Resubmissions
24-01-2025 01:23
250124-br1z1asnhz 1024-01-2025 00:12
250124-ag75wssjak 1028-11-2024 02:19
241128-cr9sks1kht 1027-11-2024 21:08
241127-zyzyaawqgn 1027-11-2024 20:16
241127-y145caymbs 1027-11-2024 20:13
241127-yzlxdavlen 1027-11-2024 19:53
241127-yl61dsxpcs 1027-11-2024 19:38
241127-ycrjcaxkfx 1027-11-2024 19:03
241127-xqsswsslej 1027-11-2024 19:03
241127-xqf44aslcr 3General
-
Target
Downloaders.zip
-
Size
12KB
-
Sample
250124-br1z1asnhz
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Malware Config
Extracted
quasar
1.4.1
rat1
unitedrat.ddns.net:4782
5100ab61-a5a5-407f-af55-9e7766b9d637
-
encryption_key
AB7A97D9E0F9B0A44190A0D500EAB7AF37629802
-
install_name
System32.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
System32
-
subdirectory
System32
Extracted
njrat
im523
Client
127.0.0.1:2022
220fe34d4dcc4a99fe35d2fb7ce78939
-
reg_key
220fe34d4dcc4a99fe35d2fb7ce78939
-
splitter
|'|'|
Extracted
quasar
1.4.1
main-pc
192.168.100.2:4444
979e9520-ec25-48f6-8cd4-516d1007358f
-
encryption_key
6B74F0C858B7E90573D4E97997F2A082B9781250
-
install_name
main-pc.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Microsoft Service
-
subdirectory
SubDir
Extracted
xworm
147.185.221.22:47930
127.0.0.1:47930
127.0.0.1:6000
103.211.201.109:6000
-
Install_directory
%AppData%
-
install_file
svchost.exe
Extracted
stealc
QQkakaos
http://185.216.71.4
-
url_path
/feed7c30357659ed.php
Extracted
quasar
1.4.0
Target
127.0.0.1:6070
affasdqa.ddns.net:6070
haffasdqa.duckdns.org:6070
670d21b7-71ed-4958-9ba7-a58fa54d8203
-
encryption_key
25B2622CE0635F9A273AB61B1B7D7B94220AC509
-
install_name
svhoste.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svhoste
-
subdirectory
SubDir
Extracted
azorult
http://195.245.112.115/index.php
Extracted
quasar
1.4.1
RuntimeBroker
qrpn9be.localto.net:2810
fc5edab1-6e8f-4963-98aa-bd077e08750f
-
encryption_key
F749DCAC94A1FC3102D2B0CFBBFCB76086F86568
-
install_name
RuntimeBroker.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
RuntimeBroker
-
subdirectory
a7
Extracted
asyncrat
| CRACKED BY https://t.me/xworm_v2
SolaraFake
anyone-blogging.gl.at.ply.gg:22284
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
Windows.exe
-
install_folder
%Temp%
Extracted
quasar
1.4.1
Windows Client
148.163.102.170:4782
4c18e02c-7c39-4a5e-bbef-16fe13828101
-
encryption_key
73B0A3AC50C78E243EA93BF9E60C9BC63D63CA26
-
install_name
Sever Startup.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Startup
-
subdirectory
Windows Startup
Extracted
quasar
1.4.1
Office04
73.62.14.5:4782
192.168.1.79:4782
0.tcp.in.ngrok.io:14296
193.161.193.99:20466
3aaa11be-d135-4877-a61e-c409c29a7a60
-
encryption_key
BC9162791FD860195CF75664AE64885B64D5B5CE
-
install_name
Client1.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Startup
-
subdirectory
SubDir
Extracted
xworm
3.1
profile-indians.gl.at.ply.gg:39017
172.86.108.55:7771
-
Install_directory
%AppData%
-
install_file
USB.exe
Extracted
xworm
5.0
137.184.74.73:5000
WlO6Om8yfxIARVE4
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/7G6zzQwJ
Extracted
metasploit
windows/reverse_tcp
157.173.120.37:4444
140.238.122.17:1998
Extracted
remcos
RemoteHost
stopeet.camdvr.org:2404
amalar.camdvr.org:2404
prosir.casacam.net:2404
dash.3utilities.com:2404
dash1.3utilities.com:2404
dash2.ddns.net:2404
bash.mywire.org:2404
bash1.accesscam.org:2404
dash3.ddns.net:2404
dash4.ddns.net:2404
bash2.accesscam.org:2404
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
abj.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
b2bhdjdhbvduhdi3ed-F3Q5YI
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Extracted
njrat
0.7d
HacKed
hakim32.ddns.net:2000
0.tcp.eu.ngrok.io:16872
ef9410a92d1077d89c94b9208aa74f96
-
reg_key
ef9410a92d1077d89c94b9208aa74f96
-
splitter
|'|'|
Extracted
quasar
1.4.1
bot
wexos47815-61484.portmap.host:61484
06e2bb33-968c-4ca7-97dc-f23fbd5c3092
-
encryption_key
8924CB3C9515DA437A37F5AE598376261E5528FC
-
install_name
msinfo32.exe
-
log_directory
Update
-
reconnect_delay
3000
-
startup_key
Discordupdate
-
subdirectory
dll32
Extracted
quasar
1.4.1
VM-KU
adidya354-21806.portmap.host:21806
cf7c4d30-a326-47cc-a5f0-5a19aa014204
-
encryption_key
E50BC33BC56B70B1A2963DE6EA1855A0E0D0FBCE
-
install_name
Windows Shell Interactive.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Shell Interactive
Extracted
asyncrat
A 13
Default
163.172.125.253:333
AsyncMutex_555223
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
asyncrat
Esco Private rat
Default
93.123.109.39:4449
bcrikqwuktplgvg
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
quasar
1.4.1
ROBLOX EXECUTOR
192.168.50.1:4782
10.0.0.113:4782
LETSQOOO-62766.portmap.host:62766
89.10.178.51:4782
90faf922-159d-4166-b661-4ba16af8650e
-
encryption_key
FFEE70B90F5EBED6085600C989F1D6D56E2DEC26
-
install_name
windows 3543.exe
-
log_directory
roblox executor
-
reconnect_delay
3000
-
startup_key
windows background updater
-
subdirectory
windows updater
Extracted
quasar
1.3.0.0
School
gamwtonxristo.ddns.net:1717
QSR_MUTEX_M3Vba1npfJg3Ale25C
-
encryption_key
VtojWKM7f1XyCVdB41wL
-
install_name
comctl32.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Defender Startup Scan
-
subdirectory
Windows Defender
Extracted
asyncrat
0.5.8
Default
2.tcp.eu.ngrok.io:19695
gonq3XlXWgiz
-
delay
3
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Detect Xworm Payload
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Dharma family
-
Njrat family
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Async RAT payload
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (325) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
New Text Document mod.exe
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Detect Xworm Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Njrat family
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
UAC bypass
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Adds policy Run key to start application
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Indicator Removal
2File Deletion
2Modify Registry
6Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1