Analysis
-
max time kernel
135s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
12-08-2024 13:30
General
-
Target
XWorm-Rat-Remote-Administration-Tool--main/dnlib.exe
-
Size
12KB
-
MD5
013965d8a511aec735b069e3ec027d4f
-
SHA1
f2673470953b247525a6a54e53417fd844b0e816
-
SHA256
27f8adbfd40471340ecf13950e143c0fdc7acade26458edf99781b4138cd4a02
-
SHA512
fa0e8a2e78c34e6e6b3ab4c225f6c08356e024d900fdc6d3bcc69beb57a17c6c205a34c155d9766917b2fe769415fc4232fcdc9c0f7807c9c0c61ecd7bb13016
-
SSDEEP
192:CFLcpUO6T4Y1e/T0YmYV52ZYu3hQWreHaadrq8uSF3:CFL6UZT4Y1OT0YmeoZ33h1reHJUSF
Malware Config
Extracted
asyncrat
1.0.7
def
37.18.62.18:8060
era2312swe12-1213rsgdkms23
-
delay
1
-
install
true
-
install_file
CCXProcess.exe
-
install_folder
%Temp%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload 1 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe"C:\Users\Admin\AppData\Local\Temp\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system32\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\windows\temp\uxvncov0.inf2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\sysfile32.exe"C:\Users\Admin\AppData\Local\Temp\sysfile32.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\x86.exeC:\Users\Admin\AppData\Local\Temp\x86.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /IM cmstp.exe /F1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
52KB
MD50c2d61d64f4325ca752202e5bf792e9e
SHA1e7655910a124dd10beb774a693f7caccf849b438
SHA256d0dd06d26f09eed4755de33c63e29aeb8161cd9b0ca123af3474c5594df57ec1
SHA5121205a69419c38605e9a84200b1cc7731a3e169fae265dfc324a9edaf98bbc06f110bdf63d08f6b97d312cd0ce1fffe9ef8649f116ac27eb8b659ad88519d9c46
-
Filesize
12KB
MD5f922206889c896cf2d86f21e9f9db7db
SHA1046b00f2edb34982db266d903627ced283f4a5ea
SHA2561ac4832667db7044b1077e447d587a14dcd1270e71b8d34157a77d515b61c4b3
SHA512abe82360ab14ed1e0c0c25da46a7558638671de1701e383b7a9bc122edecbc1eb13c760835a7e626a7d3ba326d4705acb53987e61d45332027913512befc4965
-
Filesize
542B
MD55c23ac475d677288f01378eb90a7d32c
SHA18801e0122b4c2575bc8dcfbf04421a2c446dddf7
SHA2567f146ed6fa2a2fbde0cda5e2afc47d4987dc62b8d3edb75d4d7341653bcefabe
SHA51221c7ec4352e9c2c4a5472b4b5fee1372440589f27cd3f7b9bd756ce9d311b90c28fe82403cf8435119fc0ed13da03b6773f774b68128f1b280f7ecd5cafd4961
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
10.8MB