asyncrat | bb484dd134c649c660dbde9ceb4fe1fbac7e65fb934d8a9c288c1e86d1b189f4 | Triage

Sharing

General

Target

install.bat
Size

192KB
Sample

240717-sr5rmazdna
MD5

a94e4dec22b09ea37e33fdfa3638e5de
SHA1

f90c1ea98c741bc63a3260721d1974962b9241ce
SHA256

bb484dd134c649c660dbde9ceb4fe1fbac7e65fb934d8a9c288c1e86d1b189f4
SHA512

a747324043860c06f28d4d7880a1df9f2bfbc6563fd42dffa76f3425a123aeb9bef29a4706dd11851f25c58acbf0c2fdfed775d68e9cb888b88a77ff2c0c6e0b
SSDEEP

3072:GTv0B0ylSYSg4xt9mYNjvI6L41JOELI7m5Y+fk3T0dcZAIG0+BWtOy15c:Q0iyQC4xt4Y26c1kEU7uBuWMAISA5c

Score

10^/10

asyncrat xworm default execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

unique-emotions.gl.at.ply.gg:54742

wiz.bounceme.net:6000

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

card-buzz.gl.at.ply.gg:2497

Mutex

rotrzgmheqhT

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

aes.plain

Targets

- Target
  
  install.bat
- Size
  
  192KB
- MD5
  
  a94e4dec22b09ea37e33fdfa3638e5de
- SHA1
  
  f90c1ea98c741bc63a3260721d1974962b9241ce
- SHA256
  
  bb484dd134c649c660dbde9ceb4fe1fbac7e65fb934d8a9c288c1e86d1b189f4
- SHA512
  
  a747324043860c06f28d4d7880a1df9f2bfbc6563fd42dffa76f3425a123aeb9bef29a4706dd11851f25c58acbf0c2fdfed775d68e9cb888b88a77ff2c0c6e0b
- SSDEEP
  
  3072:GTv0B0ylSYSg4xt9mYNjvI6L41JOELI7m5Y+fk3T0dcZAIG0+BWtOy15c:Q0iyQC4xt4Y26c1kEU7uBuWMAISA5c
Score

10^/10

asyncrat xworm default execution persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratxwormdefaultexecutionpersistencerattrojan