asyncrat | 93b258cd1286d96f63a9aebb45102c179a7c8df203a295c4626a2a5a020ee24b | Triage

Sharing

General

Target

news.bat
Size

18KB
Sample

240723-vnglqszgnr
MD5

0e66b4faedf4ff7af4616d075af9c48b
SHA1

0b0f1a69da674e980b3aefe8d6ae09cba654852a
SHA256

93b258cd1286d96f63a9aebb45102c179a7c8df203a295c4626a2a5a020ee24b
SHA512

dd2bb4ea44b773805ec277e2d28f3e9a82382067e59e429a83ce093fc33b68ea2299d89ffe5c26d6faa2ccab88d4aeb8345133a690db62d82e6db9955a62195e
SSDEEP

384:gTYcpQyuPmhDGEhtKCZLQD4vAUPUq+/cnodbc4uwXZwSTKB95B6jT9mr4QB:gTYcpQyuPmhDGEhtKCZZvhUq6vdbIw4R

Score

10^/10

asyncrat xworm default discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

157.20.182.172:7000

Mutex

iHRgIbaS0FTMce5d

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

45.66.231.150:3232

157.20.182.172:3232

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

aes.plain

Targets

- Target
  
  news.bat
- Size
  
  18KB
- MD5
  
  0e66b4faedf4ff7af4616d075af9c48b
- SHA1
  
  0b0f1a69da674e980b3aefe8d6ae09cba654852a
- SHA256
  
  93b258cd1286d96f63a9aebb45102c179a7c8df203a295c4626a2a5a020ee24b
- SHA512
  
  dd2bb4ea44b773805ec277e2d28f3e9a82382067e59e429a83ce093fc33b68ea2299d89ffe5c26d6faa2ccab88d4aeb8345133a690db62d82e6db9955a62195e
- SSDEEP
  
  384:gTYcpQyuPmhDGEhtKCZLQD4vAUPUq+/cnodbc4uwXZwSTKB95B6jT9mr4QB:gTYcpQyuPmhDGEhtKCZZvhUq6vdbIw4R
Score

10^/10

discovery execution asyncrat xworm default rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

asyncratxwormdefaultdiscoveryexecutionrattrojan