asyncrat

General

Target

http://google.com
Sample

250107-yr5drayjer

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

77.105.166.57:7000

Mutex

s7mg2orn5bDic4mI

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

91.92.254.40:4782

Mutex

56928f7b-c5c9-4b24-af59-8c509ce1d27e

Attributes

encryption_key
60574F1741A0786C827AF49C652AB3A7DA0533D1
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows System
subdirectory
SubDir

Extracted

Family

xworm

Version

5.0

C2

87.120.113.179:7000

Mutex

V4yRYee7YjNUwhyu

Attributes

Install_directory
%AppData%
install_file
WindowsDefender.exe

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Main

C2

tpinauskas-54803.portmap.host:54803

Mutex

8422dcc2-b8bd-4080-a017-5b62524b6546

Attributes

encryption_key
2EFF7393DC1BD9FBDDD61A780B994B8166BAB8EC
install_name
Win64.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Win64
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Java

C2

dez345-37245.portmap.host:37245

Mutex

f0e53bcd-851e-44af-8fd5-07d8ab5ed968

Attributes

encryption_key
65439CE7DEF3E0FAF01C526FEA90388C9FD487A1
install_name
java.exe
log_directory
Logs
reconnect_delay
3000
startup_key
java ©
subdirectory
Programfiles

Targets

- Target
  
  http://google.com
Score

10^/10

asyncrat quasar stormkitty xworm java main office04 defense_evasion discovery execution persistence rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Xworm Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1