Resubmissions
16/04/2025, 07:31
250416-jcsdbatm13 1016/04/2025, 07:23
250416-h7whsatmx6 1014/04/2025, 14:48
250414-r6mc6ayqx4 1014/04/2025, 14:47
250414-r5wkfaz1hy 1014/04/2025, 14:45
250414-r4xq4syqv2 1031/01/2025, 20:51
250131-zngnysynhl 1022/01/2025, 17:19
250122-vv8c2awqf1 1022/01/2025, 16:20
250122-ts986swjel 1022/01/2025, 13:44
250122-q2a9nayng1 1022/01/2025, 13:43
250122-q1jjmszmel 10General
-
Target
4363463463464363463463463.zip.zip
-
Size
394KB
-
Sample
250414-r5wkfaz1hy
-
MD5
22872ef7f39c6c03422b358f867e69b7
-
SHA1
263dbd53bf3e6766a11e0a0ce896e708be807aa0
-
SHA256
12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd
-
SHA512
d26020b40e03a1bc7dff4d872c9421e07681e4bb4bbf9172f063be7d81b060686f1091dd2603de30ae600cae250e4a94cd3f2909e88e2e26b796771b8eb6b817
-
SSDEEP
12288:YGA+VQGlOa26BcdTJw3dzxdY4BAvcTCyY:YGfQGlg64NWv64AETI
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
quasar
1.4.0
svhost
151.177.61.79:4782
a148a6d8-1253-4e62-bc5f-c0242dd62e69
-
encryption_key
5BEC1A8BC6F8F695D1337C51454E0B7F3A4FE968
-
install_name
svhost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svhost
-
subdirectory
svhost
Extracted
quasar
1.4.0
Office04
microsoftsys.ddns.net:4782
67e0653d-eedf-4888-88ab-78e97eb2df27
-
encryption_key
23E5F6D22FEE1750D36544A759A48349B064BC34
-
install_name
PerfWatson1.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svhost
-
subdirectory
KDOT
Extracted
quasar
1.4.1
Nigga
yzs-42879.portmap.host:42879
57d72303-b5e9-46aa-8cc4-9690809c1a9e
-
encryption_key
F1EBDB1862062F9265C0B5AC4D02C76D026534D0
-
install_name
RuntimeBroker.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
Temp
Extracted
lumma
https://crib-endanger.sbs/api
https://faintbl0w.sbs/api
https://300snails.sbs/api
https://bored-light.sbs/api
https://3xc1aimbl0w.sbs/api
https://pull-trucker.sbs/api
https://fleez-inc.sbs/api
https://thicktoys.sbs/api
https://c0al1t1onmatch.cyou/api
Extracted
stealc
default
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
xworm
5.0
127.0.0.1:8080
aVbGJnLt4HRONX59
-
install_file
USB.exe
Extracted
quasar
1.4.1
Java
dez3452-33187.portmap.host:33187
f0e53bcd-851e-44af-8fd5-07d8ab5ed968
-
encryption_key
65439CE7DEF3E0FAF01C526FEA90388C9FD487A1
-
install_name
java.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
java ©
-
subdirectory
Programfiles
Extracted
quasar
1.5.0
BruterV3
147.185.221.17:44915
3b364ea6-0ab3-4606-8c9e-e2b51e68c3b8
-
encryption_key
E679E56ABD1A0F53D68F323812B24E67488502F6
-
install_name
Bruter.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows_Host_Process
-
subdirectory
RealtekAudio
Extracted
asyncrat
0.5.7B
Default
1.tcp.ap.ngrok.io:21049
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
chrome.exe
-
install_folder
%AppData%
Extracted
redline
38.180.72.54:42814
Targets
-
-
Target
4363463463464363463463463.exe
-
Size
764KB
-
MD5
85e3d4ac5a6ef32fb93764c090ef32b7
-
SHA1
adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
-
SHA256
4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
-
SHA512
a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
-
SSDEEP
12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufbj:6nsJ39LyjbJkQFMhmC+6GD9mH
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Detect Xworm Payload
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Async RAT payload
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1