General
-
Target
https://gofile.io/d/JwlP3t
-
Sample
240727-dv3n4sxanf
Malware Config
Extracted
asyncrat
1.0.7
Default
127.0.0.1:8848
127.0.0.1:37029
147.185.221.21:8848
147.185.221.21:37029
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
xworm
147.185.221.21:27469
-
Install_directory
%AppData%
-
install_file
astroGG.exe
Targets
-
-
Target
https://gofile.io/d/JwlP3t
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload
-
Modifies Windows Defender Real-time Protection settings
-
Xworm
Xworm is a remote access trojan written in C#.
-
Async RAT payload
-
Renames multiple (3949) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Command and Scripting Interpreter: PowerShell
Start PowerShell.
-
Downloads MZ/PE file
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Adds Run key to start application
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
5Subvert Trust Controls
1SIP and Trust Provider Hijacking
1