asyncrat | 31890493973af1dbe3ecd33a59536cc24fa753ccb603372e17a05eafa5378746 | Triage

Sharing

General

Target

D3STR0YCOMPUT3RS.bat
Size

26KB
Sample

231216-fdkhbaadgp
MD5

18aa3a29ea6572754fbf785a2eb03ed6
SHA1

69ee89c62e3fce0ae58e5803e283b511b41e8d81
SHA256

31890493973af1dbe3ecd33a59536cc24fa753ccb603372e17a05eafa5378746
SHA512

f2d1cf6512807e7868a48ea0c94eda7c6e75c8f5bad03e2a3313c39c83230b5116a78c803979ad051539c4dbcbf9aaf5c430f3d2259eca714d63e626ab4414a9
SSDEEP

384:89OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9Oh:3

Score

10^/10

asyncrat toxiceye xworm def discovery evasion execution macos rat trojan

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

def

C2

37.18.62.18:8060

Mutex

era2312swe12-1213rsgdkms23

Attributes

delay
1
install
true
install_file
CCXProcess.exe
install_folder
%Temp%

aes.plain

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot5687152406:AAFin_LYFhJGLydMgYheeUDec-2orew51aM/sendMessage?chat_id=2024893777

https://api.telegram.org/bot5536756167:AAFMcQrFbMZMBynbrtZUudaOT9ndCJXIqT4/sendMessage?chat_id=2024893777

Extracted

Family

xworm

Version

3.1

Attributes

Install_directory
%Port%

aes.plain

Targets

- Target
  
  D3STR0YCOMPUT3RS.bat
- Size
  
  26KB
- MD5
  
  18aa3a29ea6572754fbf785a2eb03ed6
- SHA1
  
  69ee89c62e3fce0ae58e5803e283b511b41e8d81
- SHA256
  
  31890493973af1dbe3ecd33a59536cc24fa753ccb603372e17a05eafa5378746
- SHA512
  
  f2d1cf6512807e7868a48ea0c94eda7c6e75c8f5bad03e2a3313c39c83230b5116a78c803979ad051539c4dbcbf9aaf5c430f3d2259eca714d63e626ab4414a9
- SSDEEP
  
  384:89OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9OhQ9Oh:3
Score

10^/10

asyncrat toxiceye xworm def rat trojan discovery evasion execution
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- ToxicEye
  ToxicEye is a trojan written in C#.
  rat trojan toxiceye
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Drops startup file
- Executes dropped EXE
- Queries the macOS version information.
  discovery
- file permission
  evasion
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Unix Shell

Scheduled Task/Job

System Services

Launchctl

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

Linux and Mac File and Directory Permissions Modification

Credential Access

Discovery

File and Directory Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

asyncrattoxiceyexwormdefrattrojan

behavioral2

discoveryevasionexecution