General

  • Target

    planet x v5.bat

  • Size

    448KB

  • Sample

    240528-rs9ljaab37

  • MD5

    8c4ca851ec8c215035857784815134d2

  • SHA1

    2a0bf3160c0bc0979b27b241a5bc9fd13069ab2f

  • SHA256

    c97c51a6260a694daabe26dd47d5bc4304ad24e0e5e49fd906a13e99f3931734

  • SHA512

    9c6765ea2fa3c14d29c441bf07e3fcac4ade33e996a4926e0c42a4b22906434721e3be5b7267b5a2e83a09ad68f552f9c9823a47f477928b6168bda1e8f6e7d9

  • SSDEEP

    6144:21m/ysEZubRskU36lHu1BpVtPEeL2oUmH5lpr4qUA4sVzlSUb57+qd7dhoRWk9i+:249PbRq3I4BpDE9onlBpfVga5PdJWg+

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

127.0.0.1:38173

Mutex

epykvfetbqzwboxh

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:38173

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Runtime Broker.exe

Targets

    • Target

      planet x v5.bat

    • Size

      448KB

    • MD5

      8c4ca851ec8c215035857784815134d2

    • SHA1

      2a0bf3160c0bc0979b27b241a5bc9fd13069ab2f

    • SHA256

      c97c51a6260a694daabe26dd47d5bc4304ad24e0e5e49fd906a13e99f3931734

    • SHA512

      9c6765ea2fa3c14d29c441bf07e3fcac4ade33e996a4926e0c42a4b22906434721e3be5b7267b5a2e83a09ad68f552f9c9823a47f477928b6168bda1e8f6e7d9

    • SSDEEP

      6144:21m/ysEZubRskU36lHu1BpVtPEeL2oUmH5lpr4qUA4sVzlSUb57+qd7dhoRWk9i+:249PbRq3I4BpDE9onlBpfVga5PdJWg+

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Async RAT payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks