asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

4363463463464363463463463.zip
Size

4KB
Sample

250127-21scbsylht
MD5

cfc7f9845dbf6737f2f7984f4c506ad8
SHA1

8bf430e204e7531953bc03631c0ebf68412a063b
SHA256

8f56584766e1e447c0436b9f7ef4ac2ecd7424715feb08fc6d99e6c176217c81
SHA512

0ed3bc3abcfdd06769822f211a3497d4c77fa78dcd9704adb37a4b2b609cc5001ced23aa29e7c2bd1ce40e2c71b2807d22bc704cb01fe50acb9e3c7cefd828a9
SSDEEP

96:+WBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEvQ:+WBfwncSf8Cv3w9DZjKXjmBIKEvLs97f

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

interestingsigma.hopto.org:20

0.tcp.us-cal-1.ngrok.io:15579

Mutex

11bbf22e-826e-486b-b024-adbd86228a9e

Attributes

encryption_key
7A589EDBC6A581E125BF830EF0D05FC74BB75E30
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ctfmon
subdirectory
SubDir

Extracted

Family

rhadamanthys

https://185.196.11.237:9697/f002171ab05c7/9xqdctgg.ir1fr

Extracted

Family

xworm

Version

5.0

enter-sierra.gl.at.ply.gg:55389

Mutex

lzS6Ul7Mo5UcN6CR

Attributes

Install_directory
%AppData%
install_file
Wave.exe

aes.plain

Extracted

Family

metasploit

Version

windows/reverse_tcp

89.197.154.116:7810

Extracted

Family

quasar

Version

1.4.1

Botnet

botnet

165.227.31.192:22069

193.161.193.99:64425

193.161.193.99:60470

Mutex

713051d4-4ad4-4ad0-b2ed-4ddd8fe2349d

Attributes

encryption_key
684009117DF150EF232A2EE8AE172085964C1CF0
install_name
System.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Office
subdirectory
Winrar

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

38.240.58.195:6606

14.243.221.170:3322

0.tcp.in.ngrok.io:10147

Mutex

mndjZ3XYTW62

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

45.136.51.217:5173

82.117.243.110:5173

Mutex

QYKKiqqJ0K2HqPP0Mo

Attributes

encryption_key
rFGYI3uEIwvomle2u8mk
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Extracted

Family

stealc

Botnet

7140196255

http://83.217.209.11

Attributes

url_path
/fd2453cf4b7dd4a4.php

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

microsoftsys.ddns.net:4782

Mutex

67e0653d-eedf-4888-88ab-78e97eb2df27

Attributes

encryption_key
23E5F6D22FEE1750D36544A759A48349B064BC34
install_name
PerfWatson1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
KDOT

Extracted

Family

asyncrat

Version

Esco Private rat

Botnet

Default

93.123.109.39:4449

Mutex

bcrikqwuktplgvg

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  4363463463464363463463463.zip
- Size
  
  4KB
- MD5
  
  cfc7f9845dbf6737f2f7984f4c506ad8
- SHA1
  
  8bf430e204e7531953bc03631c0ebf68412a063b
- SHA256
  
  8f56584766e1e447c0436b9f7ef4ac2ecd7424715feb08fc6d99e6c176217c81
- SHA512
  
  0ed3bc3abcfdd06769822f211a3497d4c77fa78dcd9704adb37a4b2b609cc5001ced23aa29e7c2bd1ce40e2c71b2807d22bc704cb01fe50acb9e3c7cefd828a9
- SSDEEP
  
  96:+WBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEvQ:+WBfwncSf8Cv3w9DZjKXjmBIKEvLs97f
Score

10^/10

asyncrat metasploit netsupport quasar rhadamanthys stealc vidar xmrig xworm 7140196255 botnet default office office04 aspackv2 backdoor bootkit collection defense_evasion discovery execution miner persistence phishing privilege_escalation pyinstaller rat spyware stealer themida trojan upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Metasploit family
  metasploit
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Netsupport family
  netsupport
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Rhadamanthys family
  rhadamanthys
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- XMRig Miner payload
  miner
- Xmrig family
  xmrig
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Async RAT payload
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  defense_evasion
- Stops running service(s)
  defense_evasion execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- A potential corporate email address has been identified in the URL: [email protected]
  phishing
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Drops startup file
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Modifies file permissions
  discovery
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1