asyncrat

Target

4363463463464363463463463.exe.zip
Size

4KB
Sample

250116-v27eba1lew
MD5

7b2b0ccc6317a6becadaf5e02311202e
SHA1

ccad99b8fad61369101e068f0c3a5bec9cfa309f
SHA256

bd948aeb2b607b34e8d32f22b9e5aee402057adebae4a2e0c70bd666e688f1f8
SHA512

b7af04ee0792d2a13ffd7013e7c5f98cf037f06f8597e4f3261af04252137483ff7fcb7db28c60a543f130ac65307cd1c7a831c2267fa78a91f9acdcc535744a
SSDEEP

96:ALOzCoGgabugh2Yu8fjMIsSv3JGHUrD5gf2jxkS7xQIKWV7YNgGptaT+YaL:ALObGgabf88jgcxR1NWIXWgGpo74

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
92.205.169.3
Port:
21
Username:
ftp
Password:
7777777

Extracted

Family

xworm

Version

5.0

educational-reform.gl.at.ply.gg:49922

week-dictionary.gl.at.ply.gg:12466

Mutex

f7JwPon0oNXMyPPf

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

aes.plain

Extracted

Family

remcos

Botnet

Crypt

185.225.73.67:1050

Attributes

audio_folder
576ruythg6534trewf
audio_path
%WinDir%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
76y5trfed675ytg.exe
copy_folder
kjhgfdc
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
654ytrf654trf654ytgref.dat
keylog_flag
false
keylog_folder
67yrtg564tr6754yter
mouse_option
false
mutex
89765y4tergfw6587ryute-80UMP1
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
67y4htergf65trgewfd654tyrfg
screenshot_path
%Temp%
screenshot_time
10
startup_value
6754ytr756ytr7654yretg8765uyt
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
bank

Extracted

Family

lumma

https://powerful-avoids.sbs/api

https://motion-treesz.sbs/api

https://disobey-curly.sbs/api

https://leg-sate-boat.sbs/api

https://story-tense-faz.sbs/api

https://blade-govern.sbs/api

https://occupy-blushi.sbs/api

https://frogs-severz.sbs/api

https://aqua-tic-draco.cyou/api

https://servicedny.site/api

https://authorisev.site/api

https://faulteyotk.site/api

https://dilemmadu.site/api

https://contemteny.site/api

https://goalyfeastz.site/api

https://opposezmny.site/api

https://seallysl.site/api

https://ponintnykqwm.shop/api

https://scriptyprefej.store/api

https://navygenerayk.store/api

Extracted

Family

quasar

Version

1.4.1

Botnet

Iwantusamo

98.51.190.130:20

Mutex

de054988-dbed-49f6-834a-dda51ccd494b

Attributes

encryption_key
28DB6A992E078CF6FE82A1042CC979D37C6466CE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

xworm

Version

3.0

notes-congress.gl.at.ply.gg:24370

Mutex

xfgLgucyz0P7wfhC

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

redline

Botnet

@glowfy0

91.214.78.86:1912

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

45.136.51.217:2222

Mutex

d1mBeqcqGummV1rEKw

Attributes

encryption_key
h9j7M9986eVjQwMbjacZ
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Extracted

Family

discordrat

Attributes

discord_token
MTAyOTM3NzcyMzcxNTU1OTQ2NA.G7rtDA.iVKPgXW9sMwRqiFimO_Rdc0nXAigNycwugkM4k
server_id
696661218521251871

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

14.243.221.170:3322

192.168.0.14:4343

Mutex

ynBzTukwLg8N

Attributes

delay
3
install
false
install_file
Clean.bat
install_folder
%Temp%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

botnet

165.227.31.192:22069

193.161.193.99:64425

193.161.193.99:60470

Mutex

713051d4-4ad4-4ad0-b2ed-4ddd8fe2349d

Attributes

encryption_key
684009117DF150EF232A2EE8AE172085964C1CF0
install_name
System.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Office
subdirectory
Winrar

Extracted

Family

metasploit

Version

windows/reverse_tcp

89.197.154.116:7810

Extracted

Family

rhadamanthys

https://185.196.11.237:9697/f002171ab05c7/9xqdctgg.ir1fr

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.79:4782

0.tcp.in.ngrok.io:14296

Mutex

956eafb2-7482-407b-bff4-d2b57a1c3d75

Attributes

encryption_key
EFEBD005E03B8B8669985D9A167E2BEF9FFCA477
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

qrpn9be.localto.net:2810

Mutex

fc5edab1-6e8f-4963-98aa-bd077e08750f

Attributes

encryption_key
F749DCAC94A1FC3102D2B0CFBBFCB76086F86568
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
a7

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ad21b115-2c1b-40cb-adba-a50736b76c21

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Extracted

Family

stealc

Botnet

QQtalk1

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Targets

- Target
  
  4363463463464363463463463.exe.bin
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

10^/10

asyncrat dcrat discordrat lumma metasploit mimikatz modiloader njrat quasar redline remcos rhadamanthys stealc systembc vidar xworm @glowfy0 botnet crypt default iwantusamo office office04 qqtalk1 runtimebroker zjeb backdoor defense_evasion discovery evasion execution infostealer persistence privilege_escalation pyinstaller rat rootkit spyware stealer themida trojan upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Discordrat family
  discordrat
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Metasploit family
  metasploit
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Mimikatz family
  mimikatz
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Modiloader family
  modiloader
- Njrat family
  njrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Rhadamanthys family
  rhadamanthys
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- SystemBC
  SystemBC is a proxy and remote administration tool first seen in 2019.
  trojan systembc
- Systembc family
  systembc
- UAC bypass
  evasion trojan
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Async RAT payload
  rat
- DCRat payload
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- ModiLoader Second Stage
- mimikatz is an open source tool to dump credentials on Windows
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Contacts a large (896) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1