asyncrat | 6020eb188059a9b681b03092198c2d243a8e5ea5040b1d00d5809f56b4276c0d | Triage

Submit
Reports

Overview

overview

Static

static

1

Loader.bat

windows10-2004-x64

Sharing

General

Target

Loader.bat
Size

264B
Sample

240708-1zdbcatdnd
MD5

aa1529cc2a98b4e40322ada6fc14fa97
SHA1

ec76803006b95a46bf1fa9c522ec2b19db448d52
SHA256

6020eb188059a9b681b03092198c2d243a8e5ea5040b1d00d5809f56b4276c0d
SHA512

c2680fa4125eb3da74727bd159a361e19678c5cd1efaa096b038b89e7408af34948b4ba1eebd9722626041b1e7fc52fd2e6c516e52c482ab361565f554dcc14f

Score

10^/10

asyncrat xworm default execution persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

Loader.bat

Resource

win10v2004-20240704-en

asyncrat xworm default execution persistence rat trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

unique-emotions.gl.at.ply.gg:54742

wiz.bounceme.net:6000

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

card-buzz.gl.at.ply.gg:2497

Mutex

uE6w2BW3TJU0

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Loader.bat
- Size
  
  264B
- MD5
  
  aa1529cc2a98b4e40322ada6fc14fa97
- SHA1
  
  ec76803006b95a46bf1fa9c522ec2b19db448d52
- SHA256
  
  6020eb188059a9b681b03092198c2d243a8e5ea5040b1d00d5809f56b4276c0d
- SHA512
  
  c2680fa4125eb3da74727bd159a361e19678c5cd1efaa096b038b89e7408af34948b4ba1eebd9722626041b1e7fc52fd2e6c516e52c482ab361565f554dcc14f
Score

10^/10

asyncrat xworm default execution persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratxwormdefaultexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy