General

  • Target

    XBinderOutput.exe

  • Size

    3.1MB

  • Sample

    240803-tn54naydjr

  • MD5

    e18e846d4bdb6ef41cf0f0a27aa9f512

  • SHA1

    72b3cb545c09e18f0398dd0ab5ff97ce11cb6444

  • SHA256

    48d4f67b8b47513692ff94bd7716e8ca086752d5944af72e9404156ed8e31a53

  • SHA512

    c6e67e0f58666883f388c247fde1680028756ad0c6dc7421b45d3d3b9623abeb10c982999a8271e9b76b851fac70797c98a999bc22507d831108c2343b877633

  • SSDEEP

    98304:Xsee+YP9EONeQXCmKUgjVVO6BEr+49yOwboZZh:8eeBP9EOvtKUFM98Z

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

form-fly.gl.at.ply.gg:41810

Attributes
  • delay

    1

  • install

    true

  • install_file

    System32.exe

  • install_folder

    %AppData%

  • aes.plain

    CGbdZizQ9VtJakciom6aqaQYRJpfdxDN

Extracted

Family

xworm

C2

and-statements.gl.at.ply.gg:43442

Attributes
  • Install_directory

    %Public%

  • install_file

    discord.exe

Targets

    • Target

      XBinderOutput.exe


    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Async RAT payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory
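The behaviours in the signature list above (a PowerShell Defender exclusion, a Run key pointing into a user-writable folder such as %AppData% or %Public%, an external-IP lookup, and C2 on a ply.gg host, the domain used by the playit.gg tunnelling service) translate directly into host-telemetry rules. The following Go program is an added example, not part of this report or the sandbox: it runs such rules over constructed Sysmon-style events (process creation, registry value set, DNS query). The event layout, the flattening of registry fields into one string, and the short list of IP-lookup domains are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Event is a flattened Sysmon record (an assumed layout for this example):
// ID 1 = process create (Detail is the command line), ID 13 = registry value set
// (Detail is "TargetObject=Details"), ID 22 = DNS query (Detail is the QueryName).
type Event struct {
	ID     int
	Image  string
	Detail string
}

type rule struct {
	name string
	id   int
	re   *regexp.Regexp
}

// rules mirror the behaviours in the report's signature list. The IP-lookup domains are a
// short, assumed list; extend it from your own telemetry.
var rules = []rule{
	{"Defender exclusion added via PowerShell", 1,
		regexp.MustCompile(`(?i)add-mppreference\s+-exclusion(path|extension|process)\b`)},
	{"Run key persistence into a user-writable folder", 13,
		regexp.MustCompile(`(?i)\\currentversion\\run\\[^=]*=.*\\(appdata|users\\public|programdata)\\`)},
	{"External IP lookup", 22,
		regexp.MustCompile(`(?i)^(api\.ipify\.org|ip-api\.com|icanhazip\.com|checkip\.dyndns\.org)$`)},
	{"C2 over a tunnelling service domain", 22,
		regexp.MustCompile(`(?i)\.ply\.gg$`)},
}

// Hit ties a rule name to the process image that triggered it.
type Hit struct {
	Rule  string
	Image string
}

// Detect runs every rule over every event and returns the matches in event order.
func Detect(events []Event) []Hit {
	var hits []Hit
	for _, ev := range events {
		for _, r := range rules {
			if r.id == ev.ID && r.re.MatchString(ev.Detail) {
				hits = append(hits, Hit{r.name, ev.Image})
			}
		}
	}
	return hits
}

// SampleEvents is constructed telemetry shaped after the report's findings, plus two benign records.
func SampleEvents() []Event {
	return []Event{
		{1, `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
			`powershell.exe -Command Add-MpPreference -ExclusionPath "C:\Users\lab\AppData\Roaming\System32.exe"`},
		{13, `C:\Users\lab\AppData\Roaming\System32.exe`,
			`HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\System32=C:\Users\lab\AppData\Roaming\System32.exe`},
		{22, `C:\Users\Public\discord.exe`, `api.ipify.org`},
		{22, `C:\Users\lab\AppData\Roaming\System32.exe`, `form-fly.gl.at.ply.gg`},
		{1, `C:\Windows\explorer.exe`, `"C:\Windows\System32\notepad.exe" C:\Users\lab\notes.txt`},
		{13, `C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe`,
			`HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive="C:\Program Files\Microsoft OneDrive\OneDrive.exe"`},
	}
}

func main() {
	for _, h := range Detect(SampleEvents()) {
		fmt.Printf("%-48s %s\n", h.Rule, h.Image)
	}
}
```

The Run-key rule deliberately keys on the target path rather than the value name: the sample's install_file is called System32.exe, which looks legitimate in a value name but is dropped under %AppData%, where no Windows component lives.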

MITRE ATT&CK Enterprise v15
