asyncrat | 9a2bf745baf56c027d7e4d52cc7c41cc7b2748d634677384fc2d9eecdb8f7485

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2023 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm-Rat-Remote-Administration-Tool--main/XWormUI.exe
Size

49KB
MD5

9b64d05f82ebaa3e51a79c1beeed2181
SHA1

28b89cd9f181c41586b06f3e3c1f90e2270781ef
SHA256

93c7fd938042af85f3d429c387b04952f4b97832857fbf0156ae82e4f516fcf8
SHA512

580bc63ec3e6993099deae7e103f8565b42cce3288d78186f9dabea3d8e5c2e6816e1b20439fafd5b94ff24cbaa3eba1154cb995692b3674d5c5c63b6c1dfc13
SSDEEP

768:xuQSNTvEEaBrWUXQd5mo2qmiVzKSPCiPIxUjbHgX3iRudoy8FEY+YBDZSxDlD:xuQSNT8542xW6x0bAXSox8deDlD

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

37.18.62.18:8060

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
ChromeUpdate.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral24/memory/4828-133-0x0000000000C70000-0x0000000000C82000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe	asyncrat
C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XWormUI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	XWormUI.exe

Executes dropped EXE 1 IoCs

Processes:

ChromeUpdate.exe

pid process

2888 ChromeUpdate.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2224 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1564 timeout.exe

pid	process
2888	ChromeUpdate.exe

pid	process
2224	schtasks.exe

pid	process
1564	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

XWormUI.exe

pid	process
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe
4828	XWormUI.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

XWormUI.exeChromeUpdate.exe

description pid process

Token: SeDebugPrivilege 4828 XWormUI.exe
Token: SeDebugPrivilege 2888 ChromeUpdate.exe

description	pid	process
Token: SeDebugPrivilege	4828	XWormUI.exe
Token: SeDebugPrivilege	2888	ChromeUpdate.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

XWormUI.execmd.execmd.exe

description	pid	process	target process
PID 4828 wrote to memory of 968	4828	XWormUI.exe	cmd.exe
PID 4828 wrote to memory of 968	4828	XWormUI.exe	cmd.exe
PID 4828 wrote to memory of 968	4828	XWormUI.exe	cmd.exe
PID 4828 wrote to memory of 4996	4828	XWormUI.exe	cmd.exe
PID 4828 wrote to memory of 4996	4828	XWormUI.exe	cmd.exe
PID 4828 wrote to memory of 4996	4828	XWormUI.exe	cmd.exe
PID 968 wrote to memory of 2224	968	cmd.exe	schtasks.exe
PID 968 wrote to memory of 2224	968	cmd.exe	schtasks.exe
PID 968 wrote to memory of 2224	968	cmd.exe	schtasks.exe
PID 4996 wrote to memory of 1564	4996	cmd.exe	timeout.exe
PID 4996 wrote to memory of 1564	4996	cmd.exe	timeout.exe
PID 4996 wrote to memory of 1564	4996	cmd.exe	timeout.exe
PID 4996 wrote to memory of 2888	4996	cmd.exe	ChromeUpdate.exe
PID 4996 wrote to memory of 2888	4996	cmd.exe	ChromeUpdate.exe
PID 4996 wrote to memory of 2888	4996	cmd.exe	ChromeUpdate.exe

C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ChromeUpdate" /tr '"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "ChromeUpdate" /tr '"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"'
3⤵
- Creates scheduled task(s)
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA0AA.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1564

C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe
"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA0AA.tmp.bat
Filesize
156B

MD5
df43e396af7073b8af4af9aee5460687

SHA1
1e07abcf80549e2460ddc1213f09c61d14e5dcf1

SHA256
a7baeb1ba4e5d4a5da6b1d8f4de37d846b7b9e4bfe70f0e19741eeae0e90ba6c

SHA512
ac1eff6517b28dbb4c257ee1c37adba3952f186a7953494a3b35d51c9431710e6cab31a8f320d4f24a394d1f95f729284981e96033f1a86bcca24457faf5863b

Download Submit
C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe
Filesize
49KB

MD5
9b64d05f82ebaa3e51a79c1beeed2181

SHA1
28b89cd9f181c41586b06f3e3c1f90e2270781ef

SHA256
93c7fd938042af85f3d429c387b04952f4b97832857fbf0156ae82e4f516fcf8

SHA512
580bc63ec3e6993099deae7e103f8565b42cce3288d78186f9dabea3d8e5c2e6816e1b20439fafd5b94ff24cbaa3eba1154cb995692b3674d5c5c63b6c1dfc13

Download Submit
C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe
Filesize
49KB

MD5
9b64d05f82ebaa3e51a79c1beeed2181

SHA1
28b89cd9f181c41586b06f3e3c1f90e2270781ef

SHA256
93c7fd938042af85f3d429c387b04952f4b97832857fbf0156ae82e4f516fcf8

SHA512
580bc63ec3e6993099deae7e103f8565b42cce3288d78186f9dabea3d8e5c2e6816e1b20439fafd5b94ff24cbaa3eba1154cb995692b3674d5c5c63b6c1dfc13

Download Submit
memory/2888-144-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/2888-145-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/4828-133-0x0000000000C70000-0x0000000000C82000-memory.dmp

Filesize
72KB

Download
memory/4828-134-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/4828-135-0x0000000005730000-0x00000000057CC000-memory.dmp

Filesize
624KB

Download