Overview

overview

10

Static

static

3

sample.zip

windows7-x64

8

sample.zip

windows10-1703-x64

10

sample.zip

windows10-2004-x64

8

sample.zip

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    sample.zip

  • Size

    42.8MB

  • Sample

    240926-q9tqza1amn

  • MD5

    7579c349d3f04d81d16020218b4b014e

  • SHA1

    7299091625d2af8508e6c3e07e236ee47ac4400a

  • SHA256

    0366ac31796c460c24e7d71469e86f4c7e9509f3b52f4c24921d19d7b5786f16

  • SHA512

    6e7a4f071e8c74686d18892768e8158d00fba5bebad9bd0947374b08b79b7b0fa87f756618ad80ba5728db71db42a556fad990066f9d87232c0c2e35d00e3e94

  • SSDEEP

    786432:oDXXuerfHkIZf06hLwbl9Pm2TW38ZF+oxwk4fbSep82zpMN8:oDnXfHkIZcXM2TdZooxwnXWN8

Score
10/10
asyncratstealeriumxwormdefaultcollectiondiscoveryexecutionpersistenceprivilege_escalationratstealertrojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

101.99.92.203:3232

91.92.247.210:3232

45.66.231.150:3232
Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
aes.plain
aes.plain

Extracted

Family

xworm

Version

5.0

C2

101.99.92.203:8000

Mutex

Xyva8ZHyTHQcBno1

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

91.92.247.210:4449

Mutex

sarcofamdkdtq

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      sample.zip

    • Size

      42.8MB

    • MD5

      7579c349d3f04d81d16020218b4b014e

    • SHA1

      7299091625d2af8508e6c3e07e236ee47ac4400a

    • SHA256

      0366ac31796c460c24e7d71469e86f4c7e9509f3b52f4c24921d19d7b5786f16

    • SHA512

      6e7a4f071e8c74686d18892768e8158d00fba5bebad9bd0947374b08b79b7b0fa87f756618ad80ba5728db71db42a556fad990066f9d87232c0c2e35d00e3e94

    • SSDEEP

      786432:oDXXuerfHkIZf06hLwbl9Pm2TW38ZF+oxwk4fbSep82zpMN8:oDnXfHkIZcXM2TdZooxwnXWN8

    Score
    10/10
    executionasyncratstealeriumxwormdefaultcollectiondiscoverypersistenceprivilege_escalationratstealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Detect Xworm Payload

    • Stealerium

      An open source info stealer written in C# first seen in May 2022.

      stealerstealerium

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks