General

  • Target

    async.rar

  • Size

    9.0MB

  • Sample

    240316-d6nz4ach39

  • MD5

    d5b1c0b6217a8fbd771cfbbfbdc3de54

  • SHA1

    1d7bf7c1b7c45223e594a01a484a9d6fff7e8ab2

  • SHA256

    f0e5b0472df1921c5b9c32c0dc4c1a3a2cc15084b72df00fe2710f63221ee224

  • SHA512

    864fc486941aece16b7ea2ba960bb396d1bc34a9b1ae33e0fe15f2b659027f39d85035118c8db2c202e809bffac966e3322996c4590d57c7487a93f0a14c8a56

  • SSDEEP

    196608:Zgh+EnedA/Cpz1jVzHUEKGOpg5mAzdwlt/AcV9iz46mlvrISa4oRtqRbnypOh5Mj:Khvedj7VjUvA5rSkzym4csyp3JbZ3Nqk

Malware Config

Extracted

Family

xworm

Version

3.1

C2

jdokds.duckdns.org:8895

Mutex

fR94ukDUyBXXff7e

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

xworm

Version

5.0

C2

vbdsg.duckdns.org:8896

Mutex

GgQUWuMVOC7DAikW

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

wshrat

C2

http://wwsh427.duckdns.org:8904

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

kdfsv.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Windows_Update.exe.bin

    • Size

      4KB

    • MD5

      bd3bbcaee0b7bc7c921c1a03208ca06c

    • SHA1

      370e09b4d3d49ae5fe823a6d8564d4c7cae7739f

    • SHA256

      2efc5656cad13311546d579015767a93ec278fae32c6627a0600db6e526eef1a

    • SHA512

      6ea1f4acaeaa61d9dec38a57f7b9073b0cc758f948b0e2cd9f4a32cfa387f056de18b46c1350d02435d95d199326a3f88eab8c32e6bd4ad4274389d2342b3169

    • SSDEEP

      48:41qylQEQFz2kx43rox2XAcrlxX9Nr4exUo0u4UxyiUG4RHgyfxXvSxUs3xyCgxRa:4Fv9pm5p/RHFzy5c7N9s

    • Score

      1/10

    • Target

      file.ps1

    • Size

      14.0MB

    • MD5

      be7dbf0172202adcaee8489de2889694

    • SHA1

      b496d5f31f7c209626f67113474152a831db934b

    • SHA256

      7d9595ade2d2e457e347da1985f5888513e1bfb6088b00157007d4eb1283775c

    • SHA512

      ddf33dbd637206531e83bf61db26064cda83075980d92c30257b3f317dd867a6f8a9a6cd113b5b88b25f55fdff3f2a28516bef8f7cb4d8e6bc22e94592e96b7a

    • SSDEEP

      24576:rOioT5KFJkwSBX8iKSon6Tm17dUubLf5dy3Y3J3NVr+Jm0ntoVU0v+WMWKWoGfaB:3qd+GXFcf7c5XHCjTTp+Ud9H9NH

    • Score

      1/10

    • Target

      fresh.exe

    • Size

      345.0MB

    • MD5

      33f67337db523a8a1610dc39702e6a9e

    • SHA1

      67783aaeb5499cd450094c5f1d20c15a4017e903

    • SHA256

      9f0c26a9ee59081531ac9c4d5cca894cf9933e4fdbb6cc9cb9db4a614c79bb91

    • SHA512

      da148c37f5631dc94ef545cdccf95f7c8aa59cd5d49666982333082c05ebf9a1cc27c4f64dd117408fe1b49a65a588fdc034ffa8cba187f461cc372c5c8e0602

    • SSDEEP

      1536:fJZhM+Qw6/iPxFPP3t/zzdnr8EI5jayp3z3hXdmd30RrSkbiKyhz5u36UU5eX9Mk:++SrvbvyZg6UU529cI1VoheH

    • Detect Xworm Payload

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      loader.ps1

    • Size

      14.0MB

    • MD5

      fe51ec3ec4510262ca50af133b5cef93

    • SHA1

      aba6d26dcfb1fa6c991b2486fc7cda8165b61551

    • SHA256

      1877e4bab37f755a1c74d6e03319da7b42b07a45be4da1205609d4e47aa16e7c

    • SHA512

      149ee9151f9d94c4fa9308de3b81b3f0a13fa2991c1bbf74e48b85f695d2ef3ef7ba1f39f91ef2619c40f6d0a0dc8f25d5452c538084e26d6301ec9273d15b96

    • SSDEEP

      49152:5v8ClP0QiEwg/C5r6iNlqaZg21NY/TQX5I:

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Async RAT payload

    • Target

      payload.ps1

    • Size

      14.0MB

    • MD5

      aa2fcbb3e1b8c195777d2a9c5af28af1

    • SHA1

      057f1e81fa914277ecd8d0eea7e569e399b15c6a

    • SHA256

      52105d8dcacb31d69a4a64d1a24ccd82662f314b7917d7daf05fe4eafe7723e4

    • SHA512

      a6e5f81abdb6ef691d7d36651b8c1e4a357e7dc8cca3650c8fbbb7024094194cfb1844aae5d6e147bafc7d918277e56dcdd14cf8b1e185f4c4ada4fe5388084a

    • SSDEEP

      24576:r2lhbBXrpmxiycVY6wBrBZTtgf3DqmTx1eSX2e+h8BC2mstEM92DF/iHCeoiz+6l:ejT0H4LvIpkM4aG2bZ

    • Score

      10/10

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops file in System32 directory

    • Target

      update.cmd

    • Size

      5KB

    • MD5

      18cd0ca1ca49fbb1f87857bdd82057f2

    • SHA1

      925a0f183e623acbd6edd29cfa355bab1da1ad57

    • SHA256

      cadf38d790d8fb66778274645df233a375a764a10058e68e585195211da00c32

    • SHA512

      41993d6911e8595e3a5e2bb68ca68ad0ed351d889cd98112c2d7d232198e7ce2ed376ef64cb0bdfa1a08363b882108c04324f482e1d3df33ef71517d7df51f2d

    • SSDEEP

      96:/zJl/WkutluEbuEI2JjLVg1mvR9N5tMzPfIJ3lZjMQ1utJpMFbg2MYhbUQiVP89o:rO1Y8C4R9NTMr69uKhQYu8La

    • Detect Xworm Payload

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      update.vbs

    • Size

      35KB

    • MD5

      dae93d3eddca85b787392d52c5a6fc75

    • SHA1

      0910dde04380ab5a7331476b27a33789aac76524

    • SHA256

      96f6c7e573af91ae336eddf40d48ded90ff4df69e510791b715f6941fd795b8b

    • SHA512

      3d6a4e360710247a9c9a16bbc450984341426eff7b51f433ce640f4be32ef893eaf093316124b675e73a2840523314c0f7e7aed8725867e3b1d80f54c73d4aa0

    • SSDEEP

      192:96EQ6mlKX/DZp2ZSh0RuzX+yvpKkKWKQ5DcYUvhAqkw4KBK428rKp9KZKySB3Kj7:24/XrvkBD0kJdc4fWpw0fB4

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      windows.cmd

    • Size

      66KB

    • MD5

      3a56f31eda19041d7ea9aeab089847eb

    • SHA1

      1ca9985ab27390bdd710c5f6d09af344b69ed56b

    • SHA256

      562cc7b2b867668ff252095a3bb3dc0641428fddd6ea23cfca475541fc10cbf9

    • SHA512

      1c633d473ed3ac06acfb06f012e5c7e0dc8402b8bba9680a4b97fe5282a5f8614331b2bed6132fa4d583f67022aa5ef0a7b96774cda94861c396be2250d149ca

    • SSDEEP

      1536:gElMViXyqGaO24iKbBG6IV3VvhRvRt/rCwIK4GfFjR:gn71aO24FdG6INVvhRptTCSNFjR

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Async RAT payload

    • Blocklisted process makes network request

    • Target

      windows.vbs

    • Size

      7KB

    • MD5

      69702b8327399b8d3760db7e510e622e

    • SHA1

      55c83e0de9bcd2ccc8b11385f16b6d24342a6089

    • SHA256

      4013aa47bf4a230774f2ee75c75820f36d0b5acc737458fe8574420a0828b10f

    • SHA512

      58825fe255aa671611967cb3af9f12e3eae2700307b8dc254510445e182b898bac2aa190b7146a3a44ad8b82ccd54b93e0ca2d79d0cc1079e3f1ab604eb81cb6

    • SSDEEP

      192:ODRgXEa7LYGh+9aQPaEXvJe6MSKKWiOWWfpWqm:gRgXEN5vyEXvJebJlm

    • Score

      7/10

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  • Scheduled Task/Job: T1053 (1)

Persistence
  • Boot or Logon Autostart Execution: T1547 (2)
  • Registry Run Keys / Startup Folder: T1547.001 (2)
  • Scheduled Task/Job: T1053 (1)

Privilege Escalation
  • Boot or Logon Autostart Execution: T1547 (2)
  • Registry Run Keys / Startup Folder: T1547.001 (2)
  • Scheduled Task/Job: T1053 (1)

Defense Evasion
  • Modify Registry: T1112 (2)

Discovery
  • Query Registry: T1012 (3)
  • System Information Discovery: T1082 (6)

Tasks