trojan
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Windows security bypass
  evasion trojan
- XMRig Miner payload
  miner
- Xmrig family
  xmrig
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Async RAT payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- OS Credential Dumping: Security Account Manager
  Malicious Registry Hive Dumping.
  credential_access
- mimikatz is an open source tool to dump credentials on Windows
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Looks for VMWare Tools registry key
  evasion
- Server Software Component: Terminal Services DLL
  persistence
- Stops running service(s)
  evasion execution
- A potential corporate email address has been identified in the URL: cookie-consent@1
  phishing
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads ssh keys stored on the system
  Tries to access SSH used by SSH programs.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Creates a Windows Service
  persistence
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1