asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

Phantom.exe
Size

764KB
Sample

240701-wb9bna1cmb
MD5

f9dbf286fc2655045699c429f76d708e
SHA1

49ec367b5e8d4035a389469005f96cf717e18f17
SHA256

f4d9d7d07cf500816361daad500873f5d17480ae0ba49f3348435478cf93d949
SHA512

cff7af066fa10c93d1f3b7b460de720f8f64b73c7a0a6be999f2d73bcceb5368e1656492b925d25f0e69132ab263c6198279743db942037108453acbecce3275
SSDEEP

12288:ydSxkJb4ZQivRFZKP0m4FdWaGNGGLUWl6JB+A6+rN6FAZXhqDnxlrug6JnGf:l2Jb4/U8mGWArwCZ6FPxk

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes

encryption_key
WyBm1iVkHZmEnGPMAZWV
install_name
$phantom.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$phantomSTARTUP~MSF
subdirectory
$phantom

Extracted

Family

asyncrat

Botnet

Default

finally-grande.gl.at.ply.gg:25844

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

best-bird.gl.at.ply.gg:27196

super-nearest.gl.at.ply.gg:17835

wiz.bounceme.net:6000

Attributes

Install_directory
%ProgramData%

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

147.185.221.205:52809

Mutex

FANTA~69

Attributes

delay
1
install
false
install_file
Update.exe
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Targets

- Target
  
  Phantom.exe
- Size
  
  764KB
- MD5
  
  f9dbf286fc2655045699c429f76d708e
- SHA1
  
  49ec367b5e8d4035a389469005f96cf717e18f17
- SHA256
  
  f4d9d7d07cf500816361daad500873f5d17480ae0ba49f3348435478cf93d949
- SHA512
  
  cff7af066fa10c93d1f3b7b460de720f8f64b73c7a0a6be999f2d73bcceb5368e1656492b925d25f0e69132ab263c6198279743db942037108453acbecce3275
- SSDEEP
  
  12288:ydSxkJb4ZQivRFZKP0m4FdWaGNGGLUWl6JB+A6+rN6FAZXhqDnxlrug6JnGf:l2Jb4/U8mGWArwCZ6FPxk
Score

10^/10

asyncrat quasar xworm default slave discovery execution persistence privilege_escalation rat spyware trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1