Overview

overview

10

Static

static

1

URLScan

urlscan

1

http://ride-fatal-it...

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    http://ride-fatal-italic-information.trycloudflare.com

  • Sample

    240711-vv6t7swerl

Score
10/10
asyncratxwormdefaultexecutionrattrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

todfg.duckdns.org:6745

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

Version

3.1

C2

welxwrm.duckdns.org:8292

xwor3july.duckdns.org:9402
Mutex

jAJi0qnpBIvDTnnL

Attributes
  • install_file

    USB.exe

aes.plain
aes.plain

Extracted

Family

xworm

Version

5.0

C2

rvxwrm5.duckdns.org:9390

Mutex

paSw6o6yxKyyWEhP

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

anachyyyyy.duckdns.org:7878

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      http://ride-fatal-italic-information.trycloudflare.com

    Score
    10/10
    asyncratxwormdefaultexecutionrattrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks