asyncrat | c97c51a6260a694daabe26dd47d5bc4304ad24e0e5e49fd906a13e99f3931734 | Triage

Submit
Reports

Overview

overview

Static

static

1

planet x v5.bat

windows11-21h2-x64

Sharing

General

Target

planet x v5.bat
Size

448KB
Sample

240529-rxy1lahd7s
MD5

8c4ca851ec8c215035857784815134d2
SHA1

2a0bf3160c0bc0979b27b241a5bc9fd13069ab2f
SHA256

c97c51a6260a694daabe26dd47d5bc4304ad24e0e5e49fd906a13e99f3931734
SHA512

9c6765ea2fa3c14d29c441bf07e3fcac4ade33e996a4926e0c42a4b22906434721e3be5b7267b5a2e83a09ad68f552f9c9823a47f477928b6168bda1e8f6e7d9
SSDEEP

6144:21m/ysEZubRskU36lHu1BpVtPEeL2oUmH5lpr4qUA4sVzlSUb57+qd7dhoRWk9i+:249PbRq3I4BpDE9onlBpfVga5PdJWg+

Score

10^/10

asyncrat xworm default execution persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

planet x v5.bat

Resource

win11-20240419-en

asyncrat xworm default execution persistence rat trojan

windows11-21h2-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

127.0.0.1:38173

Mutex

epykvfetbqzwboxh

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:38173

Attributes

Install_directory
%Userprofile%
install_file
Runtime Broker.exe

Targets

- Target
  
  planet x v5.bat
- Size
  
  448KB
- MD5
  
  8c4ca851ec8c215035857784815134d2
- SHA1
  
  2a0bf3160c0bc0979b27b241a5bc9fd13069ab2f
- SHA256
  
  c97c51a6260a694daabe26dd47d5bc4304ad24e0e5e49fd906a13e99f3931734
- SHA512
  
  9c6765ea2fa3c14d29c441bf07e3fcac4ade33e996a4926e0c42a4b22906434721e3be5b7267b5a2e83a09ad68f552f9c9823a47f477928b6168bda1e8f6e7d9
- SSDEEP
  
  6144:21m/ysEZubRskU36lHu1BpVtPEeL2oUmH5lpr4qUA4sVzlSUb57+qd7dhoRWk9i+:249PbRq3I4BpDE9onlBpfVga5PdJWg+
Score

10^/10

asyncrat xworm default execution persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratxwormdefaultexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy