General

  • Target

    19042024_1547_windows_update.zip

  • Size

    17.1MB

  • Sample

    240419-jnprkacc56

  • MD5

    c427be2b5a8b0bb8059c713818a67039

  • SHA1

    87841c0fdbc05ef31131bc7810466b6fc2290789

  • SHA256

    b471f3f22ac4c66fcf7419df31431552ce8f5ac8222b1398e0d1016824e95dcf

  • SHA512

    961a2001a7f8698ec8f255c7834f1c85adf92205981eca3b0e5563c2f08414c732e822b0ca28d8ac3e371c58a74dd7fe8122b4645ab0cd56810f45a449b47748

  • SSDEEP

    393216:IKnuyR8OELfOxKWo5N5VYpGdWrWEWRrCCBpu9RNkX93nM/DXwx4POCy1etBKeOf3:I6ELfONo5NXT4rW7R+CBpKRNkBnADW4g

Malware Config

Extracted

Family

xworm

Version

3.1

C2

jdokds.duckdns.org:8895

Mutex

fR94ukDUyBXXff7e

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

xworm

Version

5.0

C2

vbdsg.duckdns.org:8896

Mutex

FEi0RCvFfWeSuiKb

Attributes
  • install_file

    USB.exe

aes.plain
aes.plain

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

kdfsv.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

bagdg.duckdns.org:8887

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      windows_update/file.ps1

    • Size

      13.0MB

    • MD5

      20788a06a96ae4d92417ace4661d559a

    • SHA1

      239d40f67c27ae2e70c698237a3b27401ef5d37a

    • SHA256

      8cc2612a8d44d4aebad26bd6ea254ad25f959497391ccfff127a56fad42eb4d5

    • SHA512

      c3bcb3bbf117a933738a85590cf98f0fbd7f995c2b5a559850f089111aac87a774c42110da4237f31bd49a9d7ae2751d77eb3f72aac130c81163c13d58383511

    • SSDEEP

      49152:QZuX/CRIRerx1exkxTf0i0vcfo/wFlAPp5Bl0jNlD33oi:

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Async RAT payload

    • Target

      windows_update/file.vbs

    • Size

      32KB

    • MD5

      263f1c42f74c0012000082b4491c5633

    • SHA1

      dd5e52905e076f64edf70e4ec6df184023da41e5

    • SHA256

      ee55a816496e57c37a7d0451fc0122e10487dc91de31ff1ca6e25e38b898c5ca

    • SHA512

      184c6a5522ad67ecd1f4568faa050c721e8559f8c9ef38bbfbd7fd47b472aebd08a09f74064ffd3f2d2a53df985886172817691e97a7a9a2046e02f2ea288265

    • SSDEEP

      384:+D2rWxptVYVLrOSZA0fE2qhQpEXeePEm/dvraAwYdtQRqsWigCL53MTx+Y1VcJzS:hroVYV3vXp3AlEYdCL53ugFCaOK7in

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Target

      fresh.exe

    • Size

      345.0MB

    • MD5

      33f67337db523a8a1610dc39702e6a9e

    • SHA1

      67783aaeb5499cd450094c5f1d20c15a4017e903

    • SHA256

      9f0c26a9ee59081531ac9c4d5cca894cf9933e4fdbb6cc9cb9db4a614c79bb91

    • SHA512

      da148c37f5631dc94ef545cdccf95f7c8aa59cd5d49666982333082c05ebf9a1cc27c4f64dd117408fe1b49a65a588fdc034ffa8cba187f461cc372c5c8e0602

    • SSDEEP

      1536:fJZhM+Qw6/iPxFPP3t/zzdnr8EI5jayp3z3hXdmd30RrSkbiKyhz5u36UU5eX9Mk:++SrvbvyZg6UU529cI1VoheH

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Suspicious use of SetThreadContext

    • Target

      windows_update/loader.cmd

    • Size

      98KB

    • MD5

      4dd85169668cda84ba77526c00d33b94

    • SHA1

      c747c69b7b42f5df9955ef55712e6e7a62c51528

    • SHA256

      40d1eefe9d8d188d6db6183ead3409bb4f699c93cb70dd63cd905b37952a15c2

    • SHA512

      1cb472d78716de4d82bbf20cb94b1d38acedd1cfdcaffa6b2f5d321c6d4ee8b0d01fba6d2cd15c10af13b7f82176c4aea1c97b2dd877205e5a23aa8e247a0919

    • SSDEEP

      1536:IdG5FKZA2CbNUCUbqIby+r+4iDdi2qUfYiq3OnXswqBV/zR3QJVGq:s5ZneMDb/2qlZu8zBVlFq

    Score
    10/10
    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Blocklisted process makes network request

    • Target

      windows_update/loader.ps1

    • Size

      13.0MB

    • MD5

      918d10fa6fd003a0bea73d2ba50538e0

    • SHA1

      a089fbb17927d4a84d25e910b3d0cc7ea12faf1f

    • SHA256

      4e842547867c928696600f51943bb9611adb9afc4741358fd5a97f28dcabfcf5

    • SHA512

      a442521361cfdfd43f13250cb2b995a6e20713cf5559b504b2e3bc38ef12106a44f9e2eb279be200d73fa74559eeef7fa884d5dd2d85338dba846483290c1638

    • SSDEEP

      24576:rWFjASpSiK44861Lh5Z5wt0WxLQ/qA31hC/v18Oa7OPgp6YxuYTj3bfQJ3gFKpLh:SyItZfFNKCIRqiEu54Hvp1jW1o96lj

    Score
    10/10
    • Detect Xworm Payload

    • Detect ZGRat V1

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Target

      windows_update/monitors.ps1

    • Size

      1022B

    • MD5

      a2c5ac23463aba29658f4857a9dc3c36

    • SHA1

      051fd9d95aaded97058bfc4f6183bfd92a6e66fc

    • SHA256

      c1235f0cefde4c3e8ebe26b07159505ca219fcfd7ef2dd75433ebfe424343a2d

    • SHA512

      66c09ef0c5dc9ed94c9848a5d056ba63249439320569e86408817bcb677265b51ab10b9a4c0f5ac0d56cc09d4859a492741e230e0ffb50f2553e797c604424c2

    Score
    1/10
    • Target

      windows_update/payload.ps1

    • Size

      13.0MB

    • MD5

      aea7b9b583a8e559ccf1503c91dcc642

    • SHA1

      24106218bdc2a8480ba431931ca8e32a3a86e1b3

    • SHA256

      3645de345bd6e490b1a3db479a1b21c80685b0ad6364ba0d10aa1f19b845ac9a

    • SHA512

      a133713bac6fa9fef9e26bffc936792adad6205be89ae24a7ee80445d81719a4643cdde970b62117dc02da34b57d6d0feccab2689bcda4f54fdb4e7507dfa9f1

    • SSDEEP

      49152:+Xz+bisAu/wGr2wd3q35o+F0MCTW9XZk:

    Score
    10/10
    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Target

      windows_update/update.cmd

    • Size

      90KB

    • MD5

      1995b8e921de14413fcf1d3294ba2fa8

    • SHA1

      cf7b83c9b58645cbc3b5608304d9a2edb27c2c9c

    • SHA256

      ed508eb52e48884b93032bd898800e64e0126f888c7da127ca53c3607c56042f

    • SHA512

      184f136d9f2d5e20849908ecfdf1e0cb6e13b442324849d6bbe3e8204e581d904092084bd1a1a852723d57153ea7764353c77b23b94ae1d12261baa27026efbe

    • SSDEEP

      1536:FNUAiGNMG4ADcXo9zIvLC39cvE5mLToyG4YVMTrSpmXKfmsbvXej0cN7NcOsIcdt:FNUAfNbDc49zb3TALT5nYyTWpmGmsTcy

    Score
    10/10
    • Detect Xworm Payload

    • Detect ZGRat V1

    • Xworm

      Xworm is a remote access trojan written in C#.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Target

      windows_update/update.vbs

    • Size

      32KB

    • MD5

      63a573c0ded47d45d6fec8d6ea4617ae

    • SHA1

      3e9f8761ad186ddf6c95cb8e537686c39524a041

    • SHA256

      090a419c6597180b477d22883d1f3292e8079760e5931df372829f746c2ed35f

    • SHA512

      06734b55932fc353c5db15fa1b6a0b8dbf54df1afc8a97cb85e4ce84422311585dc38168230cb757b5357fcd52bfabfd5f256d06a5a1764b67e91ef06a306cd8

    • SSDEEP

      768:NvaEN4C7nPP12SNRlOMldgdmD1N73ugFCaOK7i3:7LRo87e4Cani

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Target

      windows_update/upload.cmd

    • Size

      92KB

    • MD5

      eec37f3bab24fc7fe9a522d510d3846b

    • SHA1

      5961dd62caf4dc3f48542355638809de85a5458c

    • SHA256

      6f38e42f0d28197b443480c15321d5ac16589bb0d539946925fd3345bcef2885

    • SHA512

      0af4df57955d12d602b7d98eab7550a99ef0cd570f56d0ea11f8751ed62cc15ab5a871b9c76b2611c6caebce32cd3d1a013700249ed07caeddb965405b67e0a0

    • SSDEEP

      1536:xLybdutPYfy3HuyZA6fhiTq9LX9lc+ubMK/RF0w3kNR8bLOp8Ek5X90xzHiuzO:B6dutPYIOyZphEUX9K3bMuBkNw28dLwC

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Target

      windows_update/upload.vbs

    • Size

      32KB

    • MD5

      e4534ded9ec68260823a721bcd33651d

    • SHA1

      8a063bacf5970f15faf9673e981199c3857a33cb

    • SHA256

      b0ad6203ee18e54d5629d75022394f0017a148f153bdd9c9bda1e13607d80da5

    • SHA512

      76d2de40c43fd43674d48db4408287ea1e25b54d9fdd088f3a01b4320892517c92121ec6334978db8726134df0f9d66790135f6dbf591d422d977c98835000ec

    • SSDEEP

      768:Oa+p6KNlEbk7WxSPQeXutoP7pBk3ugFCaOK7ip:h+6k9hke4Cang

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Target

      windows_update/windows.cmd

    • Size

      109KB

    • MD5

      fb0037160a00b86b8418ca6efedbafdb

    • SHA1

      50cab1c16ab95af09fab1b3dbc8b0ee9960bce2e

    • SHA256

      15378788a250cc88796c95c360aea5f0fabd7ff540b68974c930e9907fde7810

    • SHA512

      07362a7b1d665477504cc177f1e208ccb8242a40b3aae6c213527a2baf04ba444584097dad034ffe3fc8eeb176d02125f99f23041840e66ed1fb990b7655e654

    • SSDEEP

      3072:JpGKToitW8Jc86cKdN18shPU54CEd3gO8mjxuWrMz:TTVtWWv6c+N18shH+OxfrMz

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Blocklisted process makes network request

    • Target

      windows_update/windows.vbs

    • Size

      32KB

    • MD5

      14e7c231587a609351a171621bb7e0c9

    • SHA1

      fb88a224c091b4d58c81b4e061e7bed556bd84d2

    • SHA256

      5cc2629af63fe5cda370a8a087af9a01027ff4ae22d1410e88d85deae29e89cc

    • SHA512

      98c05575996b098e592c39643a0aea996bc39575b1f13ca6c8f8f51f945dc841c1fee4785034f27cf9e957099b83abc162306d5eb30054a4fac5fad18bd4e89f

    • SSDEEP

      768:+7+assVao+vDdY+aYtA6sQbbtNmIWMo45L/quDqa3ugFCaOK7iY4SnWnru:+WsGbbtNmIWMo45L/quDqae4CanX4Sn1

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scheduled Task/Job (T1053): 1

  • Persistence

    Scheduled Task/Job (T1053): 1

  • Privilege Escalation

    Scheduled Task/Job (T1053): 1

  • Discovery

    Query Registry (T1012): 4

    System Information Discovery (T1082): 8

Tasks

  • static1: Score 3/10

  • behavioral1: Score 1/10

  • behavioral2: asyncrat, venom clients, rat; Score 10/10

  • behavioral3: Score 8/10

  • behavioral4: Score 8/10

  • behavioral5: xworm, rat, trojan; Score 10/10

  • behavioral6: xworm, rat, trojan; Score 10/10

  • behavioral7: Score 1/10

  • behavioral8: asyncrat, default, rat; Score 10/10

  • behavioral9: Score 1/10

  • behavioral10: xworm, zgrat, rat, trojan; Score 10/10

  • behavioral11: Score 1/10

  • behavioral12: Score 1/10

  • behavioral13: Score 1/10

  • behavioral14: xworm, rat, trojan; Score 10/10

  • behavioral15: Score 1/10

  • behavioral16: xworm, zgrat, rat, trojan; Score 10/10

  • behavioral17: Score 8/10

  • behavioral18: Score 8/10

  • behavioral19: Score 1/10

  • behavioral20: xworm, rat, trojan; Score 10/10

  • behavioral21: Score 8/10

  • behavioral22: Score 8/10

  • behavioral23: Score 1/10

  • behavioral24: asyncrat, venom clients, rat; Score 10/10

  • behavioral25: Score 8/10

  • behavioral26: Score 8/10