General

  • Target

    Setup.bat

  • Size

    11.3MB

  • Sample

    240710-wqsbpavbna

  • MD5

    9aff8574d8d61060a26322de49f6e224

  • SHA1

    a54fefc6c1f686df660a49dd27f343b156e7bedb

  • SHA256

    a1605f71cbcf4725e72b5420c5c8a1c95d7e7a0b0f3b6c362da595630156ff44

  • SHA512

    0c31c2b9a03345e0794a0c792c998e7612e6bd739aa1e54b3362d4a9b4138f0bfbaa6fd9cfc0f09dae4f28acac3e7b85f1d5a5ddff50ca3bdc97648585911d1e

  • SSDEEP

    49152:Ve5orIoZAQ8VbY1a5csL7A1P5nfq1HTQ+HORrunnSc65rtrYY2I3yhyJglRfZ2kY:n

Malware Config

Extracted

Family

xworm

Attributes

  • Install_directory

    %Temp%

  • install_file

    Winhlp32.exe

Extracted

Family

asyncrat

Version

- Made By Mr.Joex

Botnet

Default

C2

times-rest.gl.at.ply.gg:6286

Mutex

ndimkoqfvoe

Attributes

  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

HWTRD3wogSdAxp7C3fRNxXP4cnu1tMoo

Targets

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Async RAT payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
