asyncrat

General

Target

corn.bat
Size

44KB
Sample

240930-t7bddsvfmp
MD5

e7a2eb0f8ad72bceec84b48c85cebbef
SHA1

789f12e6755ba3e5995169f1ad575185360f4387
SHA256

23474c7aca0d40d8920ba6f5b0ad5646f8d04075976ab3a53837dbb19638766f
SHA512

aa66289e3b41c5dc7c9b9a03eb96a2dbd6a33a408af0136afeaec41759a4da782031098954091d76d39bbd67b574a0c590fdb774258d30abc4eb07ce337cd1b4
SSDEEP

192:ckKne+fzSOWATUVF+qP7Hg1OA93vOOefDU4x4qL3JEgA9tS/Le2MGmHUQjw:cku1WATOF+qP7g1j93vp34xp1AGP20Qw

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

101.99.92.203:3232

91.92.247.210:3232

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

91.92.247.210:4449

Mutex

sarcofamdkdtq

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

C2

101.99.92.203:7000

Mutex

j5QcRri4Mh9CWUxn

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  corn.bat
- Size
  
  44KB
- MD5
  
  e7a2eb0f8ad72bceec84b48c85cebbef
- SHA1
  
  789f12e6755ba3e5995169f1ad575185360f4387
- SHA256
  
  23474c7aca0d40d8920ba6f5b0ad5646f8d04075976ab3a53837dbb19638766f
- SHA512
  
  aa66289e3b41c5dc7c9b9a03eb96a2dbd6a33a408af0136afeaec41759a4da782031098954091d76d39bbd67b574a0c590fdb774258d30abc4eb07ce337cd1b4
- SSDEEP
  
  192:ckKne+fzSOWATUVF+qP7Hg1OA93vOOefDU4x4qL3JEgA9tS/Le2MGmHUQjw:cku1WATOF+qP7g1j93vp34xp1AGP20Qw
Score

10^/10

execution asyncrat stealerium xworm default rat stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Stealerium
  An open source info stealer written in C# first seen in May 2022.
  stealer stealerium
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Detect Xworm Payload

Stealerium

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

Async RAT payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2