General
-
Target
2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom
-
Size
30.0MB
-
Sample
250331-haq7ssvsbz
-
MD5
1828b02b97d21e257f5f31fba43c92e9
-
SHA1
35d8309d87dc1abab6f1c808f5753960cdc50c04
-
SHA256
dd68a4a8e4d269d9a785c02a5c8c65813007f8a0c2762a06e9069ff7f77739b0
-
SHA512
36370eaaf8af10fce118e929d12f21287ba1e2d8d777d09b2e5041cb1dd9ebce254935354f15a39b12f008c92ca29dc4a9e78992f26dc4b5d04a31104daa0a1c
-
SSDEEP
786432:imFxGF3khP1kGYJh5WcR0SGnCP+BuTAzEyI4EETn:iUGUPCJnWqDP+3f3j
Malware Config
Extracted
asyncrat
0.5.8
Default
197.48.105.157:5505
41.233.14.164:5505
197.48.230.161:5505
102.41.58.213:5505
q0nJ1vo1fsSD
-
delay
3
-
install
true
-
install_file
svchost.exe
-
install_folder
%AppData%
Extracted
quasar
1.4.1
Office04
102.41.58.213:5505
1e97a2db-0622-4c39-84ac-2f640c70aaf5
-
encryption_key
1F6CCF154B4C85A58D675CA9A482E9C7A041C879
-
install_name
svchost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svchost
-
subdirectory
SubDir
Targets
-
-
Target
2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom
-
Size
30.0MB
-
MD5
1828b02b97d21e257f5f31fba43c92e9
-
SHA1
35d8309d87dc1abab6f1c808f5753960cdc50c04
-
SHA256
dd68a4a8e4d269d9a785c02a5c8c65813007f8a0c2762a06e9069ff7f77739b0
-
SHA512
36370eaaf8af10fce118e929d12f21287ba1e2d8d777d09b2e5041cb1dd9ebce254935354f15a39b12f008c92ca29dc4a9e78992f26dc4b5d04a31104daa0a1c
-
SSDEEP
786432:imFxGF3khP1kGYJh5WcR0SGnCP+BuTAzEyI4EETn:iUGUPCJnWqDP+3f3j
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Async RAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1