asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

Fanta_Is_Better_Than_Coke.bat
Size

773KB
Sample

240702-rmnf4szhjr
MD5

4dec8ae835e5a08a2a49caed42ec3d03
SHA1

d980406271e2404a1bba3aa0db370cca9f37c284
SHA256

8d65586e976036fdd9baff1a531782c4dfc03b18e681f7d28a3b971375c08d51
SHA512

802bf400411973dec2975a0154cea60f0461bd78999a4d1be0b73e786b8a4be803caf0ffc67d0986b98c7bdf8d33ccd6ec16b708a82c3091df61df88706aa224
SSDEEP

24576:WLYRF4zDL03jn4gzvZnOOGZj1rlUMaM2o2oa:WLMrj3ONpOo8

Score

10^/10

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

xworm

super-nearest.gl.at.ply.gg:17835

best-bird.gl.at.ply.gg:27196

Extracted

Family

asyncrat

Botnet

Default

finally-grande.gl.at.ply.gg:25844

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes

encryption_key
CjDCAPF1JiLswgFipef3
install_name
$77Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Start-Up Application
subdirectory
$77

Targets

- Target
  
  Fanta_Is_Better_Than_Coke.bat
- Size
  
  773KB
- MD5
  
  4dec8ae835e5a08a2a49caed42ec3d03
- SHA1
  
  d980406271e2404a1bba3aa0db370cca9f37c284
- SHA256
  
  8d65586e976036fdd9baff1a531782c4dfc03b18e681f7d28a3b971375c08d51
- SHA512
  
  802bf400411973dec2975a0154cea60f0461bd78999a4d1be0b73e786b8a4be803caf0ffc67d0986b98c7bdf8d33ccd6ec16b708a82c3091df61df88706aa224
- SSDEEP
  
  24576:WLYRF4zDL03jn4gzvZnOOGZj1rlUMaM2o2oa:WLMrj3ONpOo8
Score

10^/10

execution asyncrat quasar xworm default slave bootkit persistence rat spyware trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2