Extracted

Extracted

Extracted

• • Target

    new.bat

  • Size

    54KB

  • MD5

    2f9e290249e705aa1ba5aacf057b22bb

  • SHA1

    f60ff4ced8c331540a10285bb7ca74b91486a9f5

  • SHA256

    56b8c6ac0a39cfe4cac12420f063371cf811116f70567641ff749d75fb9be912

  • SHA512

    98b2abc5caffc080741051cd00220e1b6ffa920670be0994777626816708bc368b106787985408665e5dd3cf31a9f2219000a0d17ca4e5a6dc52b6861658322f

  • SSDEEP

    768:06iORKR1BLWU1EWIOyNbZ9pSp2Mp7LC1QY3vMBnV9:eRiavmpSps1j3vMBnV9

  Score

  10^/10

  discoveryexecutionasyncratstealeriumxwormdefaultcollectioncredential_accesspersistenceprivilege_escalationratstealertrojan

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Detect Xworm Payload

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

    stealerstealerium

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Async RAT payload

    rat

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Command and Scripting Interpreter: PowerShell

    Powershell Invoke Web Request.

    execution

  • Executes dropped EXE

  • Loads dropped DLL

  • Accesses Microsoft Outlook profiles

    collection

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  behavioral1behavioral2