General

  • Target

    xwormcracked.zip

  • Size

    5.0MB

  • Sample

    240812-qrybfatajn

  • MD5

    258df0481a803a54bad8a6da681b059c

  • SHA1

    7632d5f608bf8ee5bdba4a40b3a23dee91012fd4

  • SHA256

    aa086a05b25739860bae302f719b1213e98549da2c82da2a397f9b1e42c0bb9a

  • SHA512

    9dbcbca17ea948e4011d9aeb4bbe14cfc72a7c050548bb8ed0197ecda78362211dcb71f77e875d83b2b845f8662b12718df8d54cd696291760e8797f1b1b3441

  • SSDEEP

    98304:pjAOrfOeXjeCSFFEYhuox9mv7Ys7q2f2iIRUeIV1iwLZnnpha7Vmlf0:pj/YCSFFEYfbA77q2+jS5nLbED

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

def

C2

37.18.62.18:8060

Mutex

era2312swe12-1213rsgdkms23

Attributes

  • delay

    1

  • install

    true

  • install_file

    CCXProcess.exe

  • install_folder

    %Temp%

aes.plain

Targets

    • Target

      XWorm-Rat-Remote-Administration-Tool--main/CMSTP.dll

    • Size

      42KB

    • MD5

      00797469e557f752e30d73f654ac54c3

    • SHA1

      63e9c4308d885dc5ebc27235eb4e289c8321b655

    • SHA256

      1ae19061164d5ee2cf10866d99765d9f62e4f65a61581eccde5c2e938e454a73

    • SHA512

      6dec1d87cafd3fcaa2af076d621a1d069c012841e7e58cb12bd12b0922e82d0f19daa29a3ef28399c7f519e4bab1cf0ca73aba338eae85bd8d2cff27c6452cbb

    • SSDEEP

      384:frzfdimXUVwZb7M4A1aPycXmCLkVb1a/dWQZnqntywxmg1DuTfp7KHV3W06WIP33:frzU2Zb7HARummk8dNqtyz926WuOe

    Score
    1/10
    • Target

      XWorm-Rat-Remote-Administration-Tool--main/DisAsClaimer.exe

    • Size

      12KB

    • MD5

      f922206889c896cf2d86f21e9f9db7db

    • SHA1

      046b00f2edb34982db266d903627ced283f4a5ea

    • SHA256

      1ac4832667db7044b1077e447d587a14dcd1270e71b8d34157a77d515b61c4b3

    • SHA512

      abe82360ab14ed1e0c0c25da46a7558638671de1701e383b7a9bc122edecbc1eb13c760835a7e626a7d3ba326d4705acb53987e61d45332027913512befc4965

    • SSDEEP

      192:wLwX9CLPN0LjrJUMmYVY2aq3xWrhSaadrq8uSF3u:owNCLPN0/9UMme313UrhSJUSF

    Score
    1/10
    • Target

      XWorm-Rat-Remote-Administration-Tool--main/FastColoredTextBox.dll

    • Size

      333KB

    • MD5

      b746707265772b362c0ba18d8d630061

    • SHA1

      4b185e5f68c00bef441adb737d0955646d4e569a

    • SHA256

      3701b19ccdac79b880b197756a972027e2ac609ebed36753bd989367ea4ef519

    • SHA512

      fd67f6c55940509e8060da53693cb5fbac574eb1e79d5bd8f9bbd43edbd05f68d5f73994798a0eed676d3e583e1c6cde608b54c03604b3818520fa18ad19aec8

    • SSDEEP

      6144:4FErOIif3RzSHh+20lXs1TzCeBcQeDbNlz7:eEeR52bmeh0n

    Score
    1/10
    • Target

      XWorm-Rat-Remote-Administration-Tool--main/Fixer.bat

    • Size

      122B

    • MD5

      2dabc46ce85aaff29f22cd74ec074f86

    • SHA1

      208ae3e48d67b94cc8be7bbfd9341d373fa8a730

    • SHA256

      a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55

    • SHA512

      6a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3

    Score
    1/10
    • Target

      XWorm-Rat-Remote-Administration-Tool--main/Guna.UI2.dll

    • Size

      2.1MB

    • MD5

      d65fd6dbbd3c9ac74139aeaedc4a5816

    • SHA1

      407ae10ccc8e19798bf75cb90b2150cb63a9db66

    • SHA256

      84199a22c8669a39800272c3da0d969ec4e8d77d67b9d324ca049953a5042c71

    • SHA512

      b8a99e88d49a6f9ff89339fa5acc9df8b59665d2ec22ccb4741e501bba6b280b00336906a637d8f071f86a4dcd68ca4ac86683e651466f084cb96d0e3152eddf

    • SSDEEP

      49152:ClU6fD73waJnBA5lV8jldVmIgA5iKOvhn:ClU6vznglEldVmIJi/vt

    Score
    1/10
    • Target

      XWorm-Rat-Remote-Administration-Tool--main/NAudio.dll

    • Size

      502KB

    • MD5

      3b87d1363a45ce9368e9baec32c69466

    • SHA1

      70a9f4df01d17060ec17df9528fca7026cc42935

    • SHA256

      81b3f1dc3f1eac9762b8a292751a44b64b87d0d4c3982debfdd2621012186451

    • SHA512

      1f07d3b041763b4bc31f6bd7b181deb8d34ff66ec666193932ffc460371adbcd4451483a99009b9b0b71f3864ed5c15c6c3b3777fabeb76f9918c726c35eb7d7

    • SSDEEP

      6144:96/i10SZtfzWctj98vZcE0wmLlaIZs5eku2sX2hrjAzvgmXa6W9FwsT9idwktQZG:9yrSKMJR9aGs55T1X9Fwspi2tGpmS

    Score
    1/10
    • Target

      XWorm-Rat-Remote-Administration-Tool--main/XHVNC.exe

    • Size

      1.9MB

    • MD5

      4904329d091687c9deb08d9bd7282e77

    • SHA1

      bcf7fcebb52cad605cb4de65bdd077e600475cc7

    • SHA256

      e92707537fe99713752f3d3f479fa68a0c8dd80439c13a2bb4ebb36a952b63fd

    • SHA512

      b7ba131e9959f2f76aa3008711db9e6f2c4753a232140368be5c8388ab0e25154a31e579ef87fe01a3e4bc83402170bb9fbf242c6f01528455246b793e03fdfb

    • SSDEEP

      24576:CmErCsazef+APWb6+CILRbTcJiWevOIWr9Lrdl5p0WdaMCtGjC+Ub:CPF+CWb6+CILRncZe65rb5p0ehVCr

    Score
    7/10
    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Target

      XWorm-Rat-Remote-Administration-Tool--main/XWorm-RAT-V2.1-builder.exe

    • Size

      3.2MB

    • MD5

      339b7f92641c0f5161731fc681aaeb3a

    • SHA1

      21d2d89e9ade90df638f33d314ac68e30f6aa52e

    • SHA256

      b6fb77dfd00695678b06ed122523a0b067077fe69113f395661cd3be748d9f7c

    • SHA512

      58e5ff1d92be52df114b7f060d700823dff9158ec765cf9b19ab9df0ace2669405467f49d1bd56ce04871683fbcbaace5976ebdbd1575490ff411333a3905134

    • SSDEEP

      24576:o08GeFzFDzPLDP8c1uAowyLQfB/eVjKIOQaBcM707ae8gpeJF+kR8YD2Y35/5Mb6:4/TjrHWKWDOQko29ueJsq8z

    Score
    1/10
    • Target

      XWorm-Rat-Remote-Administration-Tool--main/XWormUI.exe

    • Size

      52KB

    • MD5

      0c2d61d64f4325ca752202e5bf792e9e

    • SHA1

      e7655910a124dd10beb774a693f7caccf849b438

    • SHA256

      d0dd06d26f09eed4755de33c63e29aeb8161cd9b0ca123af3474c5594df57ec1

    • SHA512

      1205a69419c38605e9a84200b1cc7731a3e169fae265dfc324a9edaf98bbc06f110bdf63d08f6b97d312cd0ce1fffe9ef8649f116ac27eb8b659ad88519d9c46

    • SSDEEP

      768:mqUR8bIL+Cyq+DiZtelDSN+iV08Ybygem++2O3vEgK/Jd/yVNNECVc6KN:mxIeZtKDs4zb1uBO3nkJIrqCVclN

    Score
    10/10
    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Target

      XWorm-Rat-Remote-Administration-Tool--main/dnlib.dll

    • Size

      1.1MB

    • MD5

      9ed69fbbfdec5d95ea229da3969dd77b

    • SHA1

      7972339f0a1b6a28a2f335c84cdfc5d9beee72b6

    • SHA256

      e8bc7a627149386cb3cf714ae0101f69440f72cf2e7468a677b727b32aaed755

    • SHA512

      61bfaa00736487ed736a27c1a9e45ce14b578452471866d195ce1a4736e72bd4bec98938b8cbb83ffbf09cbf188e9b8760452cc95ee30565414882aadd0171a6

    • SSDEEP

      24576:+9itfCdSZYeP0jsLpPl44znxuhv7fBTu1Z:W5QF6

    Score
    1/10
    • Target

      XWorm-Rat-Remote-Administration-Tool--main/dnlib.exe

    • Size

      12KB

    • MD5

      013965d8a511aec735b069e3ec027d4f

    • SHA1

      f2673470953b247525a6a54e53417fd844b0e816

    • SHA256

      27f8adbfd40471340ecf13950e143c0fdc7acade26458edf99781b4138cd4a02

    • SHA512

      fa0e8a2e78c34e6e6b3ab4c225f6c08356e024d900fdc6d3bcc69beb57a17c6c205a34c155d9766917b2fe769415fc4232fcdc9c0f7807c9c0c61ecd7bb13016

    • SSDEEP

      192:CFLcpUO6T4Y1e/T0YmYV52ZYu3hQWreHaadrq8uSF3:CFL6UZT4Y1OT0YmeoZ33h1reHJUSF

    Score
    10/10
    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks