Overview

overview

10

Static

static

1

corn.bat

windows7-x64

8

corn.bat

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    corn.bat

  • Size

    25KB

  • Sample

    240925-mg9d6szgjm

  • MD5

    2c82d131bec739831e83aee1b7e39ea3

  • SHA1

    a34c4733bc21f390751f8271f0a300112f523b90

  • SHA256

    794e2e7342934bdd01396b10677eec9ec01fc9031b35be49e4e2f5a9ceee9adb

  • SHA512

    07b2b03cb58cdff99a9890d6f4d28c9d24cf625c5bd3075934b63edb914db89bae02f868deafd50d8053da153e911689c1caebb8efc35e83c014308d2ee17166

  • SSDEEP

    768:gTYcpQyuPmhDGEhtKCd6BgL/3uq5soVWn20PRv97mrPfl:gTYcpQyuPmhDGEhtKCdlL/HhVKl1Sr3l

Score
10/10
asyncratstealeriumxwormdefaultcollectiondiscoveryexecutionpersistenceprivilege_escalationratstealertrojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

101.99.92.203:3232

91.92.247.210:3232

45.66.231.150:3232
Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
aes.plain
aes.plain

Extracted

Family

xworm

Version

5.0

C2

101.99.92.203:8000

Mutex

Xyva8ZHyTHQcBno1

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

91.92.247.210:4449

Mutex

sarcofamdkdtq

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      corn.bat

    • Size

      25KB

    • MD5

      2c82d131bec739831e83aee1b7e39ea3

    • SHA1

      a34c4733bc21f390751f8271f0a300112f523b90

    • SHA256

      794e2e7342934bdd01396b10677eec9ec01fc9031b35be49e4e2f5a9ceee9adb

    • SHA512

      07b2b03cb58cdff99a9890d6f4d28c9d24cf625c5bd3075934b63edb914db89bae02f868deafd50d8053da153e911689c1caebb8efc35e83c014308d2ee17166

    • SSDEEP

      768:gTYcpQyuPmhDGEhtKCd6BgL/3uq5soVWn20PRv97mrPfl:gTYcpQyuPmhDGEhtKCdlL/HhVKl1Sr3l

    Score
    10/10
    executionasyncratstealeriumxwormdefaultcollectiondiscoverypersistenceprivilege_escalationratstealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Detect Xworm Payload

    • Stealerium

      An open source info stealer written in C# first seen in May 2022.

      stealerstealerium

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks