asyncrat

General

Target

87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe
Size

167KB
Sample

240418-b1m5hafd84
MD5

d0685487fa7e474e68a40a1b1ff49b60
SHA1

069285708e07814d852bbd5f39a7ffbb3c9e2d94
SHA256

87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6
SHA512

eda00ba1453a33024fc05316196ccd71981ba61ababb965d1c3f01251f377047b00d8b6a9b140acf335cfa9d478bb3b6dbc4aca37fe74cfecb929e965ed190a8
SSDEEP

1536:216oQ/DtPFVzE95jNNKCw5VY9bG1wWQkAw6JOXHWIOGoWIFjo7xLFVGy9w04xJXX:ouxFG9Rw3Y9bGVAfOXWxrjCT4

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

dentiste.ddns.net:7000

86.68.222.14:7000

51.254.53.24:7000

Attributes

Install_directory
%AppData%
install_file
Mise à jour carte CPS.exe
telegram
https://api.telegram.org/bot5720516014:AAF4KOAv3GXHFU0RS3g4HPsucKDwQf01__A

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xcu.exgaming.click

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xcu5.exgaming.click

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

hoyqzolrquxmbnzaee

Attributes

delay
1
install
true
install_file
system.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/ckrnc4Uk

aes.plain

Targets

- Target
  
  87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe
- Size
  
  167KB
- MD5
  
  d0685487fa7e474e68a40a1b1ff49b60
- SHA1
  
  069285708e07814d852bbd5f39a7ffbb3c9e2d94
- SHA256
  
  87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6
- SHA512
  
  eda00ba1453a33024fc05316196ccd71981ba61ababb965d1c3f01251f377047b00d8b6a9b140acf335cfa9d478bb3b6dbc4aca37fe74cfecb929e965ed190a8
- SSDEEP
  
  1536:216oQ/DtPFVzE95jNNKCw5VY9bG1wWQkAw6JOXHWIOGoWIFjo7xLFVGy9w04xJXX:ouxFG9Rw3Y9bGVAfOXWxrjCT4
Score

10^/10

xworm persistence rat trojan asyncrat stormkitty default spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Detects Windows executables referencing non-Windows User-Agents
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables attemping to enumerate video devices using WMI
- Detects executables containing artifacts associated with disabling Widnows Defender
- Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing credit card regular expressions
- Detects executables using Telegram Chat Bot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2