General

  • Target

    2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom

  • Size

    30.0MB

  • Sample

    250331-haq7ssvsbz

  • MD5

    1828b02b97d21e257f5f31fba43c92e9

  • SHA1

    35d8309d87dc1abab6f1c808f5753960cdc50c04

  • SHA256

    dd68a4a8e4d269d9a785c02a5c8c65813007f8a0c2762a06e9069ff7f77739b0

  • SHA512

    36370eaaf8af10fce118e929d12f21287ba1e2d8d777d09b2e5041cb1dd9ebce254935354f15a39b12f008c92ca29dc4a9e78992f26dc4b5d04a31104daa0a1c

  • SSDEEP

    786432:imFxGF3khP1kGYJh5WcR0SGnCP+BuTAzEyI4EETn:iUGUPCJnWqDP+3f3j

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

197.48.105.157:5505

41.233.14.164:5505

197.48.230.161:5505

102.41.58.213:5505

Mutex

q0nJ1vo1fsSD

Attributes
  • delay

    3

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain
1
x5ZeweKx3z9MHp2LuBysnAxIgfi2boyf

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

102.41.58.213:5505

Mutex

1e97a2db-0622-4c39-84ac-2f640c70aaf5

Attributes
  • encryption_key

    1F6CCF154B4C85A58D675CA9A482E9C7A041C879

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchost

  • subdirectory

    SubDir

Targets

    • Target

      2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom

    • Size

      30.0MB

    • MD5

      1828b02b97d21e257f5f31fba43c92e9

    • SHA1

      35d8309d87dc1abab6f1c808f5753960cdc50c04

    • SHA256

      dd68a4a8e4d269d9a785c02a5c8c65813007f8a0c2762a06e9069ff7f77739b0

    • SHA512

      36370eaaf8af10fce118e929d12f21287ba1e2d8d777d09b2e5041cb1dd9ebce254935354f15a39b12f008c92ca29dc4a9e78992f26dc4b5d04a31104daa0a1c

    • SSDEEP

      786432:imFxGF3khP1kGYJh5WcR0SGnCP+BuTAzEyI4EETn:iUGUPCJnWqDP+3f3j

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Async RAT payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks
