asyncrat

Target

New Text Document.exe.zip
Size

1KB
Sample

250127-2gt2taxpgv
MD5

0206983f12db26f622bbe73b165f126f
SHA1

e71f9fc602245a337f728e27917b0b716d3828f9
SHA256

6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128
SHA512

296372c60204ead1709a556001fd2a932e98814d30b42771beb19cc1298f92f3823372a83c1752f49f8073ea238e60f4c5e270a85b6dba2821621e68fd6f5cfc

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

PrudaBackend

45.131.108.110:4782

Mutex

8f8e6059-ac4f-4e47-8d62-3ce070083ecf

Attributes

encryption_key
D82EC4913FC5B28DDFF5AC48635D190A9342C6BD
install_name
update.exe
log_directory
Logs
reconnect_delay
2500
startup_key
Runtime Broker.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

powerstealer

192.168.56.1:4782

Mutex

6760d0e9-9df9-4aba-89be-4e5ce3e92cc8

Attributes

encryption_key
057FCAF700E62ACFECC7338C474084AF9B47ABEB
install_name
powerstealer.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

vidar

https://t.me/sc1phell

https://steamcommunity.com/profiles/76561199819539662

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

100.108.37.105:4444

127.0.0.1:4444

Mutex

95a85978-c10d-4a09-935b-c02a2a18a609

Attributes

encryption_key
6FDAA03D192B9C03BF83E41A8BBF78996D321E27
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

xworm

45.141.26.234:7000

Attributes

Install_directory
%ProgramData%
install_file
Java Update(32bit).exe

Extracted

Family

smokeloader

Version

2017

http://dogewareservice.ru/

Extracted

Family

xworm

Version

3.1

Mutex

h5HhCg9MKR6vgFJb

Attributes

Install_directory
%AppData%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/djZsmRNC

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Program

tuna91.duckdns.org:1604

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
system.exe
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

Mutex

WlO6Om8yfxIARVE4

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/7G6zzQwJ

aes.plain

Extracted

Family

lumma

https://toppyneedus.biz/api

Targets

- Target
  
  New Text Document.exe.zip
- Size
  
  1KB
- MD5
  
  0206983f12db26f622bbe73b165f126f
- SHA1
  
  e71f9fc602245a337f728e27917b0b716d3828f9
- SHA256
  
  6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128
- SHA512
  
  296372c60204ead1709a556001fd2a932e98814d30b42771beb19cc1298f92f3823372a83c1752f49f8073ea238e60f4c5e270a85b6dba2821621e68fd6f5cfc
Score

10^/10

asyncrat dcrat lumma quasar smokeloader vidar xworm office04 powerstealer prudabackend system program backdoor defense_evasion discovery execution infostealer persistence phishing privilege_escalation rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- UAC bypass
  defense_evasion trojan
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Async RAT payload
  rat
- Adds policy Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Disables Task Manager via registry modification
  defense_evasion
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- A potential corporate email address has been identified in the URL: [email protected]
  phishing
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2