asyncrat

General

Target

new.bat
Size

53KB
Sample

240730-y3p37swgrm
MD5

902f4ecd4c40073cd9c8d5448075fa37
SHA1

5a91f98c5215ee6375dc6288f484ae370b289db3
SHA256

d13cd401cd3e151ecc1ddaba54245fbaadb91e76614f0ec7b203522a7fee8baf
SHA512

8c123b647a516a057a817173012f5632242ba0676d11ac61509d6cea876c366486d3059c0ba20b78de94a4bf5ea22a3a72b9ca81c14d0fb0effaabef1b2adfc3
SSDEEP

768:Bc6tDHus93xf8AeF07J28B7cyqr1fAGz7UqrBkhyuRlPrV0rohyOSeEIcNlYiLt0:vtxwVtb1FNFhV6VO/DOvRMpSYG

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

157.20.182.172:7000

157.20.182.172:8000

Mutex

iHRgIbaS0FTMce5d

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

45.66.231.150:3232

157.20.182.172:3232

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

nlthbmfyadihv

Attributes

delay
1
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/zNe6NH5y

aes.plain

Targets

- Target
  
  new.bat
- Size
  
  53KB
- MD5
  
  902f4ecd4c40073cd9c8d5448075fa37
- SHA1
  
  5a91f98c5215ee6375dc6288f484ae370b289db3
- SHA256
  
  d13cd401cd3e151ecc1ddaba54245fbaadb91e76614f0ec7b203522a7fee8baf
- SHA512
  
  8c123b647a516a057a817173012f5632242ba0676d11ac61509d6cea876c366486d3059c0ba20b78de94a4bf5ea22a3a72b9ca81c14d0fb0effaabef1b2adfc3
- SSDEEP
  
  768:Bc6tDHus93xf8AeF07J28B7cyqr1fAGz7UqrBkhyuRlPrV0rohyOSeEIcNlYiLt0:vtxwVtb1FNFhV6VO/DOvRMpSYG
Score

10^/10

discovery execution asyncrat stealerium xworm default collection credential_access persistence privilege_escalation rat stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Stealerium
  An open source info stealer written in C# first seen in May 2022.
  stealer stealerium
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral1 behavioral2