General
-
Target
https://youtube.com
-
Sample
240511-rpvm7sbd6w
Malware Config
Extracted
asyncrat
| Edit 3LOSH RAT
rat1
xfreddy2751.duckdns.org:6606
xfreddy2751.duckdns.org:7707
xfreddy2751.duckdns.org:8808
darkstorm275991.ddns.net:6606
darkstorm275991.ddns.net:7707
darkstorm275991.ddns.net:8808
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
License.exe
-
install_folder
%AppData%
Extracted
xworm
3.1
full-wet.at.ply.gg:38848
-
Install_directory
%AppData%
-
install_file
chrome.exe
Targets
-
-
Target
https://youtube.com
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
AgentTesla payload
-
Async RAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1