asyncrat | 9a2bf745baf56c027d7e4d52cc7c41cc7b2748d634677384fc2d9eecdb8f7485 | Triage

Sharing

General

Target

XWorm-Rat-Remote-Administration-Tool--main.zip
Size

5.0MB
Sample

230419-r421tsda51
MD5

9b3b306a4a17ad6eff92e9d97e46a65e
SHA1

521447c757afd5cdbec84444bb247f9d411a2f2f
SHA256

9a2bf745baf56c027d7e4d52cc7c41cc7b2748d634677384fc2d9eecdb8f7485
SHA512

866b98395c6591635b1718307e3cc7a97ef620ec608a2260d28535371492f2f4c95362a46c29c4e08d69542338c4060f24a7c121b2a1e90d6d6c5ed70038781f
SSDEEP

98304:OjQOrfOehjeCSFFEYhqox9mv7Ys7q2f24IRUeIV1iwLZnnpha7Kmlf3:OjvKCSFFEYjbA77q2+pS5nLbEx

Score

10^/10

asyncrat default agilenet rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

37.18.62.18:8060

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
ChromeUpdate.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  XWorm-Rat-Remote-Administration-Tool--main.zip
- Size
  
  5.0MB
- MD5
  
  9b3b306a4a17ad6eff92e9d97e46a65e
- SHA1
  
  521447c757afd5cdbec84444bb247f9d411a2f2f
- SHA256
  
  9a2bf745baf56c027d7e4d52cc7c41cc7b2748d634677384fc2d9eecdb8f7485
- SHA512
  
  866b98395c6591635b1718307e3cc7a97ef620ec608a2260d28535371492f2f4c95362a46c29c4e08d69542338c4060f24a7c121b2a1e90d6d6c5ed70038781f
- SSDEEP
  
  98304:OjQOrfOehjeCSFFEYhqox9mv7Ys7q2f24IRUeIV1iwLZnnpha7Kmlf3:OjvKCSFFEYjbA77q2+pS5nLbEx
Score

1^/10
behavioral1 behavioral2
- Target
  
  XWorm-Rat-Remote-Administration-Tool--main/DisAsClaimer.exe
- Size
  
  12KB
- MD5
  
  f922206889c896cf2d86f21e9f9db7db
- SHA1
  
  046b00f2edb34982db266d903627ced283f4a5ea
- SHA256
  
  1ac4832667db7044b1077e447d587a14dcd1270e71b8d34157a77d515b61c4b3
- SHA512
  
  abe82360ab14ed1e0c0c25da46a7558638671de1701e383b7a9bc122edecbc1eb13c760835a7e626a7d3ba326d4705acb53987e61d45332027913512befc4965
- SSDEEP
  
  192:wLwX9CLPN0LjrJUMmYVY2aq3xWrhSaadrq8uSF3u:owNCLPN0/9UMme313UrhSJUSF
Score

3^/10
behavioral3 behavioral4
- Target
  
  XWorm-Rat-Remote-Administration-Tool--main/FastColoredTextBox.dll
- Size
  
  333KB
- MD5
  
  b746707265772b362c0ba18d8d630061
- SHA1
  
  4b185e5f68c00bef441adb737d0955646d4e569a
- SHA256
  
  3701b19ccdac79b880b197756a972027e2ac609ebed36753bd989367ea4ef519
- SHA512
  
  fd67f6c55940509e8060da53693cb5fbac574eb1e79d5bd8f9bbd43edbd05f68d5f73994798a0eed676d3e583e1c6cde608b54c03604b3818520fa18ad19aec8
- SSDEEP
  
  6144:4FErOIif3RzSHh+20lXs1TzCeBcQeDbNlz7:eEeR52bmeh0n
Score

1^/10
behavioral5 behavioral6
- Target
  
  XWorm-Rat-Remote-Administration-Tool--main/Fixer.bat
- Size
  
  122B
- MD5
  
  2dabc46ce85aaff29f22cd74ec074f86
- SHA1
  
  208ae3e48d67b94cc8be7bbfd9341d373fa8a730
- SHA256
  
  a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55
- SHA512
  
  6a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3
Score

1^/10
behavioral7 behavioral8
- Target
  
  XWorm-Rat-Remote-Administration-Tool--main/GeoIP.dat
- Size
  
  1.0MB
- MD5
  
  c8db63170e85b35ce51b5d1aef098708
- SHA1
  
  bd8489cc9017bfe308d748b1d62db1f154990acc
- SHA256
  
  6c15c5f8e3faec8adf4321fd8f9d62f3f4dd645dafd0f9f6c52b118001654d36
- SHA512
  
  4392ec79c297da34b1500799bd07eebbf1ca88b5d1efe80d9cf02d4cd9562ae617854d228876451aa53c5256f9a47b530f481da4cedb4d748b319d69a14e3a7b
- SSDEEP
  
  24576:fGATlAgl5jSz0XunQYrkuDlffwc2uyWMI:e4FlpeaunQKkuhZ
Score

3^/10
behavioral10 behavioral9
- Target
  
  XWorm-Rat-Remote-Administration-Tool--main/Guna.UI2.dll
- Size
  
  2.1MB
- MD5
  
  d65fd6dbbd3c9ac74139aeaedc4a5816
- SHA1
  
  407ae10ccc8e19798bf75cb90b2150cb63a9db66
- SHA256
  
  84199a22c8669a39800272c3da0d969ec4e8d77d67b9d324ca049953a5042c71
- SHA512
  
  b8a99e88d49a6f9ff89339fa5acc9df8b59665d2ec22ccb4741e501bba6b280b00336906a637d8f071f86a4dcd68ca4ac86683e651466f084cb96d0e3152eddf
- SSDEEP
  
  49152:ClU6fD73waJnBA5lV8jldVmIgA5iKOvhn:ClU6vznglEldVmIJi/vt
Score

1^/10
behavioral11 behavioral12
- Target
  
  XWorm-Rat-Remote-Administration-Tool--main/NAudio.dll
- Size
  
  502KB
- MD5
  
  3b87d1363a45ce9368e9baec32c69466
- SHA1
  
  70a9f4df01d17060ec17df9528fca7026cc42935
- SHA256
  
  81b3f1dc3f1eac9762b8a292751a44b64b87d0d4c3982debfdd2621012186451
- SHA512
  
  1f07d3b041763b4bc31f6bd7b181deb8d34ff66ec666193932ffc460371adbcd4451483a99009b9b0b71f3864ed5c15c6c3b3777fabeb76f9918c726c35eb7d7
- SSDEEP
  
  6144:96/i10SZtfzWctj98vZcE0wmLlaIZs5eku2sX2hrjAzvgmXa6W9FwsT9idwktQZG:9yrSKMJR9aGs55T1X9Fwspi2tGpmS
Score

1^/10
behavioral13 behavioral14
- Target
  
  XWorm-Rat-Remote-Administration-Tool--main/README.md
- Size
  
  1KB
- MD5
  
  41c22fcb0efabfa87cbbffecbc937751
- SHA1
  
  95d4333b21e76a8c9e9da8a03aecea63dbbd9d01
- SHA256
  
  3bab4c7a92515f24f23cdec831c628cd842887e2cc702e9eed3ef1a4c8c74f67
- SHA512
  
  9ce138db160649ca4e9a0881c7859ff63a9761695fe48e5195f79b5ceb8f2102947019304a2de972813c76c74fb2fb4bbda1c5e99860463c708057bcf820cef8
Score

3^/10
behavioral15 behavioral16
- Target
  
  XWorm-Rat-Remote-Administration-Tool--main/Uploader.php
- Size
  
  747B
- MD5
  
  8da24c5cbbfb87879d150dc438ca3c4c
- SHA1
  
  b572a99b3cdc5332a927629406bf999150d034ce
- SHA256
  
  6e69ff9be3bade50f81e40f518a8c8ca83e45c8016cae41404068e924f3cd7a3
- SHA512
  
  8ad1ce583a40232131d2ed4c40437630639cabe845252b52bfd83e0beca8c8f022d193a9f9f895ec802c424c492cb18a3c5800d87af53fee53ff1a5fc6d99887
Score

3^/10
behavioral17 behavioral18
- Target
  
  XWorm-Rat-Remote-Administration-Tool--main/XHVNC.exe
- Size
  
  1.9MB
- MD5
  
  4904329d091687c9deb08d9bd7282e77
- SHA1
  
  bcf7fcebb52cad605cb4de65bdd077e600475cc7
- SHA256
  
  e92707537fe99713752f3d3f479fa68a0c8dd80439c13a2bb4ebb36a952b63fd
- SHA512
  
  b7ba131e9959f2f76aa3008711db9e6f2c4753a232140368be5c8388ab0e25154a31e579ef87fe01a3e4bc83402170bb9fbf242c6f01528455246b793e03fdfb
- SSDEEP
  
  24576:CmErCsazef+APWb6+CILRbTcJiWevOIWr9Lrdl5p0WdaMCtGjC+Ub:CPF+CWb6+CILRncZe65rb5p0ehVCr
Score

7^/10

agilenet
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
behavioral19 behavioral20
- Target
  
  XWorm-Rat-Remote-Administration-Tool--main/XWorm-RAT-V2.1-builder.exe
- Size
  
  3.2MB
- MD5
  
  339b7f92641c0f5161731fc681aaeb3a
- SHA1
  
  21d2d89e9ade90df638f33d314ac68e30f6aa52e
- SHA256
  
  b6fb77dfd00695678b06ed122523a0b067077fe69113f395661cd3be748d9f7c
- SHA512
  
  58e5ff1d92be52df114b7f060d700823dff9158ec765cf9b19ab9df0ace2669405467f49d1bd56ce04871683fbcbaace5976ebdbd1575490ff411333a3905134
- SSDEEP
  
  24576:o08GeFzFDzPLDP8c1uAowyLQfB/eVjKIOQaBcM707ae8gpeJF+kR8YD2Y35/5Mb6:4/TjrHWKWDOQko29ueJsq8z
Score

3^/10
behavioral21 behavioral22
- Target
  
  XWorm-Rat-Remote-Administration-Tool--main/XWormUI.exe
- Size
  
  49KB
- MD5
  
  9b64d05f82ebaa3e51a79c1beeed2181
- SHA1
  
  28b89cd9f181c41586b06f3e3c1f90e2270781ef
- SHA256
  
  93c7fd938042af85f3d429c387b04952f4b97832857fbf0156ae82e4f516fcf8
- SHA512
  
  580bc63ec3e6993099deae7e103f8565b42cce3288d78186f9dabea3d8e5c2e6816e1b20439fafd5b94ff24cbaa3eba1154cb995692b3674d5c5c63b6c1dfc13
- SSDEEP
  
  768:xuQSNTvEEaBrWUXQd5mo2qmiVzKSPCiPIxUjbHgX3iRudoy8FEY+YBDZSxDlD:xuQSNT8542xW6x0bAXSox8deDlD
Score

10^/10

asyncrat default rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral23 behavioral24
- Target
  
  XWorm-Rat-Remote-Administration-Tool--main/dnlib.dll
- Size
  
  1.1MB
- MD5
  
  9ed69fbbfdec5d95ea229da3969dd77b
- SHA1
  
  7972339f0a1b6a28a2f335c84cdfc5d9beee72b6
- SHA256
  
  e8bc7a627149386cb3cf714ae0101f69440f72cf2e7468a677b727b32aaed755
- SHA512
  
  61bfaa00736487ed736a27c1a9e45ce14b578452471866d195ce1a4736e72bd4bec98938b8cbb83ffbf09cbf188e9b8760452cc95ee30565414882aadd0171a6
- SSDEEP
  
  24576:+9itfCdSZYeP0jsLpPl44znxuhv7fBTu1Z:W5QF6
Score

1^/10
behavioral25 behavioral26
- Target
  
  XWorm-Rat-Remote-Administration-Tool--main/dnlib.exe
- Size
  
  12KB
- MD5
  
  6967b97ce4ff4524883a196a97736275
- SHA1
  
  6fdf2b9adc16b40a06bacc7db0abee917ef4abd3
- SHA256
  
  e2bddf56324addac02678a7fd8d9c3da24ad55132883ad826a1a60eaf4e4a034
- SHA512
  
  c71525d49e36975cb43535cff5176409163b14f53b644e3d161fd56f7514f0affbda051541a07d9af4cdc45a564dfad20a23584701499a0f03e531219c9f72be
- SSDEEP
  
  192:zLlo6IXsbK9CLPN0LWyJUMmYVY2QQq33WrmRaadrq8uSF3:PljIeyCLPN0CUUMme3o3mrmRJUSF
Score

10^/10

asyncrat default rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral27 behavioral28

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

agilenetratdefaultasyncrat

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

asyncratdefaultrat

behavioral24

asyncratdefaultrat

behavioral25

behavioral26

behavioral27

behavioral28

asyncratdefaultrat