asyncrat | 91a8aec23ab8e79172c8d7cbf6a733e73157941687eb58e8ffa543b7e721b7ea | Triage

Submit
Reports

Overview

overview

Static

static

7

XWorm V3.1 .exe

windows7-x64

XWorm V3.1 .exe

windows10-2004-x64

Sharing

General

Target

XWorm V3.1 .exe
Size

10.1MB
Sample

230314-1v2hdaaa77
MD5

320526ae9b5dbd99a38d158578c84ccb
SHA1

60daf13da5fa663c1e7e67ac113fbb5859264b8c
SHA256

91a8aec23ab8e79172c8d7cbf6a733e73157941687eb58e8ffa543b7e721b7ea
SHA512

5c62082634d4abc4bc524b268c5bcf476f6a900cba8becc49e143c8b207f0f661e921a26a62df746236f65a9978b7691e541283835056c9c5a6efac0a382cf0f
SSDEEP

196608:ih0Avmh7fFbZyD3nvCEg+xyZTEQkM1V8/6zCSR6lGCUOGJ1PldRBo+zoDmAYU:iq1pbqdg+yZTUaCkZXOqdbS

Score

10^/10

asyncrat xworm evasion rat themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

XWorm V3.1 .exe

Resource

win7-20230220-en

asyncrat xworm evasion rat themida trojan

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

XWorm V3.1 .exe

Resource

win10v2004-20230221-en

asyncrat evasion rat themida trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Mutex

AsyncMutex_7SI8OkPnk

Attributes

delay
3
install
true
install_file
ContainerRuntime.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/Kb8rTgY7

aes.plain

Targets

- Target
  
  XWorm V3.1 .exe
- Size
  
  10.1MB
- MD5
  
  320526ae9b5dbd99a38d158578c84ccb
- SHA1
  
  60daf13da5fa663c1e7e67ac113fbb5859264b8c
- SHA256
  
  91a8aec23ab8e79172c8d7cbf6a733e73157941687eb58e8ffa543b7e721b7ea
- SHA512
  
  5c62082634d4abc4bc524b268c5bcf476f6a900cba8becc49e143c8b207f0f661e921a26a62df746236f65a9978b7691e541283835056c9c5a6efac0a382cf0f
- SSDEEP
  
  196608:ih0Avmh7fFbZyD3nvCEg+xyZTEQkM1V8/6zCSR6lGCUOGJ1PldRBo+zoDmAYU:iq1pbqdg+yZTUaCkZXOqdbS
Score

10^/10

asyncrat xworm evasion rat themida trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

asyncratxwormevasionratthemidatrojan

behavioral2

asyncratevasionratthemidatrojan

© 2018-2024

Terms | Privacy