General
-
Target
new.bat
-
Size
18.0MB
-
Sample
240815-xaelbs1hpj
-
MD5
35168f928a81982fc428113f484ea21e
-
SHA1
2029d685911c351cea2857e12c1755df330e4978
-
SHA256
496ba960a9fdf59b00191e7750cfc3940fe5a49610988799cbe3d9cc5d3f5344
-
SHA512
4b2dc4e91c04180cb372460231e75270252f389231d759bcd96af05dbb479647d39e860e3f22dcf7041e8ec214a1a12125e8ccf52cd26f87d13ee163d58726ec
-
SSDEEP
48:HmGJ3NlBmmTaQgTymDyb4J7rmxo6rmxoAbYk8OkeFhCaoe1aLHtZQ5ImvBSygyGV:H9FmmNfjwhSCu7OmLT7SkoLEu3S0yhr
Malware Config
Extracted
asyncrat
5.0.5
Venom Clients
momehvenom.duckdns.org:8520
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
xworm
3.1
momekxwrm.duckdns.org:8292
xwor3july.duckdns.org:9402
yh66xbyAobQEOS5f
-
install_file
USB.exe
Extracted
xworm
5.0
xwrmmone.duckdns.org:9390
jg6HwHbepPocwygj
-
install_file
USB.exe
Extracted
asyncrat
0.5.7B
Default
modsmasync.duckdns.org:6745
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
asyncrat
Default
nanarchym.duckdns.org:7878
-
delay
1
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
new.bat
-
Size
18.0MB
-
MD5
35168f928a81982fc428113f484ea21e
-
SHA1
2029d685911c351cea2857e12c1755df330e4978
-
SHA256
496ba960a9fdf59b00191e7750cfc3940fe5a49610988799cbe3d9cc5d3f5344
-
SHA512
4b2dc4e91c04180cb372460231e75270252f389231d759bcd96af05dbb479647d39e860e3f22dcf7041e8ec214a1a12125e8ccf52cd26f87d13ee163d58726ec
-
SSDEEP
48:HmGJ3NlBmmTaQgTymDyb4J7rmxo6rmxoAbYk8OkeFhCaoe1aLHtZQ5ImvBSygyGV:H9FmmNfjwhSCu7OmLT7SkoLEu3S0yhr
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect Xworm Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Xworm
Xworm is a remote access trojan written in C#.
-
Async RAT payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Powershell Invoke Web Request.
-
Executes dropped EXE
-
Loads dropped DLL
-