asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

241212-wymq6ssnat_pw_infected.zip
Size

8KB
Sample

250101-xyydcayrex
MD5

46e1dda34049ae02d12417a9ca4254a8
SHA1

a9f38b7196980f20c3fee1172538db73f2065284
SHA256

ba3b60449327330b4e55df4528ebcfb7b12cd3e51c16d8b56680314e43d72be2
SHA512

92f17e843d624c20ad16360ed855ff1c02895379a83bd2054374f0a6f9ee3697cdee1b4d38b3833bd2c784f45504541729c29c66275eaa7f137d6d47ab340afb
SSDEEP

192:bxH3A0QJWWqMk3Vp/c8hUwuz4TV3JYih6wEpby+Od7/60i2j:bxHNpfVl2bzFWDE9o/60p

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

82.117.243.110:5173

Mutex

edH11NGQWIdCwvLx00

Attributes

encryption_key
aGPuRaDerdUDJPrAfXtB
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Framework
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

185.228.82.21:4782

14.243.221.170:2654

tieumao1995-51127.portmap.io:51127

Mutex

59c47ccd-e59a-4ccb-933e-f1094e43684c

Attributes

encryption_key
7CDE15C94B12183E5BC0673A57C6342C87E44E2A
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
msgde
subdirectory
SubDir

Extracted

Family

njrat

Version

im523

Botnet

svchost.exe

pool-tournaments.gl.at.ply.gg:7445

Mutex

65449e22560e51e0740c2a10dc6c9c59

Attributes

reg_key
65449e22560e51e0740c2a10dc6c9c59
splitter
|'|'|

Extracted

Family

xworm

Version

5.0

event-dollar.gl.at.ply.gg:42627

Mutex

Vu8KDOzYd19RAWuh

Attributes

Install_directory
%ProgramData%
install_file
Desktop Window Manager.exe
telegram
https://api.telegram.org/bot7269786725:AAF0IPx1BWTdW_vbZqP8HGNrxWWFpF5CvYs/sendMessage?chat_id=5465523859

aes.plain

Extracted

Family

metasploit

Version

windows/reverse_tcp

100.40.188.115:443

Extracted

Family

xworm

147.185.221.22:47930

127.0.0.1:47930

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

Helper Atanka

193.203.238.136:8080

Mutex

14f39659-ca5b-4af7-8045-bed3500c385f

Attributes

encryption_key
11049F2AEBDCF8E3A57474CD5FBA40FB2FFC5424
install_name
diskutil.exe
log_directory
Logs
reconnect_delay
3000
startup_key
diskutil
subdirectory
diskutil

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

6.tcp.eu.ngrok.io:12925

stuff-data.gl.at.ply.gg:54296

Mutex

hDtjdONRXVCh

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

lumma

https://preside-comforter.sbs/api

https://savvy-steereo.sbs/api

https://copper-replace.sbs/api

https://record-envyp.sbs/api

https://slam-whipp.sbs/api

https://wrench-creter.sbs/api

https://looky-marked.sbs/api

https://plastic-mitten.sbs/api

https://voter-screnn.cyou/api

Extracted

Family

risepro

3.36.173.8:50500

Extracted

Family

darkvision

acuweld.ddns.net

Targets

- Target
  
  241212-wymq6ssnat_pw_infected.zip
- Size
  
  8KB
- MD5
  
  46e1dda34049ae02d12417a9ca4254a8
- SHA1
  
  a9f38b7196980f20c3fee1172538db73f2065284
- SHA256
  
  ba3b60449327330b4e55df4528ebcfb7b12cd3e51c16d8b56680314e43d72be2
- SHA512
  
  92f17e843d624c20ad16360ed855ff1c02895379a83bd2054374f0a6f9ee3697cdee1b4d38b3833bd2c784f45504541729c29c66275eaa7f137d6d47ab340afb
- SSDEEP
  
  192:bxH3A0QJWWqMk3Vp/c8hUwuz4TV3JYih6wEpby+Od7/60i2j:bxHNpfVl2bzFWDE9o/60p
Score

10^/10

asyncrat darkvision lumma metasploit mimikatz njrat quasar risepro vidar xmrig xworm default helper atanka office office04 svchost.exe backdoor credential_access defense_evasion discovery evasion execution miner persistence privilege_escalation rat spyware stealer themida trojan upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- DarkVision Rat
  DarkVision Rat is a trojan written in C++.
  rat darkvision
- Darkvision family
  darkvision
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Metasploit family
  metasploit
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Mimikatz family
  mimikatz
- Njrat family
  njrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Risepro family
  risepro
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- XMRig Miner payload
  miner
- Xmrig family
  xmrig
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Async RAT payload
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- mimikatz is an open source tool to dump credentials on Windows
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1