asyncrat | 3598bd743d78bb85de33127f0584f9d37d0775fa5166b721b153deeeea0c172b | Triage

Submit
Reports

Overview

overview

Static

static

1

4Xc1zTf.bat

windows10-2004-x64

Sharing

General

Target

4Xc1zTf.bat
Size

313B
Sample

240702-2l3vhstdja
MD5

83b90daf2dc1611ccacd57f90a9e7dcd
SHA1

bcc229dcfe50608ada43b87105e423f88deb09f3
SHA256

3598bd743d78bb85de33127f0584f9d37d0775fa5166b721b153deeeea0c172b
SHA512

1aadf9c3cf7e540e09929bb9b834af192d9edc7196c6e44e4d77f8df2d26404509381306bcbd405d86dd47df403a375220b097aa7fd05162422c1dd594df3778

Score

10^/10

asyncrat quasar xworm default slave execution persistence rat spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

4Xc1zTf.bat

Resource

win10v2004-20240508-en

asyncrat quasar xworm default slave execution persistence rat spyware trojan

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

xworm

C2

super-nearest.gl.at.ply.gg:17835

best-bird.gl.at.ply.gg:27196

wiz.bounceme.net:6000

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

finally-grande.gl.at.ply.gg:25844

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes

encryption_key
CjDCAPF1JiLswgFipef3
install_name
$77Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Start-Up Application
subdirectory
$77

Targets

- Target
  
  4Xc1zTf.bat
- Size
  
  313B
- MD5
  
  83b90daf2dc1611ccacd57f90a9e7dcd
- SHA1
  
  bcc229dcfe50608ada43b87105e423f88deb09f3
- SHA256
  
  3598bd743d78bb85de33127f0584f9d37d0775fa5166b721b153deeeea0c172b
- SHA512
  
  1aadf9c3cf7e540e09929bb9b834af192d9edc7196c6e44e4d77f8df2d26404509381306bcbd405d86dd47df403a375220b097aa7fd05162422c1dd594df3778
Score

10^/10

asyncrat quasar xworm default slave execution persistence rat spyware trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

asyncratquasarxwormdefaultslaveexecutionpersistenceratspywaretrojan

© 2018-2024

Terms | Privacy