asyncrat | ebbb1bcaa8c10a142bc149726fac6e4d235075dfd4acb33c83d419eba5b8f030 | Triage

Resubmissions

02-08-2024 15:17

240802-sn8zwayhnm 10

Sharing

General

Target

testoutput.exe
Size

330KB
Sample

240802-sn8zwayhnm
MD5

04896d586dfa7f3fabaa68ce99f54c03
SHA1

c2b1f452639879f593ff79837d6eb659f98ec329
SHA256

ebbb1bcaa8c10a142bc149726fac6e4d235075dfd4acb33c83d419eba5b8f030
SHA512

53eb676b95a94911546ff3a54195cd84fb0e618d161d7a5c0394df55e876cc8a04c39c403b9eb49ebfe89d666c670f750fd49918cfa621ea2458943487801de4
SSDEEP

3072:EKG/7z3B2pKDYGq7KIBBwRjH6Ee8jS9ujgrhfJkApfEX/UvpvwmBB3YXYSHXce:EVHB2FWIkeEBj9jClJk0fsUtJSHXc

Score

10^/10

asyncrat xworm default execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

and-statements.gl.at.ply.gg:43442

Attributes

delay
1
install
true
install_file
test124.exe
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

C2

form-fly.gl.at.ply.gg:41810

Attributes

Install_directory
%Public%
install_file
discord.exe

Targets

- Target
  
  testoutput.exe
- Size
  
  330KB
- MD5
  
  04896d586dfa7f3fabaa68ce99f54c03
- SHA1
  
  c2b1f452639879f593ff79837d6eb659f98ec329
- SHA256
  
  ebbb1bcaa8c10a142bc149726fac6e4d235075dfd4acb33c83d419eba5b8f030
- SHA512
  
  53eb676b95a94911546ff3a54195cd84fb0e618d161d7a5c0394df55e876cc8a04c39c403b9eb49ebfe89d666c670f750fd49918cfa621ea2458943487801de4
- SSDEEP
  
  3072:EKG/7z3B2pKDYGq7KIBBwRjH6Ee8jS9ujgrhfJkApfEX/UvpvwmBB3YXYSHXce:EVHB2FWIkeEBj9jClJk0fsUtJSHXc
Score

10^/10

asyncrat xworm default execution persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratxwormdefaultexecutionpersistencerattrojan