asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

async.rar
Size

9.0MB
Sample

240316-d6nz4ach39
MD5

d5b1c0b6217a8fbd771cfbbfbdc3de54
SHA1

1d7bf7c1b7c45223e594a01a484a9d6fff7e8ab2
SHA256

f0e5b0472df1921c5b9c32c0dc4c1a3a2cc15084b72df00fe2710f63221ee224
SHA512

864fc486941aece16b7ea2ba960bb396d1bc34a9b1ae33e0fe15f2b659027f39d85035118c8db2c202e809bffac966e3322996c4590d57c7487a93f0a14c8a56
SSDEEP

196608:Zgh+EnedA/Cpz1jVzHUEKGOpg5mAzdwlt/AcV9iz46mlvrISa4oRtqRbnypOh5Mj:Khvedj7VjUvA5rSkzym4csyp3JbZ3Nqk

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

3.1

jdokds.duckdns.org:8895

Mutex

fR94ukDUyBXXff7e

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

Version

5.0

vbdsg.duckdns.org:8896

Mutex

GgQUWuMVOC7DAikW

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

wshrat

http://wwsh427.duckdns.org:8904

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

kdfsv.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Windows_Update.exe.bin
- Size
  
  4KB
- MD5
  
  bd3bbcaee0b7bc7c921c1a03208ca06c
- SHA1
  
  370e09b4d3d49ae5fe823a6d8564d4c7cae7739f
- SHA256
  
  2efc5656cad13311546d579015767a93ec278fae32c6627a0600db6e526eef1a
- SHA512
  
  6ea1f4acaeaa61d9dec38a57f7b9073b0cc758f948b0e2cd9f4a32cfa387f056de18b46c1350d02435d95d199326a3f88eab8c32e6bd4ad4274389d2342b3169
- SSDEEP
  
  48:41qylQEQFz2kx43rox2XAcrlxX9Nr4exUo0u4UxyiUG4RHgyfxXvSxUs3xyCgxRa:4Fv9pm5p/RHFzy5c7N9s
Score

1^/10
behavioral1 behavioral2
- Target
  
  file.ps1
- Size
  
  14.0MB
- MD5
  
  be7dbf0172202adcaee8489de2889694
- SHA1
  
  b496d5f31f7c209626f67113474152a831db934b
- SHA256
  
  7d9595ade2d2e457e347da1985f5888513e1bfb6088b00157007d4eb1283775c
- SHA512
  
  ddf33dbd637206531e83bf61db26064cda83075980d92c30257b3f317dd867a6f8a9a6cd113b5b88b25f55fdff3f2a28516bef8f7cb4d8e6bc22e94592e96b7a
- SSDEEP
  
  24576:rOioT5KFJkwSBX8iKSon6Tm17dUubLf5dy3Y3J3NVr+Jm0ntoVU0v+WMWKWoGfaB:3qd+GXFcf7c5XHCjTTp+Ud9H9NH
Score

1^/10
behavioral3 behavioral4
- Target
  
  fresh.exe
- Size
  
  345.0MB
- MD5
  
  33f67337db523a8a1610dc39702e6a9e
- SHA1
  
  67783aaeb5499cd450094c5f1d20c15a4017e903
- SHA256
  
  9f0c26a9ee59081531ac9c4d5cca894cf9933e4fdbb6cc9cb9db4a614c79bb91
- SHA512
  
  da148c37f5631dc94ef545cdccf95f7c8aa59cd5d49666982333082c05ebf9a1cc27c4f64dd117408fe1b49a65a588fdc034ffa8cba187f461cc372c5c8e0602
- SSDEEP
  
  1536:fJZhM+Qw6/iPxFPP3t/zzdnr8EI5jayp3z3hXdmd30RrSkbiKyhz5u36UU5eX9Mk:++SrvbvyZg6UU529cI1VoheH
Score

10^/10

wshrat xworm persistence rat trojan
- Detect Xworm Payload
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  loader.ps1
- Size
  
  14.0MB
- MD5
  
  fe51ec3ec4510262ca50af133b5cef93
- SHA1
  
  aba6d26dcfb1fa6c991b2486fc7cda8165b61551
- SHA256
  
  1877e4bab37f755a1c74d6e03319da7b42b07a45be4da1205609d4e47aa16e7c
- SHA512
  
  149ee9151f9d94c4fa9308de3b81b3f0a13fa2991c1bbf74e48b85f695d2ef3ef7ba1f39f91ef2619c40f6d0a0dc8f25d5452c538084e26d6301ec9273d15b96
- SSDEEP
  
  49152:5v8ClP0QiEwg/C5r6iNlqaZg21NY/TQX5I:
Score

10^/10

asyncrat venom clients rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Async RAT payload
  rat
behavioral7 behavioral8
- Target
  
  payload.ps1
- Size
  
  14.0MB
- MD5
  
  aa2fcbb3e1b8c195777d2a9c5af28af1
- SHA1
  
  057f1e81fa914277ecd8d0eea7e569e399b15c6a
- SHA256
  
  52105d8dcacb31d69a4a64d1a24ccd82662f314b7917d7daf05fe4eafe7723e4
- SHA512
  
  a6e5f81abdb6ef691d7d36651b8c1e4a357e7dc8cca3650c8fbbb7024094194cfb1844aae5d6e147bafc7d918277e56dcdd14cf8b1e185f4c4ada4fe5388084a
- SSDEEP
  
  24576:r2lhbBXrpmxiycVY6wBrBZTtgf3DqmTx1eSX2e+h8BC2mstEM92DF/iHCeoiz+6l:ejT0H4LvIpkM4aG2bZ
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Drops file in System32 directory
behavioral10 behavioral9
- Target
  
  update.cmd
- Size
  
  5KB
- MD5
  
  18cd0ca1ca49fbb1f87857bdd82057f2
- SHA1
  
  925a0f183e623acbd6edd29cfa355bab1da1ad57
- SHA256
  
  cadf38d790d8fb66778274645df233a375a764a10058e68e585195211da00c32
- SHA512
  
  41993d6911e8595e3a5e2bb68ca68ad0ed351d889cd98112c2d7d232198e7ce2ed376ef64cb0bdfa1a08363b882108c04324f482e1d3df33ef71517d7df51f2d
- SSDEEP
  
  96:/zJl/WkutluEbuEI2JjLVg1mvR9N5tMzPfIJ3lZjMQ1utJpMFbg2MYhbUQiVP89o:rO1Y8C4R9NTMr69uKhQYu8La
Score

10^/10

guloader wshrat xworm downloader rat trojan
- Detect Xworm Payload
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  update.vbs
- Size
  
  35KB
- MD5
  
  dae93d3eddca85b787392d52c5a6fc75
- SHA1
  
  0910dde04380ab5a7331476b27a33789aac76524
- SHA256
  
  96f6c7e573af91ae336eddf40d48ded90ff4df69e510791b715f6941fd795b8b
- SHA512
  
  3d6a4e360710247a9c9a16bbc450984341426eff7b51f433ce640f4be32ef893eaf093316124b675e73a2840523314c0f7e7aed8725867e3b1d80f54c73d4aa0
- SSDEEP
  
  192:96EQ6mlKX/DZp2ZSh0RuzX+yvpKkKWKQ5DcYUvhAqkw4KBK428rKp9KZKySB3Kj7:24/XrvkBD0kJdc4fWpw0fB4
Score

10^/10

persistence xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  windows.cmd
- Size
  
  66KB
- MD5
  
  3a56f31eda19041d7ea9aeab089847eb
- SHA1
  
  1ca9985ab27390bdd710c5f6d09af344b69ed56b
- SHA256
  
  562cc7b2b867668ff252095a3bb3dc0641428fddd6ea23cfca475541fc10cbf9
- SHA512
  
  1c633d473ed3ac06acfb06f012e5c7e0dc8402b8bba9680a4b97fe5282a5f8614331b2bed6132fa4d583f67022aa5ef0a7b96774cda94861c396be2250d149ca
- SSDEEP
  
  1536:gElMViXyqGaO24iKbBG6IV3VvhRvRt/rCwIK4GfFjR:gn71aO24FdG6INVvhRptTCSNFjR
Score

10^/10

asyncrat venom clients rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
- Blocklisted process makes network request
behavioral15 behavioral16
- Target
  
  windows.vbs
- Size
  
  7KB
- MD5
  
  69702b8327399b8d3760db7e510e622e
- SHA1
  
  55c83e0de9bcd2ccc8b11385f16b6d24342a6089
- SHA256
  
  4013aa47bf4a230774f2ee75c75820f36d0b5acc737458fe8574420a0828b10f
- SHA512
  
  58825fe255aa671611967cb3af9f12e3eae2700307b8dc254510445e182b898bac2aa190b7146a3a44ad8b82ccd54b93e0ca2d79d0cc1079e3f1ab604eb81cb6
- SSDEEP
  
  192:ODRgXEa7LYGh+9aQPaEXvJe6MSKKWiOWWfpWqm:gRgXEN5vyEXvJebJlm
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral17 behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Detect Xworm Payload

WSHRAT

Xworm

Checks computer location settings

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtCreateUserProcessOtherParentProcess

Async RAT payload

Detect Xworm Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

Drops file in System32 directory

Detect Xworm Payload

Guloader,Cloudeye

WSHRAT

Xworm

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Detect Xworm Payload

Xworm

Blocklisted process makes network request

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

AsyncRat

Async RAT payload

Blocklisted process makes network request

Checks computer location settings

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18