asyncrat

General

Target

EXM_Premium_Tweaking_Utility_1.0_Cracked.bat
Size

672KB
Sample

240813-zrvpzszgrn
MD5

f9ca73d63fe61c4c401528fb470ce08e
SHA1

584f69b507ddf33985673ee612e6099aff760fb1
SHA256

16431cc14917abeb316e0bc44045440a8f86b7ac4fdd0dce99de6435d493ecca
SHA512

6fd03320ec84baf09a16a127c2c0ed3c265906fcb1a3b807c13001e775c396b66539238392438a8f290be04b8b8684050736331f8f99dbe8b868b44f154dd9de
SSDEEP

3072:BIGzQbmbkAqA2xH7VkKEn14IZVvisLur+K3:BIGiVNEn14IZVvisL43

Score

10^/10

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%ProgramData%
install_file
MicrosoftEdgeUpdate.exe
pastebin_url
https://pastebin.com/raw/ZnhxAV6a
telegram
https://api.telegram.org/bot6701075763:AAGkvv2CpqBxGihH8FtOkSA7Uxy35GZpAFI/sendMessage?chat_id=5991331733

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6701075763:AAGkvv2CpqBxGihH8FtOkSA7Uxy35GZpAFI/sendMessage?chat_id=5991331733

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6701075763:AAGkvv2CpqBxGihH8FtOkSA7Uxy35GZpAFI/sendMessage?chat_id=5991331733

https://api.telegram.org/bot6701075763:AAGkvv2CpqBxGihH8FtOkSA7Uxy35GZpAFI/sendDocument?chat_id=599133173

https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=109642586

Targets

- Target
  
  EXM_Premium_Tweaking_Utility_1.0_Cracked.bat
- Size
  
  672KB
- MD5
  
  f9ca73d63fe61c4c401528fb470ce08e
- SHA1
  
  584f69b507ddf33985673ee612e6099aff760fb1
- SHA256
  
  16431cc14917abeb316e0bc44045440a8f86b7ac4fdd0dce99de6435d493ecca
- SHA512
  
  6fd03320ec84baf09a16a127c2c0ed3c265906fcb1a3b807c13001e775c396b66539238392438a8f290be04b8b8684050736331f8f99dbe8b868b44f154dd9de
- SSDEEP
  
  3072:BIGzQbmbkAqA2xH7VkKEn14IZVvisLur+K3:BIGiVNEn14IZVvisL43
Score

10^/10

asyncrat gurcu stormkitty xworm default credential_access defense_evasion discovery evasion execution persistence privilege_escalation ransomware rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- Modifies security service
  evasion
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- UAC bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Disables taskbar notifications via registry modification
  evasion
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Hijack Execution Flow: Executable Installer File Permissions Weakness
  Possible Turn off User Account Control's privilege elevation for standard users.
  defense_evasion persistence privilege_escalation
- Indicator Removal: Clear Persistence
  remove IFEO.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
behavioral1