asyncrat | fa37fb4035d2e946783605f105ddbc60accbe85035b99cd50c1add665c017c37 | Triage

Submit
Reports

Overview

overview

Static

static

1

cheat_load...__.bat

windows7-x64

3

cheat_load...__.bat

windows10-2004-x64

Sharing

General

Target

cheat_loader_v2.02___.bat
Size

3KB
Sample

240929-31dpls1cph
MD5

eea245644e31da14d04d9cd773894249
SHA1

838d855c89b7b9d4b84a8ff571b775dbf52a3fcb
SHA256

fa37fb4035d2e946783605f105ddbc60accbe85035b99cd50c1add665c017c37
SHA512

c86741059d06f349c4dcf089db5483d4bdaa10bdf728f3673e82167ff81a7495585d56b48faab6383f1d79aa02b202919a3a9c920f432f3b7f18595b679fb661

Score

10^/10

asyncrat xworm default discovery execution persistence privilege_escalation rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

cheat_loader_v2.02___.bat

Resource

win7-20240903-en

persistence privilege_escalation

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

cheat_loader_v2.02___.bat

Resource

win10v2004-20240802-en

asyncrat xworm default discovery execution persistence privilege_escalation rat trojan upx

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

https://pastebin.com/raw/XtM6NbiR:1135

Attributes

Install_directory
%AppData%
install_file
WindowsSecurityWrapper.exe
pastebin_url
https://pastebin.com/raw/XtM6NbiR

Extracted

Family

asyncrat

Version

L838 RAT v1.0.0

Botnet

Default

Mutex

gdgdgdgdggdawd

Attributes

delay
3
install
true
install_file
WindowsSmartScanner.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/vUf3YUgS

aes.plain

Targets

- Target
  
  cheat_loader_v2.02___.bat
- Size
  
  3KB
- MD5
  
  eea245644e31da14d04d9cd773894249
- SHA1
  
  838d855c89b7b9d4b84a8ff571b775dbf52a3fcb
- SHA256
  
  fa37fb4035d2e946783605f105ddbc60accbe85035b99cd50c1add665c017c37
- SHA512
  
  c86741059d06f349c4dcf089db5483d4bdaa10bdf728f3673e82167ff81a7495585d56b48faab6383f1d79aa02b202919a3a9c920f432f3b7f18595b679fb661
Score

10^/10

persistence privilege_escalation asyncrat xworm default discovery execution rat trojan upx
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

persistenceprivilege_escalation

behavioral2

asyncratxwormdefaultdiscoveryexecutionpersistenceprivilege_escalationrattrojanupx

© 2018-2024

Terms | Privacy