asyncrat

Target

Downloaders.zip
Size

12KB
Sample

250205-gabxfatmcq
MD5

94fe78dc42e3403d06477f995770733c
SHA1

ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512

add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP

384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

microsoftsys.ddns.net:4782

Mutex

67e0653d-eedf-4888-88ab-78e97eb2df27

Attributes

encryption_key
23E5F6D22FEE1750D36544A759A48349B064BC34
install_name
PerfWatson1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
KDOT

Extracted

Family

quasar

Version

1.4.1

Botnet

Test

193.161.193.99:35184

67.205.154.243:35184

Mutex

9cabbafb-503b-49f1-ab22-adc756455c10

Attributes

encryption_key
8B93C77AC1C58EA80A3327E9FD26246A79EF3B8E
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
MS Build Tools
subdirectory
Microsoft-Build-Tools

Extracted

Family

quasar

Version

1.4.1

Botnet

Sigorta

0.0.0.0:7777

13.48.129.198:7777

172.31.0.240:7777

Mutex

3b0592fc-14a1-4b8e-9803-69284ea2b6d2

Attributes

encryption_key
E0BB4B221F7AADA73B9059B33A3CFF096A518413
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

vidar

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Extracted

Family

redline

Botnet

letsgo

45.67.231.189:29738

Attributes

auth_value
3ad9a91465fa623a2f1ebd7f46ad2e47

Extracted

Family

asyncrat

Version

AsyncRAT

Botnet

test

otrodia8912.gleeze.com:3333

Mutex

123

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

18.ip.gl.ply.gg:6606

18.ip.gl.ply.gg:7707

18.ip.gl.ply.gg:8808

18.ip.gl.ply.gg:9028

0.tcp.in.ngrok.io:18220

Mutex

HyFTucy74RnH

Attributes

delay
3
install
true
install_file
Discord.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

news

45.144.28.250:26912

Attributes

auth_value
e61921786ce9e1a6b356c82b24803f6d

Extracted

Family

xworm

45.141.26.234:7000

0.tcp.in.ngrok.io:15792

91.92.249.37:9049

Attributes

Install_directory
%ProgramData%
install_file
Java Update(32bit).exe

aes.plain

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

45.87.154.103:4782

45.87.154.103:5552

Mutex

xPl9J65qwy6F7knuP1

Attributes

encryption_key
4LFQYlAO6OyQ4AmLb0N7
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Extracted

Family

asyncrat

Botnet

Default

technical-southwest.gl.at.ply.gg:58694

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

sigorta

18.198.25.148:1604

Mutex

af7e773d-541a-46fd-87d3-06bb0a26aab9

Attributes

encryption_key
D306945220105109C86E6E257D749CE885E76091
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

bot

wexos47815-61484.portmap.host:61484

Mutex

06e2bb33-968c-4ca7-97dc-f23fbd5c3092

Attributes

encryption_key
8924CB3C9515DA437A37F5AE598376261E5528FC
install_name
msinfo32.exe
log_directory
Update
reconnect_delay
3000
startup_key
Discordupdate
subdirectory
dll32

Extracted

Family

xworm

Version

5.0

me-work.com:7008

Mutex

6WiNy50p5NrI46Pe

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  Downloaders.zip
- Size
  
  12KB
- MD5
  
  94fe78dc42e3403d06477f995770733c
- SHA1
  
  ea6ba4a14bab2a976d62ea7ddd4940ec90560586
- SHA256
  
  16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
- SHA512
  
  add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
- SSDEEP
  
  384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Score

10^/10

asyncrat azorult nanocore quasar redline vidar xworm bot default letsgo news office office04 sigorta test bootkit defense_evasion discovery execution infostealer keylogger persistence privilege_escalation pyinstaller rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Azorult family
  azorult
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- Modifies WinLogon for persistence
  persistence
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Async RAT payload
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Looks for VirtualBox Guest Additions in registry
  defense_evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Looks for VMWare Tools registry key
  defense_evasion
- Modifies Windows Firewall
  defense_evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Sets service image path in registry
  persistence
- Stops running service(s)
  defense_evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1