Overview

overview

10

Static

static

1

.html

windows11-21h2-x64

10

Resubmissions

28/06/2024, 12:23

240628-pknb8ayhjg 10

28/06/2024, 11:33

240628-nnw8vszejj 1

Sharing

Copy URL Twitter E-mail

General

  • Target

    .

  • Size

    2KB

  • Sample

    240628-pknb8ayhjg

  • MD5

    7cdc8f61fb1fc3883598588051cdbe0a

  • SHA1

    92e76e7557196531dbdf862421178ecaf4e248e2

  • SHA256

    6e6856c0003a452f331ac9f2c7d73c28ca0d1924763b43544dfa1a65cc92b68d

  • SHA512

    0a74b11895cc550b98c0ae6b89afc1eb564920bc519ecbdc75a985d485f876f8ffa86afae021c1569c7767c6d4362a3e7acb4df3d373ffaf2bbe872c4d158309

Score
10/10
asyncratxwormdefaultvenom clientsexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

welxwrm.duckdns.org:8292

june9402xw.duckdns.org:9402
Mutex

7jnhTfSNWZuGGfkd

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain
aes.plain

Extracted

Family

xworm

Version

5.0

C2

rvxwrm5.duckdns.org:9390

Mutex

7OXU3DwqjAAyqB4H

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

todfg.duckdns.org:6745

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_file

    updateee.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

anachyyyyy.duckdns.org:7878

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

ujhn.duckdns.org:8520

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      .

    • Size

      2KB

    • MD5

      7cdc8f61fb1fc3883598588051cdbe0a

    • SHA1

      92e76e7557196531dbdf862421178ecaf4e248e2

    • SHA256

      6e6856c0003a452f331ac9f2c7d73c28ca0d1924763b43544dfa1a65cc92b68d

    • SHA512

      0a74b11895cc550b98c0ae6b89afc1eb564920bc519ecbdc75a985d485f876f8ffa86afae021c1569c7767c6d4362a3e7acb4df3d373ffaf2bbe872c4d158309

    Score
    10/10
    asyncratxwormdefaultvenom clientsexecutionpersistencerattrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks