asyncrat

Target

4363463463464363463463463.exe.zip
Size

4KB
Sample

250116-v1g32a1qfk
MD5

7b2b0ccc6317a6becadaf5e02311202e
SHA1

ccad99b8fad61369101e068f0c3a5bec9cfa309f
SHA256

bd948aeb2b607b34e8d32f22b9e5aee402057adebae4a2e0c70bd666e688f1f8
SHA512

b7af04ee0792d2a13ffd7013e7c5f98cf037f06f8597e4f3261af04252137483ff7fcb7db28c60a543f130ac65307cd1c7a831c2267fa78a91f9acdcc535744a
SSDEEP

96:ALOzCoGgabugh2Yu8fjMIsSv3JGHUrD5gf2jxkS7xQIKWV7YNgGptaT+YaL:ALObGgabf88jgcxR1NWIXWgGpo74

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

0.tcp.us-cal-1.ngrok.io:11837

Mutex

11bbf22e-826e-486b-b024-adbd86228a9e

Attributes

encryption_key
7A589EDBC6A581E125BF830EF0D05FC74BB75E30
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ctfmon
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Manager

serveo.net:11453

Mutex

a851cc5b-e50f-4270-9929-06c6323cdb3d

Attributes

encryption_key
5A3C537E5FB2739D5B2468FC37915D58EF4AC5EA
install_name
Runtime broker.exe
log_directory
Microsoftsessential
reconnect_delay
3000
startup_key
Runtime broker
subdirectory
Microsoft_Essentials

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

0.tcp.eu.ngrok.io:15174

0.tcp.in.ngrok.io:10147

172.204.136.22:1604

Mutex

aNoM7pvDUvoo

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

127.0.0.1:48990

147.185.221.22:48990

163.5.215.245:9049

Attributes

Install_directory
%Userprofile%
install_file
svchostt.exe

aes.plain

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

45.136.51.217:2222

82.117.243.110:5173

Mutex

d1mBeqcqGummV1rEKw

Attributes

encryption_key
h9j7M9986eVjQwMbjacZ
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Extracted

Family

stealc

Botnet

QQtalk1

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Extracted

Family

vidar

Version

11.3

Botnet

a21440e9f7223be06be5f5e2f94969c7

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

xworm

Version

3.0

Attributes

Install_directory
%Userprofile%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/ct3KF8KR

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

3.70.228.168:555

Mutex

bslxturcmlpmyqrv

Attributes

delay
1
install
true
install_file
atat.exe
install_folder
%AppData%

aes.plain

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://ponintnykqwm.shop/api

Extracted

Family

stealc

Botnet

Voov2

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Extracted

Family

quasar

Version

1.4.1

Botnet

Helper Atanka

193.203.238.136:8080

Mutex

14f39659-ca5b-4af7-8045-bed3500c385f

Attributes

encryption_key
11049F2AEBDCF8E3A57474CD5FBA40FB2FFC5424
install_name
diskutil.exe
log_directory
Logs
reconnect_delay
3000
startup_key
diskutil
subdirectory
diskutil

Targets

- Target
  
  4363463463464363463463463.exe.bin
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

10^/10

asyncrat lockbit lumma quasar stealc vidar xworm a21440e9f7223be06be5f5e2f94969c7 default helper atanka manager office office04 qqtalk1 voov2 discovery evasion execution persistence privilege_escalation pyinstaller ransomware rat spyware stealer trojan upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- Lockbit
  Ransomware family with multiple variants released since late 2019.
  ransomware lockbit
- Lockbit family
  lockbit
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Rule to detect Lockbit 3.0 ransomware Windows payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1