General
Target: Downloads.exe
Size: 30.1MB
Sample: 250401-ven98asvhw
MD5: 3624bd0bf249251bf3c192d5afd5bad6
SHA1: 26012719a8cee420458379a41fb996b6c07d333c
SHA256: 327f7f4160e91e315dda4e2262069dc59e5ac0f02597edff4745f411c5539a2b
SHA512: 6024ad15908b2e55fc67cb95492a1e19e87967ac112429cf3ddcccebe213709f48c9924830a11c8e7b14a99fbe685670439afae029fec57d946d30c4ff3c845a
SSDEEP: 786432:7KmFxGF3khP1kGYJh5WcR0SGnCP+RFYwrF08f3l3Dm:7KUGUPCJnWqDP+RFV3Vm
Static task: static1
Malware Config

Extracted: umbral
  webhook: https://discord.com/api/webhooks/1351636927945773187/88tTz3UMDAtPvvQfa85ceF1esIJl0H0ABXGF8SNnaWGzRAHp0WTPq4leWF6Dc8Bk4h30

Extracted: asyncrat
  version: 0.5.8
  botnet/group: Default
  c2: 197.48.105.157:5505
  c2: 41.233.14.164:5505
  c2: 197.48.230.161:5505
  c2: 102.41.58.213:5505
  mutex (unlabeled in the extraction): 8HHJTNFFqpYd
  delay: 3
  install: true
  install_file: svchost.exe
  install_folder: %AppData%

Extracted: quasar
  version: 1.4.1
  tag: Office04
  c2: 102.41.58.213:5505
  mutex (unlabeled in the extraction): f7a111eb-1714-492a-a8b6-f4b0e81e77e0
  encryption_key: 1F6CCF154B4C85A58D675CA9A482E9C7A041C879
  install_name: svchost.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: svchost
  subdirectory: SubDir
Targets

Target: Downloads.exe (30.1MB; sample and hashes identical to the General section above)

Signatures
- Asyncrat family
- Async RAT payload
- Umbral family
- Detect Umbral payload
- Quasar family
- Quasar payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Enumerates processes with tasklist
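The extracted configurations and the persistence signature above give a responder two things to hunt for: network contact with the AsyncRAT/Quasar C2 sockets (note that 102.41.58.213:5505 appears in both configs) or the Umbral Discord webhook, and a Run-key value named after Quasar's startup_key pointing at an "svchost.exe" under %AppData% (the real svchost.exe lives only under System32/SysWOW64). The script below is an added example, not part of the sandbox report or of any of the three malware projects. The config values are copied from the extraction on this page; the firewall/proxy lines and the registry export are constructed sample input. The webhook is matched on its full host and path rather than on the hostname, because discord.com is a legitimate service that cannot simply be blocked.

```python
"""Turn the extracted RAT configs into a network IOC match and a Run-key check.

Config values are copied from the sandbox extraction; the log lines and the
registry export are constructed sample input, not data from the analysed file.
"""
import re
from urllib.parse import urlparse

# Values exactly as extracted on the report page.
UMBRAL_WEBHOOK = (
    "https://discord.com/api/webhooks/1351636927945773187/"
    "88tTz3UMDAtPvvQfa85ceF1esIJl0H0ABXGF8SNnaWGzRAHp0WTPq4leWF6Dc8Bk4h30"
)
ASYNCRAT = {
    "c2": ["197.48.105.157:5505", "41.233.14.164:5505",
           "197.48.230.161:5505", "102.41.58.213:5505"],
    "install_file": "svchost.exe",
    "install_folder": "%AppData%",
}
QUASAR = {
    "c2": ["102.41.58.213:5505"],
    "install_name": "svchost.exe",
    "startup_key": "svchost",
    "subdirectory": "SubDir",
}
_WEBHOOK = urlparse(UMBRAL_WEBHOOK)


def c2_endpoints():
    """Union of the AsyncRAT and Quasar C2 socket addresses, deduplicated."""
    return set(ASYNCRAT["c2"]) | set(QUASAR["c2"])


def c2_hosts():
    """Bare IPs, for DNS/netflow matching where the port is not logged."""
    return {ep.split(":")[0] for ep in c2_endpoints()}


# Constructed sample: 'timestamp source destination' where destination is
# either 'ip:port' (firewall) or a full URL (proxy).
SAMPLE_NET = [
    "2025-04-01T10:00:01Z 10.0.0.5 142.250.74.78:443",
    "2025-04-01T10:00:02Z 10.0.0.5 102.41.58.213:5505",
    "2025-04-01T10:00:03Z 10.0.0.5 https://discord.com/api/v9/gateway",
    "2025-04-01T10:00:04Z 10.0.0.5 " + UMBRAL_WEBHOOK,
    "2025-04-01T10:00:05Z 10.0.0.7 41.233.14.164:5505",
]


def match_network_events(lines):
    """Return (ts, src, kind, target) for lines hitting a C2 or the webhook."""
    hits = []
    endpoints = c2_endpoints()
    for line in lines:
        ts, src, target = line.split(maxsplit=2)
        if target in endpoints:
            hits.append((ts, src, "rat-c2", target))
            continue
        u = urlparse(target)
        # Match host and path only, so query strings or casing don't hide it.
        if u.netloc.lower() == _WEBHOOK.netloc.lower() and u.path == _WEBHOOK.path:
            hits.append((ts, src, "umbral-webhook", target))
    return hits


# Constructed .reg export of HKCU Run (backslashes doubled, as regedit writes).
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"svchost"="C:\\Users\\alice\\AppData\\Roaming\\SubDir\\svchost.exe"
"""
_RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def suspicious_run_values(reg_export):
    """Flag Run values named like startup_key or running an install_file
    from under AppData. Returns (value_name, exe_path, reasons)."""
    findings = []
    in_run = False
    install_names = {ASYNCRAT["install_file"].lower(), QUASAR["install_name"].lower()}
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line.lower().endswith("\\currentversion\\run]")
            continue
        m = _RUN_VALUE.match(line) if in_run else None
        if not m:
            continue
        name = m.group("name")
        # Undo .reg escaping; take the first token as the executable path
        # (good enough for the constructed sample, not for paths with spaces).
        exe = m.group("value").replace("\\\\", "\\").split(" ")[0]
        folder, _, basename = exe.rpartition("\\")
        reasons = []
        if name.lower() == QUASAR["startup_key"].lower():
            reasons.append("startup_key")
        if basename.lower() in install_names and "\\appdata\\" in folder.lower() + "\\":
            reasons.append("install_file")
        if reasons:
            findings.append((name, exe, reasons))
    return findings


if __name__ == "__main__":
    for hit in match_network_events(SAMPLE_NET):
        print("network:", hit)
    for finding in suspicious_run_values(REG_SAMPLE):
        print("run key:", finding)
```

Against the constructed input this reports the two C2 connections and the webhook POST while ignoring the ordinary discord.com gateway call, and flags the "svchost" Run value on both counts while leaving the legitimate OneDrive entry alone. On a real host, pair the Run-key check with the "Drops file in System32 directory" and scheduled-task signatures above, since the sample persists through more than one mechanism.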
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter: PowerShell (T1059.001)
- Scheduled Task/Job: Scheduled Task (T1053.005)

Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
- Scheduled Task/Job: Scheduled Task (T1053.005)

Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
- Scheduled Task/Job: Scheduled Task (T1053.005)

Credential Access
- Credentials from Password Stores: Credentials from Web Browsers (T1555.003)
- Unsecured Credentials: Credentials In Files (T1552.001)