General
-
Target
4363463463464363463463463.exe.zip
-
Size
4KB
-
Sample
250114-pwhacaykaz
-
MD5
7b2b0ccc6317a6becadaf5e02311202e
-
SHA1
ccad99b8fad61369101e068f0c3a5bec9cfa309f
-
SHA256
bd948aeb2b607b34e8d32f22b9e5aee402057adebae4a2e0c70bd666e688f1f8
-
SHA512
b7af04ee0792d2a13ffd7013e7c5f98cf037f06f8597e4f3261af04252137483ff7fcb7db28c60a543f130ac65307cd1c7a831c2267fa78a91f9acdcc535744a
-
SSDEEP
96:ALOzCoGgabugh2Yu8fjMIsSv3JGHUrD5gf2jxkS7xQIKWV7YNgGptaT+YaL:ALObGgabf88jgcxR1NWIXWgGpo74
Malware Config
Extracted
quasar
1.4.1
Office04
104.251.123.245:23600
4119a2e0-4ae4-4843-8534-99af91a2475d
-
encryption_key
DF6316067206E09C1F85138FCEBD56F5D94BF6AE
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Startup
-
subdirectory
SubDir
Extracted
metasploit
windows/shell_reverse_tcp
127.0.0.1:443
Extracted
quasar
1.4.1
RAT 5 (EPIC VERISON)
serveo.net:11453
7a1301f7-dc6f-4847-a8ee-ca627a9efa0f
-
encryption_key
3B793156AD6D884F51309D0E992DAA75D03D2783
-
install_name
Application Frame Host.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Microsoft
-
subdirectory
SubDir
Extracted
asyncrat
Default
forums-appliances.gl.at.ply.gg:1962
-
delay
1
-
install
true
-
install_file
windows.exe
-
install_folder
%AppData%
Extracted
cobaltstrike
http://152.67.212.187:443/accelerate/irc/Z0LCY5JYZL5
-
user_agent
Accept: application/xml, image/*, application/json Accept-Language: nl-be Accept-Encoding: gzip, * User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Extracted
quasar
1.4.1
newoffice
117.18.7.76:3782
d908c8ed-ea88-484e-a3d2-dcbe66ac7cfc
-
encryption_key
FD2DE574AF7E363A5304DF85B3475F93A948C103
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Client Startup
-
subdirectory
SubDir
Extracted
quasar
1.4.1
WenzCordRat
nickhill112-22345.portmap.host:22345
7ee1db41-359a-46b2-bba3-791dc7cde5e1
-
encryption_key
985DB7D034DB1B5D52F524873569DDDE4080F31C
-
install_name
WenzCord.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Update.exe
-
subdirectory
SubDir
Targets
-
-
Target
4363463463464363463463463.exe.bin
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Cobaltstrike family
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Async RAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1