asyncrat

General

Target

01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N
Size

1.2MB
Sample

241008-z3tl3a1dqg
MD5

46feda17e80f3d49da421376b8ed69f0
SHA1

7f07a79d769261a5d51d5d74d878b2dc231eb6d2
SHA256

01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5
SHA512

d21cf60bfba3424895946180001e43e052ce028bb018950853205e0d6808a3c967de94bd23eb1b2a75440544404822a8569aab29cd776146965a8aacb7b77e6a
SSDEEP

12288:VNcWyda1DbJ0No0RJTTlTTJMtB6eSRV5txtIMzJTTlTTruAN6DbhQnNmWEOwoU8L:zcx4DEoSMKeYKMqnenNmWbjU8CcXjFg

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

159.65.24.61:7812

Mutex

ApBO5aKkoFf776MU

Attributes

Install_directory
%AppData%
install_file
Windows Defender Service.exe
telegram
https://api.telegram.org/bot7308504158:AAGvjg5ZWkkItSzfmQZs_qu73xKZ_gWVkJI/sendMessage?chat_id=6291749148

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

185.252.232.158:7812

64.23.232.116:7812

Mutex

vsvf

Attributes

delay
1
install
true
install_file
Windows Security Health Service.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5N
- Size
  
  1.2MB
- MD5
  
  46feda17e80f3d49da421376b8ed69f0
- SHA1
  
  7f07a79d769261a5d51d5d74d878b2dc231eb6d2
- SHA256
  
  01f20bc6aeea3f99b634c203f16d3eb6298ed184c824cffdd16895385922bde5
- SHA512
  
  d21cf60bfba3424895946180001e43e052ce028bb018950853205e0d6808a3c967de94bd23eb1b2a75440544404822a8569aab29cd776146965a8aacb7b77e6a
- SSDEEP
  
  12288:VNcWyda1DbJ0No0RJTTlTTJMtB6eSRV5txtIMzJTTlTTruAN6DbhQnNmWEOwoU8L:zcx4DEoSMKeYKMqnenNmWbjU8CcXjFg
Score

10^/10

asyncrat stormkitty xworm default discovery persistence privilege_escalation rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- VenomRAT
  Detects VenomRAT.
  rat
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral1 behavioral2