asyncrat | 4c4667a8d86e4369c1b7e16e38f86292b2ffcbfe506613899291a52f15f0128a | Triage

Submit
Reports

Overview

overview

Static

static

1

svchost.bat

windows10-2004-x64

Sharing

General

Target

svchost.bat
Size

607KB
Sample

240702-p9jekaxeln
MD5

cdd288e92953495d53b0b28b30d135a6
SHA1

a7bd0567125f27171f60322bdc29c1bb8b8fcd25
SHA256

4c4667a8d86e4369c1b7e16e38f86292b2ffcbfe506613899291a52f15f0128a
SHA512

2ed4a854ddc83d6d32ce7948740e0474b3794d054c325d1b71af7cf17c54460b200a2a9126b02001eba8f1e5bb105ac8e01c3ca1c91da093e4422fa53dfbf173
SSDEEP

12288:Ph2Dh0mFsRXQ7ZpK1b4Bdbi6EGv8/K9yxnQ3nzvc7l87wrJJ3HMU:Pujsxb4B0KAxnww7y7+v

Score

10^/10

asyncrat quasar xworm default slave execution persistence rat spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

svchost.bat

Resource

win10v2004-20240611-en

asyncrat quasar xworm default slave execution persistence rat spyware trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

xworm

C2

super-nearest.gl.at.ply.gg:17835

best-bird.gl.at.ply.gg:27196

wiz.bounceme.net:6000

Attributes

Install_directory
%ProgramData%

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

finally-grande.gl.at.ply.gg:25844

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes

encryption_key
WyBm1iVkHZmEnGPMAZWV
install_name
$phantom.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$phantomSTARTUP~MSF
subdirectory
$phantom

Targets

- Target
  
  svchost.bat
- Size
  
  607KB
- MD5
  
  cdd288e92953495d53b0b28b30d135a6
- SHA1
  
  a7bd0567125f27171f60322bdc29c1bb8b8fcd25
- SHA256
  
  4c4667a8d86e4369c1b7e16e38f86292b2ffcbfe506613899291a52f15f0128a
- SHA512
  
  2ed4a854ddc83d6d32ce7948740e0474b3794d054c325d1b71af7cf17c54460b200a2a9126b02001eba8f1e5bb105ac8e01c3ca1c91da093e4422fa53dfbf173
- SSDEEP
  
  12288:Ph2Dh0mFsRXQ7ZpK1b4Bdbi6EGv8/K9yxnQ3nzvc7l87wrJJ3HMU:Pujsxb4B0KAxnww7y7+v
Score

10^/10

asyncrat quasar xworm default slave execution persistence rat spyware trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

asyncratquasarxwormdefaultslaveexecutionpersistenceratspywaretrojan

© 2018-2024

Terms | Privacy