asyncrat | ee7d4244e534803ab573e663323b3f83dd9924955a13d7b8696692ad93d7216b | Triage

Submit
Reports

Overview

overview

Static

static

3

cb22cebed9...26.exe

windows7-x64

cb22cebed9...26.exe

windows10-2004-x64

Sharing

General

Target

457143901d9ca2f0bc836c1dd1faefe3.bin
Size

733KB
Sample

240630-cc2tesvhrr
MD5

840f009d320d2d16bba0c66f2d0e831a
SHA1

20109e16cca047d7829f21ce907979fbee6ee13a
SHA256

ee7d4244e534803ab573e663323b3f83dd9924955a13d7b8696692ad93d7216b
SHA512

7e62ed08fe4c70546fdad8239539b861b374b651083308a669ea3995fd2256266b1c3b550658acba9ce142c76cbe056dcee803947ae5cfa911b40142e7a84793
SSDEEP

12288:oNz3nEk+buOTeLAGj5wR6ztUSAo0GeOs/MiaQQYWtCszQz2YMrlMnMy34DrrRxYK:g3nl+6O7uBg/gQb4CCQz2/uMe4DZNcK

Score

10^/10

asyncrat quasar xworm default slave execution rat spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe

Resource

win7-20240508-en

asyncrat quasar xworm default slave execution rat spyware trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe

Resource

win10v2004-20240226-en

asyncrat quasar xworm default slave execution rat spyware trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

head-experimental.gl.at.ply.gg:46178

best-bird.gl.at.ply.gg:27196

super-nearest.gl.at.ply.gg:17835

wiz.bounceme.net:6000

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes

encryption_key
ql4fQ8TV9ZFP9vRX2myA
install_name
$sxr~Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$77STARTUP~MSF
subdirectory
$sxr~SubDir

Extracted

Family

asyncrat

Botnet

Default

C2

finally-grande.gl.at.ply.gg:25844

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe
- Size
  
  748KB
- MD5
  
  457143901d9ca2f0bc836c1dd1faefe3
- SHA1
  
  11e554dcfca0dd51c5bfe92d35b9c13b21b81691
- SHA256
  
  cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26
- SHA512
  
  0bd04e37e8f3bb869783661972b83ec8fb6b06727eff27374d2855e714b31cd51b15ada8e46d8b09eda9367dd002f65436785b7962f80f5812396aff3c03c0d0
- SSDEEP
  
  12288:Ykpcy+P2t8ysP8ZURBmtxjlk/u6ntgJ2E3P0DtaxoisMLHsXxteTX:Ykpcy5tVZqBmTji/PQP0Zaxd5LHxT
Score

10^/10

asyncrat quasar xworm default slave execution rat spyware trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

asyncratquasarxwormdefaultslaveexecutionratspywaretrojan

behavioral2

asyncratquasarxwormdefaultslaveexecutionratspywaretrojan

© 2018-2024

Terms | Privacy