asyncrat | 80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21 | Triage

Submit
Reports

Overview

overview

Static

static

3

80c91ecaab...21.exe

windows7-x64

80c91ecaab...21.exe

windows10-2004-x64

Sharing

General

Target

80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21.exe
Size

7.7MB
Sample

231231-qkdcpahgem
MD5

41ab78eba18f74db196c3876f49179a8
SHA1

d0b573aafe0ae84468027929ca77f3013e8edeee
SHA256

80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
SHA512

d37d91027df02cd3cd9799f183ffb21955933b27abd7810593bc33df18ac321c166d5a378ba9f50a34c907a1f3071b5b8370c6329f3d7ec223a240e8992dc68c
SSDEEP

98304:vXYJ3MN/dOFAjqbqLSRlFNjZUlzCCgOU4dcRTzJ1dX/jC7PYxg5N0arG2sD0+9h0:AJcbvq+SrVXCJUs+TzJLLpILrXs

Score

10^/10

asyncrat xworm persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21.exe

Resource

win7-20231215-en

asyncrat xworm persistence rat trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21.exe

Resource

win10v2004-20231215-en

asyncrat xworm persistence rat trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

Attributes

Install_directory
%ProgramData%
install_file
SecurityHealthSystray.exe
telegram
https://api.telegram.org/bot5370417334:AAEZrEauqhTNZInhZ9_-SaapQJIi0hIvjJU

Targets

- Target
  
  80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21.exe
- Size
  
  7.7MB
- MD5
  
  41ab78eba18f74db196c3876f49179a8
- SHA1
  
  d0b573aafe0ae84468027929ca77f3013e8edeee
- SHA256
  
  80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
- SHA512
  
  d37d91027df02cd3cd9799f183ffb21955933b27abd7810593bc33df18ac321c166d5a378ba9f50a34c907a1f3071b5b8370c6329f3d7ec223a240e8992dc68c
- SSDEEP
  
  98304:vXYJ3MN/dOFAjqbqLSRlFNjZUlzCCgOU4dcRTzJ1dX/jC7PYxg5N0arG2sD0+9h0:AJcbvq+SrVXCJUs+TzJLLpILrXs
Score

10^/10

asyncrat xworm persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratxwormpersistencerattrojan

behavioral2

asyncratxwormpersistencerattrojan

© 2018-2025

Terms | Privacy