Analysis
-
max time kernel
1775s -
max time network
1791s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
07-08-2024 17:14
General
-
Target
XWormLoader 5.1 x32.exe
-
Size
256KB
-
MD5
dfad6480336587ed4ca5f713db8e5bc5
-
SHA1
61e57a8e6ccb6e46623f51726c1f5851724c4a58
-
SHA256
02f4c1fef324c120432c4d54cd97d4aef3eddc2c426b03f9990cdeef37bdf6c9
-
SHA512
6f19ea16ec970529a4b38edbac13e5229580fe29303a8b3e3b7646637f44d73434fdfb029eee33e26fbbfb91489cf7156cc1ec12c3658ddeacad340235121a85
-
SSDEEP
3072:jMSncRzAOFI2o8F7CSQkPKufUYFm5boDkf6d6xHA2ewhLapuvpAsZOyMqmyBeYV7:YSncRl3oQXC5bdfdl/GWGwqqm1
Malware Config
Extracted
asyncrat
| Edit 3LOSH RAT
rat1
xfreddy2751.duckdns.org:6606
xfreddy2751.duckdns.org:7707
xfreddy2751.duckdns.org:8808
darkstorm275991.ddns.net:6606
darkstorm275991.ddns.net:7707
darkstorm275991.ddns.net:8808
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
License.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 39 IoCs
-
Suspicious use of SendNotifyMessage 39 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.1 x32.exe"C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.1 x32.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CONSOLEAPP1.EXE"C:\Users\Admin\AppData\Local\Temp\CONSOLEAPP1.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\NEW.EXE"C:\Users\Admin\AppData\Local\Temp\NEW.EXE"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "License" /tr '"C:\Users\Admin\AppData\Roaming\License.exe"' & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "License" /tr '"C:\Users\Admin\AppData\Roaming\License.exe"'4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp85E9.tmp.bat""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\License.exe"C:\Users\Admin\AppData\Roaming\License.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -Embedding1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD53facc93eb70a073f208f90955fb055cb
SHA18f04cf5b9c9164f82b7e77034eee62396f6c5bf0
SHA256608c73065d03ab7da0a0b8c8c3db3e073b2403a8d0249b9d684286f58e52dead
SHA512269fb263dd7a2f383c2442a43e98435c4ee0767eab55c77ce5ff2e169089739e746f70208baaac2e4459076596a6afbf3fc8960d1ce9b8f46e91f7e462bd649c
-
Filesize
63KB
MD5e2b473487e4b8429711aef51a68f56a4
SHA17d3119b07b951c68d17ae12e0764072a8c3d961b
SHA256c2ced27749e5bf8d9d01de0feb58ab40818c3f4339dd9c5898b2b6168be2ce44
SHA512ead5c2977428cd44eb98f48511dbce8e64f5544fc3f8cc3e706f24f5903eeca92207a07c18f089e4451f8ed5264c28b6e1e088437100cc6c7274432275d18dd1
-
Filesize
151B
MD59476a3f8c8569c6842fe1f64cf715618
SHA15a510f8702c54d07215e869f74497d1578fe1baf
SHA25644bddc947d2daff86f76cfc1b9532111b67c4bfe2af8e53c5a92d6789aa5d40d
SHA5126ded7decb418df8351834ab8b0a0c3e56f7b6cdc793b76956e2ad1797539e1c6add5aca1849d3d1ef1878572d47300be348e94d93806cabcd5339c9d6962c750
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
32KB