asyncrat

Resubmissions

14/04/2025, 07:51

250414-jp1kfssjz9 10

14/04/2025, 07:46

250414-jl9nyssjt9 10

08/04/2025, 15:58

250408-tevasswl18 10

08/04/2025, 14:19

250408-rm2nqsvqw2 10

Sharing

Copy URL

Twitter E-mail

General

Target

archive_61.zip
Size

23.2MB
Sample

250408-rm2nqsvqw2
MD5

bf90b2e0b88eb02563c013b903940fc4
SHA1

cc5c0ff87124055c185058a285a331f5da792a6e
SHA256

4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760
SHA512

c36291747e8f802a94f4668893a387e9e560522d2c26f3c42add65e0b052693c7ed2c26cc9eee3cbbbbae00acc95d95c546b5c918810f170c7dde36f0858b280
SSDEEP

393216:ksNpRraBaHxVlDA8WOrT/n6aXpsxXdXZusNp0FpE5yhuAs7P6RsBC6hSyOMDv2:NlE8WOH//yxNpT0FpE5yQ37P6u86hLBy

Malware Config

Extracted

Family

asyncrat

Version

| nelsontriana980

Botnet

Default

pctrabajonuevo.casacam.net:6606

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

nanocore

Version

1.2.2.0

reftel.ddns.net:54984

127.0.0.1:54984

Mutex

11b132f1-b2d5-4bf6-9166-34aaf514d89a

Attributes

activate_away_mode
false
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-03-27T18:14:14.261066736Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
11b132f1-b2d5-4bf6-9166-34aaf514d89a
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
reftel.ddns.net
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

mooonskj.ddns.net:5552

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

im523

Botnet

HacKed

holyfuckingshit.zapto.org:1188

Mutex

dbaa10daaecc50e5048d51ecb95a01dd

Attributes

reg_key
dbaa10daaecc50e5048d51ecb95a01dd
splitter
|'|'|

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

127.0.0.1:4782

Mutex

64815557-7ace-4e24-8254-b4bfa76c68d0

Attributes

encryption_key
4C4CF51A01784F79888EFBAF8D36D0C89B0CFD16
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Boy12345#

Extracted

Family

latentbot

holyfuckingshit.zapto.org

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

snakekeylogger

https://api.telegram.org/bot7810553983:AAF3uNmTjPchWZALCr5hfHzaUc2KfKr7BrQ/sendMessage?chat_id=8164035448

Extracted

Family

asyncrat

Version

0.4.9G

corporation.warzonedns.com:9341

Mutex

480-28105c055659

Attributes

delay
0
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  f5ae5532f18462594d061ae3bdf732b5.exe
- Size
  
  2.0MB
- MD5
  
  f5ae5532f18462594d061ae3bdf732b5
- SHA1
  
  6461c47fabfa10d49f4c87c1e7685b81a2a402be
- SHA256
  
  afc02ea81470653fdfdfa402a5a8718a48617cefdfd811e95b9d0350b8bc9910
- SHA512
  
  81bde60db899576ff3be441021c522e3e14e89c019122fb2fbd4b9647adf19ef7a1f5059dd1b13ca58cc869b8c367bdec7bde3fc1c4729c7fdcb9b402a26c26c
- SSDEEP
  
  49152:TrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:TdxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral1
- Target
  
  f5cb51ffdb87e6d78da4a60b2a83a2c0.exe
- Size
  
  271KB
- MD5
  
  f5cb51ffdb87e6d78da4a60b2a83a2c0
- SHA1
  
  f707cebf3b837c0f5b7724f125a5eb5acf622e6b
- SHA256
  
  cc18af46043434e99591546067f4ac5c031656cc3493d80396c4eb461e2d6cc9
- SHA512
  
  883970f6caecb15195108d25014a5faeaf2a1ce3a0c3f888da7d51bee3ad57f95abdf55a14748e25af39d0697fab6c1ad9fd5958efc2cc14ea279e099baf0610
- SSDEEP
  
  3072:7aaXQh1zKfB0OZpbsxFqc9pI9sjBO1z+5X0uuMmk9b+3ZrQE8Ne5oKk3XsXMSrZS:7aaXMzUmOZoqEIaNOyEObyQEJ5o5eM
Score

10^/10

quasar discovery persistence spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral2
- Target
  
  f5ed1274646abc95fd8b87f43adcadbc.exe
- Size
  
  66KB
- MD5
  
  f5ed1274646abc95fd8b87f43adcadbc
- SHA1
  
  bdc83157a77066f75ae2285455428bdb95246f00
- SHA256
  
  dfc5e3435f8ce62c4ba623753f1e15d0311547b9c0276d34b4736f640be26330
- SHA512
  
  c8616cf6f6c586d3f9b99360ccc3243fc8708a91d7e0fd9df91bcaf644022a60c9c2529c5cd648a5fb5ea6c635c2c922e6ad90ae3741d304b533f139cd2554b3
- SSDEEP
  
  1536:a2wukvF1ak9gcKu5UYFwKMkb7UApZrPlTGZx:a2dkvF1ak9Ku5UYFwdkb7Bdax
Score

10^/10

asyncrat default discovery rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
behavioral3
- Target
  
  f62837f3bc66012b94d74cc471f3d97a.exe
- Size
  
  625KB
- MD5
  
  f62837f3bc66012b94d74cc471f3d97a
- SHA1
  
  9fa01c1c57bb1ec604771a796b4c36352552516f
- SHA256
  
  6831200eb1173e4bf699042b7b2e63e3582490981a55b20671724bb60cb0faa9
- SHA512
  
  de95cd3184e9f9d6931db60a6edd6e986eba3ae0c2e6308e65808aa6fbefd4d00f0d38a4305dc307d0217acdfe8fad165adf7a39d6f553eb53ff81abbb147b6a
- SSDEEP
  
  12288:jQn+P/KKZA6B0Ndprctmm0+xFLnLsoc/8uHlHXob3:W+P/0UWdomC/LnLsoc0uHdX
Score

10^/10

snakekeylogger collection discovery execution keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Snakekeylogger family
  snakekeylogger
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral4
- Target
  
  f628fa20e85aaf1cc562cfd512392d3d12da2ef70adc31068f1e3d7f2b0a4f3b.exe
- Size
  
  273KB
- MD5
  
  3ef5f71fdec671a56a286ea1866bb640
- SHA1
  
  04e90d67cfb7cb470ea9e6d48f4fc765b0ddb472
- SHA256
  
  f628fa20e85aaf1cc562cfd512392d3d12da2ef70adc31068f1e3d7f2b0a4f3b
- SHA512
  
  5e724aef6ad8258cf23363911fb74780ff9b6cd469c0ba478d72de2d86b295ed63901e89a0a05466b2c9a7925244f6b02aef3ab9d06f325a1301eb3aedd431d2
- SSDEEP
  
  3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/s8sdT/u:WFzDqa86hV6uRRqX1evPlwAEdS
Score

10^/10

asyncrat discovery persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral5
- Target
  
  f640f01e808f31a32d455a827fd646d5faf2a452b47833597990ffe9a6597ac5.exe
- Size
  
  373KB
- MD5
  
  1390a05960fe6acd3fd25279513346f0
- SHA1
  
  c65393f72d9e00c770ba3ef393701bc87e13b938
- SHA256
  
  f640f01e808f31a32d455a827fd646d5faf2a452b47833597990ffe9a6597ac5
- SHA512
  
  90c3d8d61687e3bccd9e6e15f6c5f3db6770471878b452f9a11874ea70391eac5639424fd3f4a03de7729d642355fb2e6e0c4e65e3e4765cb76111a7b2de5bcc
- SSDEEP
  
  6144:tyMIULPy/x3xUArN62f7GU7njrbma/3LaQURrM2TuP6zJcW:XDy/xhUAtf7tjrbma7OJxuSzp
Score

7^/10

discovery persistence
- Executes dropped EXE
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
behavioral6
- Target
  
  f66fa3036e662d8f7ccce8795fb8b907.exe
- Size
  
  154KB
- MD5
  
  f66fa3036e662d8f7ccce8795fb8b907
- SHA1
  
  6685873421123f46a8762802b835e2556ad8e5aa
- SHA256
  
  ada4cebb65e8b8b58ecee2c799394b5bad8fa4ebfd3ee7cf8f88c54b93e91b86
- SHA512
  
  49be39d868ab2f268230222e12fbff79ee561641c1b61becba21909a0bb0ce45acae75d55a238c8940484c3b2cf57547105de9247ff5bc9b9af8675cf8eedaff
- SSDEEP
  
  1536:2mZmg5zb02q/t6jOFvDO7slsF9PS24s+lSmSWQWOxzlAuT2oLkC1N5UbsGt3kcmF:JZmCb6ROF96zMq1yLAHtUcmKyN
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral7
- Target
  
  f68f044685639be03fd992bcb711c098d22b6d0f0043638768c726bf96049950.exe
- Size
  
  3.0MB
- MD5
  
  4d16429b31b10c20f707cd5289b2466c
- SHA1
  
  2d81797a275a1e4810e8c9d3c32ffca17adffc76
- SHA256
  
  f68f044685639be03fd992bcb711c098d22b6d0f0043638768c726bf96049950
- SHA512
  
  e69fa3608df519e26d5878f95c29132992e4c1a6744905d2256912d7c40aab11fe903575734a8952791d5898570c634e969b26a62b21bf978acac5878d9615d9
- SSDEEP
  
  49152:NMHHrIxRWPc3wDlRo4LZpsqDXUDBvFHOxoYj80VmXvqvIGg:N4H2RWPc3QlRzLTFDX6VFHOxjj89XvCy
Score

3^/10

discovery
behavioral8
- Target
  
  f6ac1ea5c19284854998f25244a12f25.exe
- Size
  
  654KB
- MD5
  
  f6ac1ea5c19284854998f25244a12f25
- SHA1
  
  99fbd0be6020def40eedb33c453c9e516d39ddb4
- SHA256
  
  10478f3361a6cdb5ce48bf9490ea60505e90ef4f9649973ca35bdcf43af1f4b9
- SHA512
  
  b2415c9af9284eebc053ef56c82ad15043b713d38c6fca1cabdbeff0d726f9f956bf56655c60f0d6ec95ef5150e50da1a539cbef5502dd032399721a545badda
- SSDEEP
  
  12288:slGjIbKjk/x78IANpdqAUJeBrwwsRpIFgVXC0xi8/+b7LegZSv:uGcbKj+d0dzAZVXObfeoG
Score

8^/10

execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral9
- Target
  
  f6b79788476c3806befcdd2dead8231a.exe
- Size
  
  506KB
- MD5
  
  f6b79788476c3806befcdd2dead8231a
- SHA1
  
  56eba5da31c728dc287435a555e527b1a27cae37
- SHA256
  
  9c798b5cf50fd400ce59355b91a741ab5ccfcffdaedc50815981fa280f4776a9
- SHA512
  
  f46f9b568f3d0cb6b4e799a68a3d7defd4e35cbf3df59840d05e575e8580a0cd8e95a497b5f5b272c21fe4105264272d4b58c8bec211597bbcf2de099eab49f3
- SSDEEP
  
  1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral10
- Target
  
  f6e297800457d823c0597e833d555135.exe
- Size
  
  78KB
- MD5
  
  f6e297800457d823c0597e833d555135
- SHA1
  
  bef99c4a2e1ad4c2c478f156089158cbc624f7d2
- SHA256
  
  da2a754ce56ec13af9f429d5dcd20ff88aadc429a1b0a74d68f217f87e31b42f
- SHA512
  
  69ae7dc2898887531ef8faa9740d56e6e40af3d0bafca4f2c78e4e4a37a643afa731985d9fbb9792ea61fd61927d043356a418be09b5ad1b48c73aec81af1790
- SSDEEP
  
  1536:7V5jSYLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtt6H9/0V1aj:7V5jS+E2EwR4uY41HyvYg9/0g
Score

10^/10

metamorpherrat discovery persistence rat stealer trojan
- MetamorpherRAT
  Metamorpherrat is a hacking tool that has been around for a while since 2013.
  trojan rat stealer metamorpherrat
- Metamorpherrat family
  metamorpherrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral11
- Target
  
  f721adec82fb8994517719b69e8aa337d4619879e64cbd2fd80fc4e190e22c71.exe
- Size
  
  859KB
- MD5
  
  b45837ebf5cd2f6e63284b8a8aa5a3f3
- SHA1
  
  fdf773448014f4c1453ee9e481e7c617cced06d7
- SHA256
  
  f721adec82fb8994517719b69e8aa337d4619879e64cbd2fd80fc4e190e22c71
- SHA512
  
  bdddd11c45e3c811ebdd23b1f9f490b2a59203f7a13b4caee9367946238144dd6812d55eef399cad9815b87f4b5a61e4d3018c6d9d7528a2493404e8a42c3c1f
- SSDEEP
  
  6144:NtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rT7a:P6u7+487IFjvelQypyfy7T7a
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral12
- Target
  
  f736c152b3d1812f1142ed0da99e0ac8.exe
- Size
  
  5.9MB
- MD5
  
  f736c152b3d1812f1142ed0da99e0ac8
- SHA1
  
  5df819dd9a3c73b64b33950ecfac1c690fa0f03d
- SHA256
  
  78acaa343a31b3474452e4deb58753f16b72e9ba9ec2f537fd7d7431f699c246
- SHA512
  
  a3b30acae19dfcb40089e64bab3dae770b1f26d0de54c90a288a280f06a7656cf1739304b1eae8b0d7c12f1bdcd81780bb6499770e255d37a940dc138496b041
- SSDEEP
  
  98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4X:hyeU11Rvqmu8TWKnF6N/1wC
Score

10^/10

dcrat defense_evasion execution infostealer rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral13
- Target
  
  f780377dd90d33c8280734d882fc2ac9.exe
- Size
  
  12KB
- MD5
  
  f780377dd90d33c8280734d882fc2ac9
- SHA1
  
  2ca8e1e97f1d9893389ea6f7505fe7c24924b387
- SHA256
  
  d44c91defb81890cb0045d3a612485a4db65c1f4e52ce405efa453b8a07229e7
- SHA512
  
  ffa397cbe485bef45d52cbe19527bd7e16d5fe3847e80844dbb45fe96effefb8f0c3cfdcfa9d164786a063d6bc74a38c99ec2bab132b3841caaefb72b26be643
- SSDEEP
  
  384:SL7li/2zcq2DcEQvdfcJKLTp/NK9xa4f:MYMZQ9c4f
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Uses the VBS compiler for execution
behavioral14
- Target
  
  f7a96bf0830c5f7513d65086e0f7eb6679565b6ffdc6d1e325ee21303b38fec8.exe
- Size
  
  16.3MB
- MD5
  
  d32fe3fb50984221124e7fff0ac80a1a
- SHA1
  
  471d011cd362c6b27c2b5e8a031fe012a112a793
- SHA256
  
  f7a96bf0830c5f7513d65086e0f7eb6679565b6ffdc6d1e325ee21303b38fec8
- SHA512
  
  1168ce8efa4050bc761b7665c88dc19c74f3228ff1e5a4431091cde297ce962802d6010158f2be9b81812ea2a6bcaf85829106383fb1467efbde8ee177ec75b0
- SSDEEP
  
  6144:l0WD+E+QaLl/ymeKHhhkJgOY1/9qz9I3/BNmYEBbsJJutJOp:qVOOkJg3lOk/rm9+Ju/
Score

1^/10
behavioral15
- Target
  
  f812ad48d0a6d53611389e30fd8ae9f80a245fe3360b52dc833f6bf7b7b7859b.exe
- Size
  
  135KB
- MD5
  
  5269f6855d30bdd88ba0d88453c8e722
- SHA1
  
  d87ffc99e105315bebfef48296f6b0e6e87ae5cf
- SHA256
  
  f812ad48d0a6d53611389e30fd8ae9f80a245fe3360b52dc833f6bf7b7b7859b
- SHA512
  
  7ab21f5e7d7fd6bb2149b80582bc50711941bce8128c26d48710c8e9a60d3eff153ab3f39696451b1a946da052b3dd2a4de444b9bb9e6bdb884bcbe03f654819
- SSDEEP
  
  1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjKE:xPd4n/M+WLcilrpgGH/GwY87mVmIXU
Score

7^/10

discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral16
- Target
  
  f8173be0fb3bebc0120e2cb017eb9922adebbb430734d0363e2d38e28ee47ea4.exe
- Size
  
  551KB
- MD5
  
  1ac86e8c4255955942b4edb5a8acb787
- SHA1
  
  fe54e3650b28e546955ae62eff32c87c5d3c482d
- SHA256
  
  f8173be0fb3bebc0120e2cb017eb9922adebbb430734d0363e2d38e28ee47ea4
- SHA512
  
  0cf48a59624c10566b282b202bc2f8c02e400eea4178ee6e7b0d17c76d2fa87c974a0d19fec41b0547b65b124e68f8d65b39c82a5033cb58ca3daabc282497f6
- SSDEEP
  
  12288:6vqwgObFPVle870XxdD2ndNDXBCx/OJb:6vKBXxdD2dNDXBCx/
Score

1^/10
behavioral17
- Target
  
  f835ddaf4933c7bd4a3aa1f015442bb48b69f863f467dd8d1db09e6f2a427fd7.exe
- Size
  
  203KB
- MD5
  
  78be6e34e084a276a492dca4ab0c244b
- SHA1
  
  ed34261034f95ea92460e82d0af35ffabf6ba7ec
- SHA256
  
  f835ddaf4933c7bd4a3aa1f015442bb48b69f863f467dd8d1db09e6f2a427fd7
- SHA512
  
  298d5bc97c6c47c81bb5eec2985276e078739971ccaebafbb3c289f55daaabb9d3a871682b40caa5fc499635e892be93f51062aa1b903a41487bbd32c98d53ec
- SSDEEP
  
  3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIbjiT05t4Ziu8hBVv4TPcXQZqn:sLV6Bta6dtJmakIM5BGtMMnEcXs7hmk2
Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
behavioral18
- Target
  
  f846950431f463a0a7e663ea7003e31c.exe
- Size
  
  351KB
- MD5
  
  f846950431f463a0a7e663ea7003e31c
- SHA1
  
  d503a8270aab52268a1668b129be687bba0faedb
- SHA256
  
  4022f2227edc7bd96dfbdc2dd88697774b5f47fa7b50a0098e14dcdf0cc8d4ef
- SHA512
  
  330c48bc86fc75fd0fccd1a04800192c46cea7b1ef1e5e9e39873a4e95c0e8ee766dd9e77a9d6dfc1b3f09c1e1c8833abd5a3c7ae099a2c4a618e35a76696d88
- SSDEEP
  
  6144:YeC4EwZFoobUk8qp0qpgogZfpjkNaXiCEa4+U:8fhuLwflkac
Score

10^/10

defense_evasion evasion execution trojan
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- Modifies Windows Defender TamperProtection settings
  evasion trojan
- Stops running service(s)
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  defense_evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral19
- Target
  
  f89219b77e5fde5a7a1581e3e4cc0b00.exe
- Size
  
  294KB
- MD5
  
  f89219b77e5fde5a7a1581e3e4cc0b00
- SHA1
  
  557c9ff996b42056c0531e63ebf5e7d794b23b19
- SHA256
  
  6c8d0a52686544703953357f4d7655e5e1a27a90e2f1aeac9eccdddb618333e5
- SHA512
  
  9ba62300e547e971ff79e4ec0209e07197414071ddf0b90d4a951e06a82f258ab2abcd9653b5fdeb5febe9b6fc8b6a28ce52f7360d94b63283fd0485168b6a40
- SSDEEP
  
  3072:bC6UBkwelNBVB18I8qk49NWa+miRztQYi+GVnkgLmVv3yniVH9T2mZP:bdHvH8+k49wa+LRBQYi+OkgKLVH9T2m
Score

10^/10

mafiaware666 discovery ransomware
- Detect MafiaWare666 ransomware
- MafiaWare666 Ransomware
  MafiaWare666 is ransomware written in C# with multiple variants.
  ransomware mafiaware666
- Mafiaware666 family
  mafiaware666
- Renames multiple (147) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops desktop.ini file(s)
behavioral20
- Target
  
  f8a3f1d5a1d18a666d9b81a974e212b0.exe
- Size
  
  47KB
- MD5
  
  f8a3f1d5a1d18a666d9b81a974e212b0
- SHA1
  
  035f531e396979a8cde58b592c178d96daa46287
- SHA256
  
  a72f747218f7c4c8a3c47d51dc510daae56df59b626c36b32aa64816a7104487
- SHA512
  
  d9848e80f2b05385f0148e32c7485107753978e066f56833d602ba98c1f0386f62dcd6b3f830ca17da3a934957ef796c542c87fe3a2f30853b0ceaaa18e6b0d2
- SSDEEP
  
  768:Wu/6ZTgoiziWUUM9rmo2qrUgYo2Br/wBPIw7+Vcxti2M0bDQL+m6pqetavz60CNq:Wu/6ZTgle2PgABTpw7+Vcfi4bDPrQL6i
Score

10^/10

asyncrat default discovery rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
behavioral21
- Target
  
  f908d30321810e4c87131f6fea397e39.exe
- Size
  
  2.0MB
- MD5
  
  f908d30321810e4c87131f6fea397e39
- SHA1
  
  31c5d474199c401dece4934cf3fe6c9159c36097
- SHA256
  
  876d81ff40086b50fc13a3f7e3a6789ec7671a261ef4b6639611e205eb8ad715
- SHA512
  
  b449207f9bfd37aa4bc27b698b5f0a8540c0347d5216ee52ef8c97f46b819ad1fb2fd8480b50ca6a251c36798701cd67f5200abc72e939e8607a7416ae33f51f
- SSDEEP
  
  49152:TrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:TdxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral22
- Target
  
  f926cc363c27c542c23e14398096eda8.exe
- Size
  
  1.9MB
- MD5
  
  f926cc363c27c542c23e14398096eda8
- SHA1
  
  03442d6ea4a9acd36987b916ffe0261810e6dbfd
- SHA256
  
  ec0c9de9d6eef69bfe2c220f21971d4acc91004194cd8cf993a2bd34a04e31df
- SHA512
  
  581d105843a37d51aed86b071aed97c4188cb4bc8aed8b8c9bd9f7c297d5b3ba79d1d93f0a3d9bb5da89dbb445385838f7df229bec27b36d46b13757eb16491f
- SSDEEP
  
  24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD
Score

10^/10

defense_evasion execution trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
behavioral23
- Target
  
  f947bf8f07543c9beae3fdba615ba1dd.exe
- Size
  
  784KB
- MD5
  
  f947bf8f07543c9beae3fdba615ba1dd
- SHA1
  
  abbb9d1fdca37cbb2b19e4cd275fb48a6ce49118
- SHA256
  
  12386309263eabae4e6435bd13586f4964195b0fc7a5435a26eeb1d0d21b589a
- SHA512
  
  a9732511b6e4e89c48de8a1305973d18be50b01eeb8572c7523399af78648d072c3f31f17de905e96d59508fcbda3d9a9b1cbaf64e799f59267f8055ec3f8a77
- SSDEEP
  
  6144:FtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rcnKHZ:X6u7+487IFjvelQypyfy7cnKHZ
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral24
- Target
  
  f97418dbfcdd3f6d26c6cad46d16ec06.exe
- Size
  
  2.1MB
- MD5
  
  f97418dbfcdd3f6d26c6cad46d16ec06
- SHA1
  
  6a27ff3bd4f16221eb56f00bd0618c33ebd77973
- SHA256
  
  a1d077893568830b15dbf3996ed1a5c53a32314f128663539032289c686e61db
- SHA512
  
  959257a8be5831e26baab82a6df907ad9c796f181d74f02baf3c05eef102122606610e08a815bba73da9a24251555136b636c943a59f375f26609827bdda210e
- SSDEEP
  
  49152:q/FBVWix5TC0/5ljAhscAWlMym/HXR1supwJ4Cf:
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral25
- Target
  
  f98ee08aed6b41b1f9e6e1ca752d22cc.exe
- Size
  
  1.9MB
- MD5
  
  f98ee08aed6b41b1f9e6e1ca752d22cc
- SHA1
  
  0ad8d0bac5c76e5f79ba872cf3ae18a6717ee6dd
- SHA256
  
  82db60e8849ee07cae78c7f49afbbed2e3544618bfcd5d01daf09b120e97b1e0
- SHA512
  
  63dcfc32399062ec5bb65a3a579c75a86bd80bc9bae28d63ff5df3510ef319a5e3237629fcea17232cdbaf96bca0347cd8d8b7669698188cbf08bdc2f3caed5a
- SSDEEP
  
  24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD
Score

10^/10

defense_evasion execution trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
behavioral26
- Target
  
  f990d850e111bf361124a5a27c29b5634503f2c8f2c710bbf0693bd4f557f5f8.exe
- Size
  
  3.3MB
- MD5
  
  54681d828ea105cc3603c08eb985dd5b
- SHA1
  
  6958c3b1c8ab17e3e574f2ed899d02e0e97ae32d
- SHA256
  
  f990d850e111bf361124a5a27c29b5634503f2c8f2c710bbf0693bd4f557f5f8
- SHA512
  
  e8f62f02e5b81f4d6384b5289ff9e358297559b92f7519a991ad14de14907adb390a014434210f759d0ee8a6290dee8c5bb9a10ec3addcf614b02f7caddd6e25
- SSDEEP
  
  98304:RRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/0:Rkj8NBFwxpNOuk2H
Score

8^/10

defense_evasion execution spyware stealer
- Stops running service(s)
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral27
- Target
  
  f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
- Size
  
  1.6MB
- MD5
  
  52e4554ec87085ec0d31bca66d35df00
- SHA1
  
  3196fc8f3064b5d80cd8829c0b3fd6730b2141c0
- SHA256
  
  f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93
- SHA512
  
  04070464d0489ec88509dc767f9c5f0db4dc2e1b3bb06ac3719441a5a923172d9fcac478dfab1b7ad4cdd2bbc0a39f77c6dd0d5d256dfd82d474e74e1b9af899
- SSDEEP
  
  24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral28
- Target
  
  f9a573b21a7be92000f27a3802bb3518.exe
- Size
  
  37KB
- MD5
  
  f9a573b21a7be92000f27a3802bb3518
- SHA1
  
  f1d683fa18e0877c057d201e9af7b518ae82c7d0
- SHA256
  
  8b4ae69ee8e9c474995753217333a2e9257b0c5131e811c6c0abedc8f19877ce
- SHA512
  
  6467c1c32ccce29cee3e70fa02dc1b19519464e0ae6089570fae5dd77ed8dd4745808fe40f251a2e19c21aebea4fd27aaa8c0c96a065a1a4dba896fcb220b334
- SSDEEP
  
  384:b/iH4qi0/JZtbH9KyM+2bzmgHvis2gbjrAF+rMRTyN/0L+EcoinblneHQM3epzXW:Li7J95M+2b6g6tgnrM+rMRa8NuKft
Score

10^/10

latentbot defense_evasion discovery persistence privilege_escalation trojan
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Latentbot family
  latentbot
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral29
- Target
  
  fa0d8e0c80c4d5be75d4ff442d6a85ea4750bffb3526d4d2d3b2e03f3ccfb28e.exe
- Size
  
  3.1MB
- MD5
  
  0284698569314699a47d0ed2411da31d
- SHA1
  
  2013c6c44d36797c516eaefcda085494fb5595ac
- SHA256
  
  fa0d8e0c80c4d5be75d4ff442d6a85ea4750bffb3526d4d2d3b2e03f3ccfb28e
- SHA512
  
  f9d4ad9c5959680cae1b648f970fc9c7dff71731d825bf5522d658ac02ea62764dbe149b4f5360daf0200f3bd7c09885dc3de32ef6c5cdc112b82f491ff5a839
- SSDEEP
  
  49152:yvlt62XlaSFNWPjljiFa2RoUYIm5RJ6sbR3LoGdD1sTHHB72eh2NT:yvX62XlaSFNWPjljiFXRoUYIm5RJ62
Score

10^/10

quasar office04 spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
behavioral30
- Target
  
  fa8e531e0860851ba2d1fb27a07f1879162d4f9bee94df2b818bae9d7834a884.exe
- Size
  
  1.9MB
- MD5
  
  61d8d796a3ad816357cb444faa6e393b
- SHA1
  
  ce40cb81364e079c7b9e11b16d61c94419b43610
- SHA256
  
  fa8e531e0860851ba2d1fb27a07f1879162d4f9bee94df2b818bae9d7834a884
- SHA512
  
  4c5de9f0c8cc9e8aec193955378b823bae3406b07cf6820e9fbff2f478d2550affeeaaf96a1edeb8f17045ec1912d23965ad4085620d7fe58e2be0ca27e86db2
- SSDEEP
  
  24576:wD39dlfGQrFUspugRNJI2DJnUw9W/j+BeKJWqwH6p:wF+QrFUBgq25eKu6p
Score

10^/10

remcos host discovery persistence rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral31
- Target
  
  fa942bbb984e2be3a2e1d8414cc00cd7.exe
- Size
  
  984KB
- MD5
  
  fa942bbb984e2be3a2e1d8414cc00cd7
- SHA1
  
  822821106f149cbc674cccf5d8cc1aec612bb8f4
- SHA256
  
  07419cc322e8ed4baae30a8ba72afc56634175dd54b57c513112e420a9cc69b4
- SHA512
  
  57f062fa5d5fbfa9ebba4ca401e42954b0ed16ec7bc4f28bc6ca00b06e273bbe6dbcab895fc6e460262fcb42cd3a0705a61bb4de2d8a2a08baabb738868af2dc
- SSDEEP
  
  12288:zzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:zzZvuGD2PvA5YxwmbZB6Uv
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral32