asyncrat

General

Target

XClient.exe
Size

34KB
Sample

240723-xrmy2ashrj
MD5

8bb9d79ea292fc23e600ebd7957e9333
SHA1

4e78c73a5383f14edc669260524da4bdd5130c36
SHA256

12631c9b83e06b20eb1727eff06e2d6e264e8c58d62ea6ee5d351d195af3502a
SHA512

35101121210917d2dfd34e48f1b29e8806637b58cd18a0bbf93da1ee6decfac12ce55c0820e22c691287c7572bcdba69fc5d134ba4834c015aa553250d6383d8
SSDEEP

384:+xYQVyqLSxEe4fIETsI5feQjFptmByujICLYFiiXmv50QAXnxF8QFhk58pkFyHBp:yrvaUuYsIQehkVFyr9eWTOjhmSDc

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

insurance-helmet.gl.at.ply.gg:31388

Mutex

wbZwsAW8h4Ee9jvd

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6758433214:AAHsOKdFy4qDz6vRHO6UQUpRG85G-wZvC1Y/sendMessage?chat_id=6234857847

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  XClient.exe
- Size
  
  34KB
- MD5
  
  8bb9d79ea292fc23e600ebd7957e9333
- SHA1
  
  4e78c73a5383f14edc669260524da4bdd5130c36
- SHA256
  
  12631c9b83e06b20eb1727eff06e2d6e264e8c58d62ea6ee5d351d195af3502a
- SHA512
  
  35101121210917d2dfd34e48f1b29e8806637b58cd18a0bbf93da1ee6decfac12ce55c0820e22c691287c7572bcdba69fc5d134ba4834c015aa553250d6383d8
- SSDEEP
  
  384:+xYQVyqLSxEe4fIETsI5feQjFptmByujICLYFiiXmv50QAXnxF8QFhk58pkFyHBp:yrvaUuYsIQehkVFyr9eWTOjhmSDc
Score

10^/10

asyncrat stormkitty xworm default credential_access discovery persistence privilege_escalation rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Modifies WinLogon for persistence
  persistence
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5