General

  • Target

    Comprobante De Transacción No. [4148748414571lI8CJ].R01

  • Size

    170KB

  • Sample

    230518-jdjgssha6y

  • MD5

    ff9025379b2d1481201fa0ff0367d22d

  • SHA1

    6a07ead7a1cb5e2fe57c3fd67c70998124538b0e

  • SHA256

    d84563e03b6f68892d1a9bf1a1c1fd6d9fd6a390155afe4e46ce5d3d198a64b2

  • SHA512

    307ed8e2909e68ee0eeee5e0edafd4948c216d4f6531039a23b875220e49fd3149f636ed63f71cdad77203c29f8ccd707ae693e3dc13cd7b1245520df8f2b870

  • SSDEEP

    3072:LRVUXZEv9F1TzgOCkDWUBR1UYKKuSQi0oNcSyJ4MA/UfacTaDDsvPvVoH:LRVaqHnbDvRUG9D0oNclJVnflAGw

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    https://drive.google.com/uc?export=download&id=1yzIedgOlbPjUc006zFjrkRkJWDbchF0u

Extracted

  • Family

    asyncrat

  • Version

    1.0.7

  • Botnet

    Default

  • C2

    zerocool888.duckdns.org:8848

    zerocool888.duckdns.org:8898

  • Mutex

    DcRatMutex_imlegion

  • Attributes

    • delay

      1

    • install

      false

    • install_folder

      %AppData%

  • aes.plain

Extracted

  • Family

    xworm

  • C2

    nov231122.con-ip.com:7577

  • Mutex

    CVFVIVecoFLcHeYc

  • Attributes

    • install_file

      USB.exe

  • aes.plain

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    https://drive.google.com/uc?export=download&id=1asadt-_J4plFQAm45thWvxf-CIwZovLN

Targets

    • Target

      Comprobante De La transacción No. [4148748414571lI8CJ] realizada el día Miércoles 17 de mayo del 2023 ha sido exitosa..exe

    • Size

      481KB

    • MD5

      eda3cee701fa882bd737df5e0ac4e558

    • SHA1

      6c21aaaf9902a39e3e18236a32331593d15f96b5

    • SHA256

      adc7909c67b4a85f430bd526a93228512bcd61340b4a06540071469ddc3b1d2c

    • SHA512

      af61ebd8ef89900b5518fd06dc2d2c42b6ddbaa590fa11cd33f1ba67b62f07808bcec67f74285e0f49dfe4fc06ba3ab04b88bf875e5d97035d48c416db67072d

    • SSDEEP

      6144:VaoDpZkndJsStA+tgRFsTpb9GX/F0mZNFEtQkODi3RURDVCLwvGUvpohAZ:VH1CoStpt+sTd94t0m4QZD00DVCsuQo

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Async RAT payload

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Hidden Files and Directories (T1158): 1

Defense Evasion

  • Modify Registry (T1112): 1

  • Hidden Files and Directories (T1158): 1

Command and Control

  • Web Service (T1102): 1

Tasks