asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

19042024_0735_google.zip
Size

33.6MB
Sample

240419-jgm96ach9x
MD5

b8c2264581d1327bb282e3e71914676f
SHA1

d65cf9bbd1cb8d4bb0d736575b4283d4b62f8a91
SHA256

d4f575cced861efb0d1d18469cc0ec6da2df483bfee7e1b22769f1d088e12dc4
SHA512

f5fe961adfd2405f343d5682eee23f5966aab5f7616b01d214af6a2ab628c8b04f0333b027c0676f21e75e94ac26e55225dd4bf8808999d49453e2a27bd53e71
SSDEEP

786432:66ELfONo5NXT4rW7R0jz9RZWxfn07oeUUGetl2DjJKJ9sCBpKRNkBnADW4W2Megu:/ETKo5NDv7Roz9R4fnSiUhTIjkJreRQK

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

kdfsv.duckdns.org:8890

undjsj.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

kdke.duckdns.org:8896

Mutex

QEL4wgqwsRH2WthB

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

Version

3.1

nmds.duckdns.org:8895

jdokds.duckdns.org:8895

Mutex

O3B5rRVaa3oX74CD

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  google/INVOICE-RVSA03HDSVBA.url
- Size
  
  150B
- MD5
  
  d5c34720ad7e0e29bcd724c00ac9491e
- SHA1
  
  8d59449befafa7b638bf364d4467de187282d4e7
- SHA256
  
  dce876e5de5ce757fd8e9a6ee85b194e151c1ace3be07f361356ca5d62251a81
- SHA512
  
  5f79513aa958de3c66f1b137f52321f8f4408fdfa64efc19ef72fedb02d898807b6e2b5689b9fa3edc129e2912e5cdc706abeea42890ce8645fff6ff777efd34
Score

1^/10
behavioral1 behavioral2
- Target
  
  google/INVOICE-RVSA03HDSVBAA.url
- Size
  
  149B
- MD5
  
  a24d9a27e90f312716c1b043563acbe2
- SHA1
  
  469084d448acef98df310716aea90a8cbd7524c6
- SHA256
  
  bb3a6fb019866692164261ca3df1c910831939107cbb14e2ca6c897d164b8a3e
- SHA512
  
  8f97eb3c1dd5515c2b62b26e2e8fec58542ffcd10bc7d63c0d8dfd1557457b9405509f3be582788024dc113bc6ef20a1e421b44b32a1a790be7f31e9f1070f0b
Score

1^/10
behavioral3 behavioral4
- Target
  
  google/dial.lnk
- Size
  
  1KB
- MD5
  
  b42626d610570601118af8b237e3b710
- SHA1
  
  4d56996318e9186c2705395dddb442e54e3b81c7
- SHA256
  
  612272923012bbff2a2ed5d7cb75954213b625b53bc74ad124f53f21b1f56992
- SHA512
  
  17a2d046a8a69b2ef11b249cd0374ba81fa7f2b1db7bcd92b2ea8252f137c02caa8dc0e1d27d8808085ca425da6b83c66f18e0bff9da2e8d31fd45062ba9d77e
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral5 behavioral6
- Target
  
  google/file.bat
- Size
  
  2KB
- MD5
  
  47737b3cdff92450dfff3b683b940b00
- SHA1
  
  1f3e5a8b0481e789b95322ef0a8492c07838259b
- SHA256
  
  76c376c91bdc33f071b1bf4bc299d058d11bad330c1726711f679a5cdbeba7da
- SHA512
  
  e7d14ca6777ac2e770bcd7dd048ace050e2c25d975fddf2bddfccc4c69fa659771b6856db4e913d2059dd6ace66982fcdb5c8dd9034c84bf2514f5e9736903d0
Score

8^/10

persistence
- Modifies Installed Components in the registry
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral7 behavioral8
- Target
  
  google/file.ps1
- Size
  
  13.0MB
- MD5
  
  20788a06a96ae4d92417ace4661d559a
- SHA1
  
  239d40f67c27ae2e70c698237a3b27401ef5d37a
- SHA256
  
  8cc2612a8d44d4aebad26bd6ea254ad25f959497391ccfff127a56fad42eb4d5
- SHA512
  
  c3bcb3bbf117a933738a85590cf98f0fbd7f995c2b5a559850f089111aac87a774c42110da4237f31bd49a9d7ae2751d77eb3f72aac130c81163c13d58383511
- SSDEEP
  
  49152:QZuX/CRIRerx1exkxTf0i0vcfo/wFlAPp5Bl0jNlD33oi:
Score

10^/10

asyncrat venom clients rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Async RAT payload
  rat
behavioral10 behavioral9
- Target
  
  google/file.vbs
- Size
  
  112KB
- MD5
  
  29610513449d2e86092c8ebb5489c714
- SHA1
  
  92e5fa9c0dd723c3fa91342883348364514a297b
- SHA256
  
  6f31464838059f8884d38ebd4569e5fba95562724baa0269213aeb18d000d258
- SHA512
  
  18e3f8680fd21f5db3a527d137109e273727b7531d52dd15c47f3a96fcc80bd9ca1acec33ab9987e687d3d5ced41dc3f1c97db2ba4cf3f50bcad403a2cae9e4a
- SSDEEP
  
  1536:2q7JZCQkx0kU1lBHFcJUJI+YZb5bJ9Gmgz/+rtfRDFqGb5uJZUU0tKl9CP8Z:2q7JZCQAZU1DHFUGmgURDFBe0tKl9CP4
Score

10^/10

persistence xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  google/iz.ps1
- Size
  
  1022B
- MD5
  
  a2c5ac23463aba29658f4857a9dc3c36
- SHA1
  
  051fd9d95aaded97058bfc4f6183bfd92a6e66fc
- SHA256
  
  c1235f0cefde4c3e8ebe26b07159505ca219fcfd7ef2dd75433ebfe424343a2d
- SHA512
  
  66c09ef0c5dc9ed94c9848a5d056ba63249439320569e86408817bcb677265b51ab10b9a4c0f5ac0d56cc09d4859a492741e230e0ffb50f2553e797c604424c2
Score

1^/10
behavioral13 behavioral14
- Target
  
  google/kam.cmd
- Size
  
  63KB
- MD5
  
  8c278ad6dd06fbcd0a767e744b62c785
- SHA1
  
  e30a7793d54f89e1a364e0fbe710686c43a7be88
- SHA256
  
  7be0bbf4d2a43ff457f55453d03b1cd85b7541396f7823ae51003b271fa0b0bc
- SHA512
  
  36721787b046e00e3d183e7d83cdb3263ae151fd080e57e331e0f10667d04fca5412092249920f6566d5d8a640ecb819539103e1606599095be0af7fe9fd18b2
- SSDEEP
  
  1536:r5JAG4vBFdvhBqi69GQys/xQ+sNIh/tQW9odEd/cLl:jSBFthBqiyZQzNFW2Ll
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
behavioral15 behavioral16
- Target
  
  google/las.cmd
- Size
  
  62KB
- MD5
  
  0f4e4a34957f9fe83f27d546b84a45b5
- SHA1
  
  061e7e22532a040216599172d95e4a6c9e182f5c
- SHA256
  
  017776a2a973c92abe751035c0ab51477a70c8f708f6b11f77d26a918f540550
- SHA512
  
  edf085d79f63e92fa4a991d3f0d89d638bac80ed7a625021ffe3bd7a10bbecd123a433e29f213d50e93a39954f23b1ae2c639a8cd7795f186423440514455329
- SSDEEP
  
  1536:BaaKPbwiQ6umEAOHVGb6jxS7C2NxQlZgwJjALiqn/VM8g:BaapiQ6XOHwb6jR2Nx0JjALiqn/VM8g
Score

10^/10

xworm zgrat rat trojan
- Detect Xworm Payload
- Detect ZGRat V1
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Blocklisted process makes network request
behavioral17 behavioral18
- Target
  
  google/pw.ps1
- Size
  
  13.0MB
- MD5
  
  249ff445b626b67825fac1bddfc438fe
- SHA1
  
  04e58edfaf33614dcdbcf8e83f92eca2b54ef0ca
- SHA256
  
  b3b5020cc31affe0bfe606f66f02ca7467a1c9fd403c46ccf8a3b884b8a67443
- SHA512
  
  2e364f28a692fab129d171627b06a0c422074dd56d94348962919ee8793fd35eaa092418c8d3f9a2a54a9d9dc69a72c77b159d5cdcc690e280f78dcb4e4e07b9
- SSDEEP
  
  49152:UZeetsZuLotjcY3pFrWRxAOio2FETy6QpV/:
Score

10^/10

xworm zgrat rat trojan
- Detect Xworm Payload
- Detect ZGRat V1
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
behavioral19 behavioral20
- Target
  
  google/py.ps1
- Size
  
  13.0MB
- MD5
  
  7b39704c31b1737acfe3fd4d5c2b484c
- SHA1
  
  21afe7606b8b55b6f99e7bfb798a1f82a1c1c96a
- SHA256
  
  d8fb42967c3a5ad703a9bfa2ed0a5e037646e9f04e55009220b94a8a8326b564
- SHA512
  
  e47887922094c24e4855c6e3a5d124de817ced17a87e7e7cdd8129e851cc3054e27c958c0c784167b743669dfa2786abd3f8e1524b2c4c2bcb7acde54b1a4357
- SSDEEP
  
  24576:rpyaxmgWghevRgMNxAuL9jZXOPFIsKgSo2cMkTCJeyS/eM8dCXqNb9m6Kx/pOgWW:6mVhTP3+SVb02XpOoxz3pM1xqZzSXX
Score

10^/10

asyncrat venom clients rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Async RAT payload
  rat
behavioral21 behavioral22
- Target
  
  google/quark.ps1
- Size
  
  13.0MB
- MD5
  
  918d10fa6fd003a0bea73d2ba50538e0
- SHA1
  
  a089fbb17927d4a84d25e910b3d0cc7ea12faf1f
- SHA256
  
  4e842547867c928696600f51943bb9611adb9afc4741358fd5a97f28dcabfcf5
- SHA512
  
  a442521361cfdfd43f13250cb2b995a6e20713cf5559b504b2e3bc38ef12106a44f9e2eb279be200d73fa74559eeef7fa884d5dd2d85338dba846483290c1638
- SSDEEP
  
  24576:rWFjASpSiK44861Lh5Z5wt0WxLQ/qA31hC/v18Oa7OPgp6YxuYTj3bfQJ3gFKpLh:SyItZfFNKCIRqiEu54Hvp1jW1o96lj
Score

10^/10

xworm zgrat rat trojan
- Detect Xworm Payload
- Detect ZGRat V1
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
behavioral23 behavioral24
- Target
  
  google/time.ps1
- Size
  
  13.0MB
- MD5
  
  d29cd28669066f49c38744164a8f44f3
- SHA1
  
  928fe3573053822d55a9bfcc7790ce1cbde907f1
- SHA256
  
  d6cc2576c06a2c08834e11734dd4b7aae559ddb335e901a98ec215cec315f489
- SHA512
  
  b66db9fc5d501f0207f01e622a2aa99eca7f2d5e1d0a3eaa2cbab510f39d4cae4fe0a557dc697515e426791bd29125e7811ccaf2ae8a5a8b635f7008eb0522e1
- SSDEEP
  
  49152:cNvbOQjSUP4oM+ymOWEMK0aG59jNA/0v44:
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
behavioral25 behavioral26
- Target
  
  google/update.vbs
- Size
  
  111KB
- MD5
  
  94feecc2b69e9b1557f88b827dc3cbdb
- SHA1
  
  929227dfec9f1525958075ca46611b5cf04173b1
- SHA256
  
  464b5f5018afa78fbbbf600f035c777574acb6d3074bc86cbc18d1a82bc0d22c
- SHA512
  
  82589f8b832fc614062425855d9eef4651a0fbf6bdbec380955ecd1f1ead874b19a338bbdb71631d8dada3ac71a1e4d90e3290705d5f443878ee5b864f499489
- SSDEEP
  
  3072:7DGZL8GCViU1DHFUGmgURDFBe0tKl9CP4:7CZLO
Score

10^/10

persistence asyncrat venom clients rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral27 behavioral28
- Target
  
  google/upload.vbs
- Size
  
  111KB
- MD5
  
  fd209cb2a6b4b2a30bdd555b6bfe07de
- SHA1
  
  4254546335db28c8e01ffa222660e64726d655b4
- SHA256
  
  479619ff2c733e5a890826c88fa2fa827a380275899b0390a59622c1a3bfa53b
- SHA512
  
  e9f2332a6f054c77a68714856057e55a971b59ebf0f987b5b2b26dcd41320fc6c19b844a897f8f8830031d210a6bd0a75bb2981cf91ac3a283ec575c6dd16902
- SSDEEP
  
  1536:+MzRLjSUU1lBHFcJUJI+YZb5bJ9Gmgz/+rtfRDFqGb5uJZUU0tKl9CP8Z:+kLjSUU1DHFUGmgURDFBe0tKl9CP4
Score

10^/10

persistence xworm zgrat rat trojan
- Detect Xworm Payload
- Detect ZGRat V1
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral29 behavioral30
- Target
  
  google/version.bat
- Size
  
  2KB
- MD5
  
  9ae07d6712738911e152d68f131ff92d
- SHA1
  
  dad1b3e80fcf87a39e14577eb8421cf5baccf9f8
- SHA256
  
  7ed6a024ab99ca25ac07d8484d53b8846493f17d8dfdfe941732433de5bac12b
- SHA512
  
  2e603bcd8ec0e5c71ea8e0ad01acca94270c8b756d92af40a8f0d4edd3f5e5e503f4b9a1968105f1d32b39b2be7ad27692fd7feb31e1b308bf285954c7040805
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Checks computer location settings

Modifies Installed Components in the registry

Enumerates connected drives

Suspicious use of NtCreateUserProcessOtherParentProcess

Async RAT payload

Detect Xworm Payload

Xworm

Blocklisted process makes network request

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Xworm Payload

Xworm

Blocklisted process makes network request

Detect Xworm Payload

Detect ZGRat V1

Xworm

ZGRat

Blocklisted process makes network request

Detect Xworm Payload

Detect ZGRat V1

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

ZGRat

AsyncRat

Suspicious use of NtCreateUserProcessOtherParentProcess

Async RAT payload

Detect Xworm Payload

Detect ZGRat V1

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

ZGRat

Detect Xworm Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

AsyncRat

Blocklisted process makes network request

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Detect Xworm Payload

Detect ZGRat V1

Xworm

ZGRat

Blocklisted process makes network request

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21