asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

https://s3.us-east-1.wasabisys.com/vxugmwdb/2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
Sample

250421-v2f75atmz9

Malware Config

Extracted

Family

xworm

assistance-arbitration.gl.at.ply.gg:12152

147.185.221.27:31149

w-bridal.gl.at.ply.gg:48095

147.185.221.22:47930

127.0.0.1:47930

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

1.tcp.ap.ngrok.io:21049

ratlordvc.ddns.net:6606

96.248.52.125:8031

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
chrome.exe
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

3.1

46.8.194.222:4040

Attributes

Install_directory
%AppData%
install_file
USB.exe

Extracted

Family

stealc

Botnet

QQtalk

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

SolaraFake

anyone-blogging.gl.at.ply.gg:22284

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
Windows.exe
install_folder
%Temp%

aes.plain

Extracted

Family

quasar

Version

1.4.0

Botnet

svhost

151.177.61.79:4782

Mutex

a148a6d8-1253-4e62-bc5f-c0242dd62e69

Attributes

encryption_key
5BEC1A8BC6F8F695D1337C51454E0B7F3A4FE968
install_name
svhost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
svhost

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

2.tcp.eu.ngrok.io:19695

127.0.0.1:3232

jvjv2044duck33.duckdns.org:8808

Mutex

gonq3XlXWgiz

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

they-mailed.gl.at.ply.gg:34942:34942

they-mailed.gl.at.ply.gg:34942

Mutex

OG4zPFx3km5rwbhp

Attributes

Install_directory
%ProgramData%
install_file
Wiindows Defender.exe

aes.plain

Extracted

Family

metasploit

Version

windows/reverse_tcp

167.250.49.155:445

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

82.193.104.21:5137

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Extracted

Family

redline

Botnet

first

212.56.41.77:1912

Extracted

Family

stealc

Botnet

Voov

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Extracted

Family

lumma

https://bexarthynature.run/api

https://hardswarehub.today/api

https://gadgethgfub.icu/api

https://hardrwarehaven.run/api

https://techmindzs.live/api

https://codxefusion.top/api

https://bquietswtreams.life/api

https://techspherxe.top/api

https://earthsymphzony.today/api

https://zestmodp.top/zeda

https://jawdedmirror.run/ewqd

https://changeaie.top/geps

https://lonfgshadow.live/xawi

https://liftally.top/xasj

https://nighetwhisper.top/lekd

https://salaccgfa.top/gsooz

https://owlflright.digital/qopy

Extracted

Family

quasar

Version

1.4.1

Botnet

kazeku

kazeku.ddns.net:4782

kazeku.linkpc.net:4782

139.99.66.103:4782

182.253.58.227:4782

0.tcp.ap.ngrok.io:10431

Mutex

7fb11f4b-e530-407c-a46c-8834ab5c4f45

Attributes

encryption_key
2E002E0BA1D95CECCDECD8F8B383C3F7C76A7FD7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
kazeku
subdirectory
kazeku

Extracted

Family

darkcomet

Botnet

Guest16

jvjv2044duck33.duckdns.org:1604

Mutex

DC_MUTEX-CK7UE3N

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
Jp74nsvbhc4i
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Extazz24535-22930.portmap.host:22930

192.168.100.10:4782

Mutex

89f58ee5-7af9-42de-843f-2a331a641e3f

Attributes

encryption_key
CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE
install_name
2klz.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

lumma

https://covvercilverow.shop/api

https://surroundeocw.shop/api

https://abortinoiwiam.shop/api

https://pumpkinkwquo.shop/api

https://priooozekw.shop/api

https://deallyharvenw.shop/api

https://defenddsouneuw.shop/api

https://racedsuitreow.shop/api

https://roaddrermncomplai.shop/api

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

connectdadad.ddns.net:4782

Mutex

e862a94f-5f45-4b8c-89de-f84dadb095d0

Attributes

encryption_key
23E5F6D22FEE1750D36544A759A48349B064BC34
install_name
PerfWatson1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
KDOT

Extracted

Family

quasar

Version

1.4.1

Botnet

Main

tpinauskas-54803.portmap.host:54803

Mutex

8422dcc2-b8bd-4080-a017-5b62524b6546

Attributes

encryption_key
2EFF7393DC1BD9FBDDD61A780B994B8166BAB8EC
install_name
Win64.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Win64
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Hubert Pilarczyk

pawela827-35962.portmap.host:35962

Mutex

ca431979-125b-480f-adac-43c48c1e1832

Attributes

encryption_key
39F4E87BBB832270AC54CA5065E707DFB3689A56
install_name
vsjitdebuggerui.exe
log_directory
CEF
reconnect_delay
3000
startup_key
Proces hosta dla zadań systemu Windows
subdirectory
3880

Extracted

Family

azorult

http://195.245.112.115/index.php

Targets

- Target
  
  https://s3.us-east-1.wasabisys.com/vxugmwdb/2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
Score

10^/10

asyncrat azorult darkcomet lumma metasploit mimikatz njrat quasar redline stealc xworm default first guest16 hacked hubert pilarczyk kazeku main office04 qqtalk solarafake svhost voov backdoor defense_evasion discovery infostealer pyinstaller rat spyware stealer trojan upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Azorult family
  azorult
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Detect Xworm Payload
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Metasploit family
  metasploit
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Mimikatz family
  mimikatz
- Njrat family
  njrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Async RAT payload
  rat
- mimikatz is an open source tool to dump credentials on Windows
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Asyncrat family

Azorult

Azorult family

Darkcomet

Darkcomet family

Detect Xworm Payload

Lumma Stealer, LummaC

Lumma family

MetaSploit

Metasploit family

Mimikatz

Mimikatz family

Njrat family

Quasar RAT

Quasar family

Quasar payload

RedLine

RedLine payload

Redline family

Stealc

Stealc family

Xworm

Xworm family

njRAT/Bladabindi

Async RAT payload

mimikatz is an open source tool to dump credentials on Windows

Downloads MZ/PE file

Modifies Windows Firewall

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

AutoIT Executable

UPX packed file

MITRE ATT&CK Enterprise v16

Tasks

static1

urlscan1

behavioral1