asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

4363463463464363463463463.zip.zip
Size

394KB
Sample

250120-w3e7wssng1
MD5

22872ef7f39c6c03422b358f867e69b7
SHA1

263dbd53bf3e6766a11e0a0ce896e708be807aa0
SHA256

12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd
SHA512

d26020b40e03a1bc7dff4d872c9421e07681e4bb4bbf9172f063be7d81b060686f1091dd2603de30ae600cae250e4a94cd3f2909e88e2e26b796771b8eb6b817
SSDEEP

12288:YGA+VQGlOa26BcdTJw3dzxdY4BAvcTCyY:YGfQGlg64NWv64AETI

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

exchange-reasonably.gl.at.ply.gg:30620

Mutex

f41ac0c2ea25f3f8b0a75a7371d6b015

Attributes

reg_key
f41ac0c2ea25f3f8b0a75a7371d6b015
splitter
|'|'|

Extracted

Family

xworm

return-carol.gl.at.ply.gg:53275

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

1.tcp.ap.ngrok.io:21049

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
chrome.exe
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

70.34.210.80:4782

192.168.1.203:4782

Mutex

0d965223-b478-41be-af32-ad5a13d78eba

Attributes

encryption_key
EBD92C218F947CFB9F2E27885F8DFFEAE9079F05
install_name
MSWinpreference.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Skype
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

69.160.242.105:4782

69.160.242.105:11066

192.168.31.99:4782

2001:4bc9:1f98:a4e::676:4782

255.255.255.0:4782

fe80::cabf:4cff:fe84:9572%17:4782

137.184.144.245:4782

Mutex

66661e0f-33c3-4f2f-88be-1634de535cd1

Attributes

encryption_key
CBED6820557E8011D93BA51D49F569DE8C1F98B4
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
java updater
subdirectory
SubDir

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

3.70.228.168:555

Mutex

wzchqtvtkfun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://infect-crackle.cyou/api

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ebef1e3c-805b-4b1a-aa24-bf4dcab44476

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Extracted

Family

stealc

Botnet

QQtalk1

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Extracted

Family

asyncrat

Botnet

Default

technical-southwest.gl.at.ply.gg:58694

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

stealc

Botnet

Voov

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Extracted

Family

xworm

Version

5.0

educational-reform.gl.at.ply.gg:49922

Mutex

f7JwPon0oNXMyPPf

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

aes.plain

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

45.136.51.217:2222

Mutex

d1mBeqcqGummV1rEKw

Attributes

encryption_key
h9j7M9986eVjQwMbjacZ
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Extracted

Family

metasploit

Version

windows/reverse_tcp

167.250.49.155:445

Extracted

Family

vidar

Version

11.8

Botnet

41d35cbb974bc2d1287dcd4381b4a2a8

https://t.me/fu4chmo

https://steamcommunity.com/profiles/76561199802540894

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

quasar

Version

1.4.1

Botnet

rat1

unitedrat.ddns.net:4782

Mutex

5100ab61-a5a5-407f-af55-9e7766b9d637

Attributes

encryption_key
AB7A97D9E0F9B0A44190A0D500EAB7AF37629802
install_name
System32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System32
subdirectory
System32

Extracted

Family

stealc

Botnet

7140196255

http://83.217.209.11

Attributes

url_path
/fd2453cf4b7dd4a4.php

Targets

- Target
  
  4363463463464363463463463.exe
- Size
  
  764KB
- MD5
  
  85e3d4ac5a6ef32fb93764c090ef32b7
- SHA1
  
  adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
- SHA256
  
  4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
- SHA512
  
  a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
- SSDEEP
  
  12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufbj:6nsJ39LyjbJkQFMhmC+6GD9mH
Score

10^/10

asyncrat dcrat lumma njrat quasar venomrat xred xworm default hacked office04 backdoor defense_evasion discovery execution infostealer persistence privilege_escalation rat spyware stealer trojan vmprotect metasploit stealc troldesh vidar 41d35cbb974bc2d1287dcd4381b4a2a8 7140196255 office qqtalk1 rat1 voov zjeb ransomware upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Metasploit family
  metasploit
- Njrat family
  njrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Troldesh family
  troldesh
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- UAC bypass
  defense_evasion trojan
- VenomRAT
  Detects VenomRAT.
  rat
- Venomrat family
  venomrat
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Async RAT payload
  rat
- DCRat payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Stops running service(s)
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2