Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    4363463463464363463463463.exe

  • Size

    10KB

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

  Score

  10^/10

  quasaroffice04discoveryspywaretrojanupxasyncratinfinitylockdefaultsgvpransomwareratdcratvidarb1d953ef7170b7533c12ec48f4e2dfdckysdefense_evasioninfostealerpersistenceprivilege_escalationpyinstallerstealer

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Asyncrat family

    asyncrat

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat

  • Dcrat family

    dcrat

  • Detect Vidar Stealer

    stealer

  • InfinityLock Ransomware

    Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.

    ransomwareinfinitylock

  • Infinitylock family

    infinitylock

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar

  • Quasar family

    quasar

  • Quasar payload

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar family

    vidar

  • Async RAT payload

    rat

  • Adds policy Run key to start application

    persistence

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Obfuscated Files or Information: Command Obfuscation

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2behavioral3