General

  • Target

    all.zip

  • Size

    5.7MB

  • Sample

    240422-xxdybaeh82

  • MD5

    66052e40613a6e5dc9fe179143b29e20

  • SHA1

    7ad79adf7eaeadd010f613436bef3fe33d4f2aab

  • SHA256

    ea07870d70da359ed77ec5a1c89e7ec2d125215323386e07c6e46f2438cda5dd

  • SHA512

    336420d2529b883b197c2aaf42886d8fe3da3f979050c4b6b9ade799d052c039ff54d9a3d0db038137832aa21042b724ca12a98e2bc241861d21a7865d25a8d6

  • SSDEEP

    98304:DptS1YBVDjIf7b/VMrADPl+ZdEn6w9b8c+GwXZEdSoWW8VDd17Uo6nuc2utY2u1Q:3SO3DjONMrAhmdEd2TpQ8VD0ywqgIMZ5

Malware Config

Extracted

Family

xworm

Version

5.0

C2

dcxwq1.duckdns.org:7000

Mutex

KuxjcUwK7YR0UBzc

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

dcxwq1.duckdns.org:3232

91.92.252.234:3232

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      a.ps1

    • Size

      2.0MB

    • MD5

      31a1fedf892c621a130af72087626401

    • SHA1

      388872a0a76a0dd09e2b4006bdd5df47cf213533

    • SHA256

      cb4de638ff8f7a39c116231167ddf2c12810c3cf924cb9feb587e746f0dee30d

    • SHA512

      6f02f77ce687ea1c220a5e8c7e74176930e2a527ed79d07d082cfc74c4e062eacd5ce72ac0b011cfa9150dcaa83cab280909bf7cdb9c22f5c4cdb2d4c3c95192

    • SSDEEP

      24576:5Vm+wL72rNiCumobcPioNJBrs54nSACpgjtI6l+UFwHA2/vU31SPKwJZC6nT+:j0Y

    Score
    10/10
    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Target

      ib.ps1

    • Size

      7.0MB

    • MD5

      c1da0728c1fc79cdc44abd4bd6f5e3b2

    • SHA1

      80d4c92051d0b94e3861af9fcceab3a22e23c3f1

    • SHA256

      e6b09d530c7cd92b3d71a149054e984494c989da9870d7fa26fb429f683d4d4b

    • SHA512

      6e3b389d2a755264e0e95de750f688042991d331d353fba1b6e6c773dace3b336cec39b9d22721b145b4fa898c1b2054c63b2b932d48274eaa9e64a7fed00d2f

    • SSDEEP

      24576:sebnxCzaFtccBb+gt3gsQI4gfsBiKHU3JjHoqcGIx/Dk/bPNloBYbgh39kU2x+NF:66HlxbhX003mRUtmUcvDd

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Stealerium

      An open-source info stealer written in C#, first seen in May 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Async RAT payload

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      xy.ps1

    • Size

      3.5MB

    • MD5

      fd9e5bc22d85383989e43f9f0a07dfb5

    • SHA1

      2e0d60d4fb2b5322973777d7d1590392441a3bbe

    • SHA256

      06e8a246c8f2d03547a7f6ebeb4c5cf80495cdaf33057589d74c91feec313c34

    • SHA512

      4ecf593eaa94b623a0960ad242421b67dc03cabbd646bf7c54fd0026d312dbcc60030528d37de6b62bb2c8c1cefec335ba0c545f6277682fc3f948611c541fbe

    • SSDEEP

      24576:smT7UpKIdl/uwHg2POedtrX9/Q8m+3kVJOCTGz6U/cA9t99ke2wYIGCwGt2Gk/Ps:ibl1Mrzi9

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Stealerium

      An open-source info stealer written in C#, first seen in May 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Async RAT payload

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.
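The indicators above (the SHA256 hashes of all.zip and the three .ps1 payloads, the two C2 host:port pairs on dcxwq1.duckdns.org, the 91.92.252.234:3232 endpoint and the XWorm mutex) are the actionable part of this report. The script below is an added example, not part of the sandbox output, that loads those values and matches them against file hashes, a simple connection/DNS log and a list of mutex names. The log line format and the sample log are constructed for the example; the indicator values themselves are copied from the report.

```python
"""Match host and network telemetry against the IOCs in this report (added example)."""
import hashlib
import re

# Indicators copied from the report above (sample 240422-xxdybaeh82).
KNOWN_SHA256 = {
    "ea07870d70da359ed77ec5a1c89e7ec2d125215323386e07c6e46f2438cda5dd": "all.zip",
    "cb4de638ff8f7a39c116231167ddf2c12810c3cf924cb9feb587e746f0dee30d": "a.ps1 (XWorm 5.0)",
    "e6b09d530c7cd92b3d71a149054e984494c989da9870d7fa26fb429f683d4d4b": "ib.ps1 (AsyncRAT + Stealerium)",
    "06e8a246c8f2d03547a7f6ebeb4c5cf80495cdaf33057589d74c91feec313c34": "xy.ps1 (AsyncRAT + Stealerium)",
}
C2_ENDPOINTS = {
    ("dcxwq1.duckdns.org", 7000): "xworm",
    ("dcxwq1.duckdns.org", 3232): "asyncrat",
    ("91.92.252.234", 3232): "asyncrat",
}
C2_DOMAIN = "dcxwq1.duckdns.org"
XWORM_MUTEX = "KuxjcUwK7YR0UBzc"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Stream the file so large archives like all.zip do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup_hash(digest: str):
    """Return the report's label for a SHA256 digest, or None if it is not listed."""
    return KNOWN_SHA256.get(digest.lower())


# Constructed log format (an assumption for this example, not from the report):
#   <timestamp> <src_ip> conn <dst_host_or_ip>:<dst_port>
#   <timestamp> <src_ip> dns <queried_name>
CONN_RE = re.compile(r"^(\S+) (\S+) conn (\S+):(\d+)$")
DNS_RE = re.compile(r"^(\S+) (\S+) dns (\S+)$")


def match_network(lines):
    """Return (timestamp, src, indicator, family) for every line touching a listed C2.

    duckdns.org is dynamic DNS, so the name can resolve to changing addresses:
    the domain is matched on DNS queries and the host:port pair on connections.
    """
    hits = []
    for line in lines:
        line = line.strip()
        m = CONN_RE.match(line)
        if m:
            ts, src, dst, port = m.groups()
            family = C2_ENDPOINTS.get((dst.lower(), int(port)))
            if family:
                hits.append((ts, src, f"{dst}:{port}", family))
            continue
        m = DNS_RE.match(line)
        if m:
            ts, src, name = m.groups()
            if name.lower().rstrip(".") == C2_DOMAIN:
                hits.append((ts, src, name, "xworm/asyncrat"))
    return hits


def match_mutexes(names):
    """Flag the XWorm mutex in a list of mutex names (e.g. from a handle dump)."""
    return [n for n in names if n == XWORM_MUTEX]


# Constructed sample log for the example; only three lines touch listed C2s.
SAMPLE_LOG = [
    "2024-04-22T10:00:01Z 10.0.0.5 dns dcxwq1.duckdns.org",
    "2024-04-22T10:00:01Z 10.0.0.5 dns www.example.com",
    "2024-04-22T10:00:02Z 10.0.0.5 conn dcxwq1.duckdns.org:7000",
    "2024-04-22T10:00:03Z 10.0.0.5 conn 91.92.252.234:3232",
    "2024-04-22T10:00:04Z 10.0.0.7 conn 91.92.252.234:443",
]

if __name__ == "__main__":
    for hit in match_network(SAMPLE_LOG):
        print("C2 hit:", hit)
    print("mutex hits:", match_mutexes(["Local\\SomeApp", XWORM_MUTEX]))
```

The connection matcher only fires on the exact host:port pairs listed in the config; traffic to 91.92.252.234 on another port (the last sample line) is deliberately left out so the result stays tied to what the report actually shows. Widening the rule to any port on that address is a reasonable local decision, but it should be marked as lower confidence than a match on the extracted endpoint.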

MITRE ATT&CK Matrix ATT&CK v13

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Email Collection

2
T1114
