Overview

overview

10

Static

static

3

Downloads.exe

windows7-x64

10

Downloads.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Downloads.exe

  • Size

    11.1MB

  • Sample

    250331-cgl9jatmz6

  • MD5

    03443b92e798c949af90c1afc59be60b

  • SHA1

    a860455aa51306f6563ec1091db8bbebb1afc672

  • SHA256

    da88e9a029e6335e992a131cd0e4cc60c28a3cdad23d628d54db770ee694ace5

  • SHA512

    eaf0ff832c28c06d413e6200538f4f3d264c919850eee72a9f9cccd3480a07aeff0ae8bc2d00af8ab66924707e7aca8cf0c237ca2e157478271ef5d68d9764b3

  • SSDEEP

    196608:zzXuVy7rxVoq0Rw3b/kiZOjI5oiYwrFdF8jr1N6NforhRiVtl7X/LDouPs1sjPPZ:eopVofYjxFYwrFdFK1N8fo2VL7vLDQqZ

Score
10/10
asyncratquasarumbralxmrigdefaultoffice04discoveryexecutionminerratspywarestealertrojanupx

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

197.48.105.157:5505

41.233.14.164:5505

197.48.230.161:5505

102.41.58.213:5505
Mutex

RW4mawavalFO

Attributes
  • delay

    3

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

102.41.58.213:5505

Mutex

1e97a2db-0622-4c39-84ac-2f640c70aaf5

Attributes
  • encryption_key

    1F6CCF154B4C85A58D675CA9A482E9C7A041C879

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchost

  • subdirectory

    SubDir

Targets

    • Target

      Downloads.exe

    • Size

      11.1MB

    • MD5

      03443b92e798c949af90c1afc59be60b

    • SHA1

      a860455aa51306f6563ec1091db8bbebb1afc672

    • SHA256

      da88e9a029e6335e992a131cd0e4cc60c28a3cdad23d628d54db770ee694ace5

    • SHA512

      eaf0ff832c28c06d413e6200538f4f3d264c919850eee72a9f9cccd3480a07aeff0ae8bc2d00af8ab66924707e7aca8cf0c237ca2e157478271ef5d68d9764b3

    • SSDEEP

      196608:zzXuVy7rxVoq0Rw3b/kiZOjI5oiYwrFdF8jr1N6NforhRiVtl7X/LDouPs1sjPPZ:eopVofYjxFYwrFdFK1N8fo2VL7vLDQqZ

    Score
    10/10
    asyncratquasarumbralxmrigdefaultoffice04discoveryminerratspywarestealertrojanupxexecution

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Umbral payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Umbral family

      umbral

    • XMRig Miner payload

      miner

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Async RAT payload

      rat

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks