General

  • Target

    791696c6bca812e4b443238fe3f9d336.bin

  • Size

    3.4MB

  • Sample

    240112-dp1mkaedh6

  • MD5

    791696c6bca812e4b443238fe3f9d336

  • SHA1

    51e1eee80ddc458e38d8a8bace02f27ba49206bd

  • SHA256

    3f04d3267f818beec7a5f29a7780282bdf862a71669230b796b77700a494b55d

  • SHA512

    59ae4f46f85377333da911da93ed22ac28e5ec6b61bbf5b57ad2238290494fbf38b7c16ab994bd1cb69d0d3a48c0cc045dad40b377fc947b8d504bc95326ddfc

  • SSDEEP

    98304:zZo6YOMbyKDMs7Lv0Wu0usBtdfx7HofyhQIM37ME:VobFeKDBvvL9Jy379

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    5.182.87.154:7000

  • aes.plain

Extracted

  • Family

    asyncrat

  • Version

    Venom RAT + HVNC + Stealer + Grabber v6.0.2

  • Botnet

    Default

  • C2

    5.182.87.154:4449

  • Mutex

    jiqsvporltpvroy

  • Attributes
    • delay

      1

    • install

      false

    • install_folder

      %AppData%

  • aes.plain

Targets

    • Target

      163.5.169.28/SCAN-atoletter2.hta

    • Size

      1.1MB

    • MD5

      0e02311efc79d0580a3ae453f00cce83

    • SHA1

      77721025336c37d0df3349badaa71e6610c6d429

    • SHA256

      01e20536cc9847e7411bbb0e4d7381774f0e5e4cc86bfd6fdf0e12229d1d2786

    • SHA512

      312589562ec740619629402876f4c077b56e0f3985686a6747c8c1d277f1bb56b41c21ef4fa1054178105a584692d3f6fc09af76e5edf4c6773826836c4b7bae

    • SSDEEP

      1536:y4pLmOmQ7Mf99jXfqe+Wjyosy3vmr/l1vcmafSIm+lIWFR3QXdpkJJ0sVaVMHfFP:y4pLZmQ7CJXReoz3zH

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      163.5.169.28/SCAN-atoletter2.pdf

    • Size

      168KB

    • MD5

      94667972ade0e377d8edd7f16730a0db

    • SHA1

      7e097e209bfcef8f11ff319fc5d2953fa436875b

    • SHA256

      3d29d9e8dd685c045d594a530a29c873b9d6c1957e9616675a0087746d592fa9

    • SHA512

      83fbf17fcf72f023f71a68583acdfcd65eeb8702c09f90d10af6e284eb400ce49802a3d26492e6cddc2406aadfdc1f6d14f01c7fc6498b6d2b836f60c81d3d67

    • SSDEEP

      3072:9pAXRLFm5rv1Wqu9r1RRbgz/hdcJ0XWLtSvi6dzRov5dMWv4yqF:+RLF8Bux5grI9c6DTMPyi

    • Score

      1/10

    • Target

      163.5.169.28/SCAN-atoletter3.hta

    • Size

      1.1MB

    • MD5

      65a82ba108814502f8de8f9c918c1637

    • SHA1

      81bb281aff6d485787f79558b2433a529af5d53b

    • SHA256

      dceca8e7f6baca5bd3417c0e05a1e9e934a0c72fe36c79fd3aca451ea2168d76

    • SHA512

      477a94c061e96c5b8cdc256e746eb9dbd57339c93bcbd90bb66e2b6d21a7ff9e35b3b0ac7eac7a4c2b308306b06178060c38bce1470f5d94af32d07a97ce2621

    • SSDEEP

      1536:MUQr+podgEt/pvBYwPBONWBImr/l1vcmafSIm+lIWFWY7Cy5h7OIxeZeDG52VP+q:ArooW8vhXBHuV

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      163.5.169.28/SCAN-atoletter3.pdf

    • Size

      169KB

    • MD5

      bcb62044282191bb5294c1435de71a18

    • SHA1

      69eaa574d9b0118424c7b204724351811aa0c015

    • SHA256

      354993c4965d7445b37c6b256f4c1c5c2086c0b1ec5736b9f179bcd6387a194f

    • SHA512

      d2737e5418b4bf0ec7ad736cb4707516e702667f57da1ead88cd0f012f188b087fca8520bb1fb9881356bc920027b177349905a2150784bbf79d039eb3c0e6ad

    • SSDEEP

      3072:AvVr51Wqu9r1RRVgz/hdcJ0XWLtSsi6dzRov5dMWP4y0LUy:8BuxHgrI9cLDTMPyo3

    • Score

      1/10

    • Target

      163.5.169.28/SCAN-atoletter4.hta

    • Size

      1.1MB

    • MD5

      4bde59d84e71c0ff88901e353dbe3eec

    • SHA1

      3000483b2add41716148b8e11fa283f6db6a9cf1

    • SHA256

      992820187d1f871cb816dfb5839c0a71dfde38626d6947b4d912d04cf585454d

    • SHA512

      38a11e2bbba9b26f5651d09f072109cb1b77717c53322a47147e1560016d409c528639be48f2044f038a6b24bad5cf0df200a83ca80c5a27d49fe5b91ecbb0b4

    • SSDEEP

      1536:sSdyqS4pxRNGWLPcX/WhEdbVhtmr/l1vcmafSIm+lIWFXvD+v/j53mD0QMYPhgg9:ldHzpxdPcPWhqxki

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      163.5.169.28/SCAN-atoletter4.pdf

    • Size

      170KB

    • MD5

      6959cdb24cc37e1a25fcf1b9aed58fcc

    • SHA1

      0659f4eb013280e21a057fa1c3843d4c0043ff90

    • SHA256

      753a2e33fc19c1436650f392c23429728a97f4c941bd5493bc227ab04f6f231d

    • SHA512

      b56f3c8584d30edcad363d1dc283c8b9edc0d13b4eb68755940f5400a6ea050a27677a1b744a0af1e7bf9ea8ff3af75a9991c20c153dbae0e64eafb3a863886d

    • SSDEEP

      3072:ccAr61Wqu9r1RRrgz/hdcJ0XWLtSCi6dzRov5dMWm4yyLUQ:TBuxBgrI9cJDTMEyK9

    • Score

      1/10

    • Target

      163.5.169.28/SCAN-atoletter5.hta

    • Size

      1.1MB

    • MD5

      415d6911c9a6e92b5d3f050668592357

    • SHA1

      3f5ddfb1475a25201e443c61e31382100e8ddbae

    • SHA256

      87b6bcaa19c9631310bb28100e1ed2c9f2b982fa5aaef48186da150d8d1c4ac3

    • SHA512

      6b322e26c4724efa648713c665d6eddc4f2191d9f3a7764076ae8fc8d5f13fd2301238e7aade65b49db71b0ecadd9333af42cfa7e98ae54b554a99eafc45a055

    • SSDEEP

      1536:zA8mj3XPCeaTTQT7L/1rTrZwsvCPA68WStimr/l1vcmafSIm+lIWFiWCK4vLwwlY:zA8mrfFITQTH/1rTrZ/CPArtQ

    • Score

      8/10

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      163.5.169.28/SCAN-atoletter5.pdf

    • Size

      169KB

    • MD5

      c5de2a211a2580c04d1b5349651d3e4a

    • SHA1

      81a25e710c7dc63b10220dbdf39dc48ff11da5f3

    • SHA256

      57b4117e2cf9ab76ed554c2bbf192b9868b94202ad5aaff05a593cf3d4630f85

    • SHA512

      ad3fead8c0e7820e008bdd9f90b443a20eab0dde9d51a1035e8b40f070d7e381e641a8ae00911bc8c0a4a8e341a9a73e3ee133b78abddbbb442f00ce28efd51d

    • SSDEEP

      3072:NPAr51Wqu9r1RRVgz/hdcJ0XWLtSsi6dzRov5dMWP4y0LUD:UBuxHgrI9cLDTMPyoC

    • Score

      1/10

    • Target

      163.5.169.28/ato_letter2.hta

    • Size

      1.1MB

    • MD5

      54ff1471d93aa84c94efd8cbae4c6c78

    • SHA1

      11c7d8cd8e02b27aee846c353c32b114a7daa3bf

    • SHA256

      e1869d3a88c9190cf43014e3cb48562fc220ff7f6d5baed77c7dfa1c84c5d530

    • SHA512

      5eed6c7f0ffc27e96349fa8fc7c959e87ff35561da2b811f2e59c0fa0bd42f53debd4079da4c1df133b8211c38ef48f03b3f8b5471370bcf6ed79d240fdde804

    • SSDEEP

      1536:SwxapK31kELNEZ1fos0mr/l1vcmafSIm+lIWFR9UU5gou0gQixFaVEYkEOvMXu+f:SOapK31RBEDws7g

    • Score

      10/10

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    • Target

      163.5.169.28/atoletter.hta

    • Size

      1.1MB

    • MD5

      47b67f1ef2ff1967fd6eee7f2eee2a79

    • SHA1

      e53cecf356df43405a19daf75ff5dcfd8b44f2ce

    • SHA256

      6c4beabd874f9b38209eb0cc585fc19407edc997ffb0bf0897c34bf4552f5194

    • SHA512

      d9586f412e0a9cecc5909cde9391def8c338ca086ba506366076816f6a4ce8309176e884a133bc11bec731bf1d9bf3b027e42ef6a49b545b000ffee60c6d42b9

    • SSDEEP

      1536:jxr5/6p/OpbQEcQIKdquZcod/zA4l2ZFmr/l1vcmafSIm+lIWFeQnoxLPCQwkcUC:jxV6JsMEcQIQZcod/c4K

    • Score

      8/10

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      163.5.169.28/atoletter2.hta

    • Size

      1.1MB

    • MD5

      3aa22e06354205638a0560dfd95ba73d

    • SHA1

      bd77bf64a070a8f233197e2db3cdef0879cc446d

    • SHA256

      8867f18c416e402fa6c470e2fa207e2ff1809b69a450356bd8a8c854edea4dd5

    • SHA512

      ce75e12481f9840666fc783bed155779d75845e0b81f5679dd5ea801ad359527b389b611ca11eda321fb28d77dc10089ebf073c41aa00e51b921ea0cc1c28b8b

    • SSDEEP

      1536:qb0rlgqoroRgFUnAFzUbVlt9Ci5namr/l1vcmafSIm+lIWFjBoOuqpd2eWSFU4ww:qb0rlmrkgFUnAFgbVLFnG

    • Score

      8/10

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      163.5.169.28/cmd.exe

    • Size

      283KB

    • MD5

      8a2122e8162dbef04694b9c3e0b6cdee

    • SHA1

      f1efb0fddc156e4c61c5f78a54700e4e7984d55d

    • SHA256

      b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

    • SHA512

      99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

    • SSDEEP

      6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT

    • Score

      1/10

    • Target

      163.5.169.28/cmt.exe

    • Size

      8KB

    • MD5

      dc0d40579447b035d980cf0b8cd7667c

    • SHA1

      c907f983cb27d5caec6c941e0712afcc973487d0

    • SHA256

      36ed94fb9f8ef3f5cbf8494ff6400d0be353ae7c223ed209bd85d466d1ba1ff7

    • SHA512

      ed37522b52b617877b5e5f7023a0138baf396c0b33393d6155dbb6bfa4b3347b737e5493cbde634fa1937d0094a7b9b543929e6f32b35331a8c6dc838f38d51b

    • SSDEEP

      96:5g48vbNEbfZlmg9fVFBHDqPkNR0bejUoKKeyDvYKx4YG4qyZQFq+zNt:5ghJufi6tXy20Kj2KeyDQKqYXqMQMY

    • Score

      1/10

    • Target

      163.5.169.28/fd1.exe

    • Size

      649KB

    • MD5

      b9a42052c81229de87b90370c7e8ef56

    • SHA1

      8253ef8fe65f68ea7e0cc11bcdc06ec91c8d3290

    • SHA256

      2799308c4b285f662d2954b3d9900951d74ae0cdde04b80ff865221817103f3b

    • SHA512

      0e6a1b3d66c2401f8b8d5f8b2cae7d4912fa73565faf4c21686caa63a0d81eda952d6070edb57e7577c15c896caff3e52a6671713cfaa13ed21bab7accb86755

    • SSDEEP

      12288:tOSF/ZdMP5WlYj6Fs/HI6C96D7cyTZ33a33S333333dkS9Jy9:tLrMPkDFB6+2NkeO

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      163.5.169.28/letter.hta

    • Size

      1.1MB

    • MD5

      7b2d71fbdd38daada881a1d5ba51bd79

    • SHA1

      4474d227759d362ae773e014aa7ff22541b69755

    • SHA256

      b41307cd7ec0456833713dc7075ada7d8884ca133c775c9ba8cbd464dc0c8f25

    • SHA512

      695d0ff4f9ce2cff8715e4cab13d713969bfc8e8adf563dda785c70be0ada0f7a5ff954eee238386ece74ad6eaf6110be7dc7e5aadaa4fc1bcc49e7bf061fa33

    • SSDEEP

      1536:If45HlQf84PEGMdETRrGXQmr/l1vcmafSIm+lIWFawmozsSQ8sBoCQnX2GgeGZ/F:IfQHlQNPfMdETJMMu

    • Score

      8/10

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      163.5.169.28/letter2.hta

    • Size

      1.1MB

    • MD5

      13c9e9f7f8ce9480b18dbc989eb72944

    • SHA1

      56a3d29e9aa6859d2f3c599d1a28c5d85d0ee713

    • SHA256

      cfe2176b15cb6044459b57401e56b5156a38fc03451d07a9d9b189fcc9fa8f2c

    • SHA512

      7389d08afc30a6174486bd2b71039cac41a685df47cb193d5a8d77c1c38464af96ea4ddb39d84f09b05d6941168cc91eb426702adb9647b9863d699215598867

    • SSDEEP

      1536:ZS1OkP/2puCdfNXfYP9TjJlNXsY6JAfny2mr/l1vcmafSIm+lIWFYoze/1oFv0+2:ZS1OkP/+FXfQ9TjJQYsAfnyB

    • Score

      10/10

    • Detect Xworm Payload

    • Detect ZGRat V1

    • Xworm

      Xworm is a remote access trojan written in C#.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks

static1

pdf, link, xworm, zgrat
Score
10/10

behavioral1

Score
3/10

behavioral2

asyncrat, default, persistence, rat
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
3/10

behavioral6

asyncrat, default, persistence, rat
Score
10/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
3/10

behavioral10

asyncrat, default, persistence, rat
Score
10/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
3/10

behavioral14

Score
8/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
3/10

behavioral18

xworm, rat, trojan
Score
10/10

behavioral19

Score
3/10

behavioral20

Score
8/10

behavioral21

Score
3/10

behavioral22

Score
8/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

asyncrat, default, persistence, rat
Score
10/10

behavioral28

asyncrat, default, persistence, rat
Score
10/10

behavioral29

Score
3/10

behavioral30

Score
8/10

behavioral31

Score
3/10

behavioral32

xworm, zgrat, rat, trojan
Score
10/10