asyncrat

Sharing

General

Target

OpenPorts (1).rar
Size

229.9MB
Sample

240913-x18l4avbjb
MD5

7626ffa3b3acec97260983592c98181e
SHA1

23e29402a3b7f9f0ec5622f9842fd4ba81deba42
SHA256

11aaf8e69584b151ba6630c78446ff2344888fdd80442ab32ce6c7a2e086bd2c
SHA512

1300f896c8ff72c332156cf61b0ea5f48fd69d7362ec8f4a38e16d9ec8c7b5a305df31748ce482b609a2644d35d0d67b58b721f06dd0ddd7b23d89201ec63c03
SSDEEP

6291456:S8FCzSoURHeB5idEbr4XlArJqwHljJatEwIYKwsrRYLdo:TFB3+BPr4XlArHatIRwweJo

Score

10^/10

Malware Config

Extracted

Family

xworm

127.0.0.1:3232

l838.ddns.net:3232

0x365c3e6EeF15a2938FC7267D5A3386c8e23aBc5F:123

Attributes

Install_directory
%ProgramData%
install_file
Windows Security Wrapper.exe

Extracted

Family

asyncrat

Version

L838 RAT v1.0.0

Botnet

Default

127.0.0.1:54984

l838.ddns.net:54984

Mutex

kswxiqghhjgkjqpqzz

Attributes

delay
3
install
true
install_file
Windows Service Wrapper.exe
install_folder
%programdata%

aes.plain

Extracted

Family

nanocore

Version

1.2.2.0

127.0.0.1:1608

Mutex

604f8f8e-6001-41ac-bd3b-ab5444c68531

Attributes

activate_away_mode
false
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-06-24T16:20:21.998686336Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
1608
default_group
Default
enable_debug_mode
false
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
604f8f8e-6001-41ac-bd3b-ab5444c68531
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  DUCSetup_v4_1_1.exe
- Size
  
  238KB
- MD5
  
  7b96d025509f1c5c068e47ebf625a0ca
- SHA1
  
  0c43a1d98beeeb880f4482395d66541801929f83
- SHA256
  
  266ff507ee98dc8b0785951a8179f4449aa83ac5ae92a1a45f62a879ec6e8f44
- SHA512
  
  297a6977b8d32acbb6ac459bd3a11f38a8461f60b10c19d85e859adef69c3cd1e7ab854875adc7e2d0909d35b9581af1f7941c3512c15567f6399d1341af1457
- SSDEEP
  
  3072:TgXdZt9P6D3XJc45pk5KNDj7Od+g6PeBVbEYJ7+mEm/EFSeHp7TAnKLR6Ls+CuIk:Te34uakUh7a6WP7+J1vAPz3IOFd58
Score

7^/10

discovery
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/Banner.dll
- Size
  
  4KB
- MD5
  
  0116a50101c4107a138a588d1e46fca5
- SHA1
  
  b781dce23e828cf2b97306661c7dad250a6aaf77
- SHA256
  
  ab80cf45070d936f0745f5e39b22e6e07ba90aa179b5ec4469ef6e2cb1b9ef6b
- SHA512
  
  55de6aeaad05b01a25828553d3ea9f1b32a8b0c35c42dc6106bed244320e3421ec6a6f5359b15f9d18dd1e9692ca5572b2736d9d48cceb07b9443601d00a5988
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/NSISdl.dll
- Size
  
  14KB
- MD5
  
  a5f8399a743ab7f9c88c645c35b1ebb5
- SHA1
  
  168f3c158913b0367bf79fa413357fbe97018191
- SHA256
  
  dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
- SHA512
  
  824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977
- SSDEEP
  
  192:tUZTobBDJ68r67wmsvJI5ad9cXzFOVu+mZ/P3p+57CvpVqDxVp01Dwn2GRPgsfA:6Bo/680dCI5adOjFOg9//p27uNw2Go
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  c17103ae9072a06da581dec998343fc1
- SHA1
  
  b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
- SHA256
  
  dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
- SHA512
  
  d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
- SSDEEP
  
  192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  c10e04dd4ad4277d5adc951bb331c777
- SHA1
  
  b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
- SHA256
  
  e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
- SHA512
  
  853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e
- SSDEEP
  
  96:hBABCcnl5TKhkfLxSslykcxM2DjDf3GE+Xv8Xav+Yx4VndY7ndS27gA:h6n+0SAfRE+/8ZYxMdqn420
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  acc2b699edfea5bf5aae45aba3a41e96
- SHA1
  
  d2accf4d494e43ceb2cff69abe4dd17147d29cc2
- SHA256
  
  168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
- SHA512
  
  e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
- SSDEEP
  
  96:M7GUb+YNfwgcr8zyKwZ5S4JxN8BS0ef9/3VI9d0qqyVgNk32E:eKgfwgcr8zylsB49Ud0qJVgNX
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  DUC40.exe
- Size
  
  339KB
- MD5
  
  ccbb3c81469d426354994fdb58506451
- SHA1
  
  8c8d2b6440797de0eb190177defbcf8e209a889c
- SHA256
  
  aad09c161909a7d290a395d80c3cfd2aecd953b4e45a9ca017d460f036b68580
- SHA512
  
  dc16922e7ec583790d1399eccb8d19adb1f6d9193a502b5926e07fd968e47892622dc57c4762ab81bcac7bf29de448c4f73518cc0122373718b2435ce18a2ad3
- SSDEEP
  
  3072:xeZeMmQ6PZ/0JsYoA6XKp222ltZKpnFsRQqA844VUtZKCd27FIH3dpvxe0GBgqA:IsMmQ6PJa2tAFeZA844VUtAfEiA
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  ducapi.dll
- Size
  
  72KB
- MD5
  
  c57989f9774cd4932c7b231e0736b26a
- SHA1
  
  c8417026a4f9553a0a4146214b7d2815aa683df0
- SHA256
  
  92d3aa640da2dc72982645e3ee3f80571abff1d24e97f940ff39052ea5c189f9
- SHA512
  
  581ccfac11c10525ff110b104566d9dff68c8cd683605f8927948efc463537da63bec799cc17265c2413f975e298a9f08c908239fc4216fbcd89391b8e6a9535
- SSDEEP
  
  1536:rEXobml7XkoofW4oSBUcKBBNNONOfR4c/+Xab:rEXumEW4oH9B/NONwR4c/Bb
Score

1^/10
behavioral15 behavioral16
- Target
  
  portmapper-2.2.3.exe
- Size
  
  5.2MB
- MD5
  
  9f14a0573f96ce3c3374044e585f7eb0
- SHA1
  
  88247dac3c2a4e5a760c215436a99afe9ad5577f
- SHA256
  
  e5f62be708a0caa8b4e5dfcf07127eabc49a8a61a300f434367718b7e7c2e7e3
- SHA512
  
  f1e5af30c5c251a294998eb15cef22d22c6e30c900e08d86721ad3bfe400b86b8866c8ec66082014f3f3da2fb576a4cf35f1ff9e1f36d1dad26403fa96f9f91b
- SSDEEP
  
  98304:rqw3fQlyOEaEyr9QsYhzAkSuwnu0J74Ijb4eDaJo99AXvhdkfx5:rqw3fsVPYa7J7zjxae7iZdK
Score

10^/10

asyncrat nanocore xworm default defense_evasion discovery evasion execution keylogger persistence rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral17 behavioral18