asyncrat | 3264d09d3a398417226b7d346c2fc4757ffa445373763e2d7c2f18ef6edb2354

Sharing

General

Target

3264d09d3a398417226b7d346c2fc4757ffa445373763e2d7c2f18ef6edb2354
Size

6.6MB
Sample

241018-vxavjs1bnm
MD5

ed24b048880a8a2a3b7ac4911a7e81df
SHA1

80f631b5481ec48729c3a738dc7ab003b4cd61c1
SHA256

3264d09d3a398417226b7d346c2fc4757ffa445373763e2d7c2f18ef6edb2354
SHA512

fab270e82961ecf6c1db9a53eb0dc81b0a3d6251b39421486dfa6e6f20826577c2db0624444de39f8a91465fb5ab1530e5530480cdc9b5b33b8ab260350bfe2f
SSDEEP

196608:Xx3sgZH4wNNHmaqTE6kTcSzCkNBcjx3sgZdJ:h8CnDm7HORBcF8CdJ

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

3.0

topics-junior.at.ply.gg:45283

Mutex

7K8kkC78j4IfMAr6

Attributes

Install_directory
%AppData%
install_file
wininit.exe

aes.plain

Extracted

Family

quasar

Version

1.4.0

Botnet

Test

scambaiting2022.ddns.net:25565

192.168.1.3:25565

Mutex

41845399-4858-4791-bd1c-b2526f38e8cc

Attributes

encryption_key
77693888CF811B44AE75658ADBCA8897192A96FF
install_name
update.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Chrome Update
subdirectory
Chrome

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://54.208.157.120:80/Night_uac/amsi.ps1

ps1.dropper

http://54.208.157.120:80/Night_uac/uac.ps1

ps1.dropper

http://54.208.157.120:80/Night_uac/command.ps1

ps1.dropper

http://54.208.157.120:80/Night_uac/down.ps1

Extracted

Language

ps1

Source

URLs

exe.dropper

http://54.208.157.120:80/Night_uac/Uac_main.ps1

exe.dropper

http://54.208.157.120:80/Night_uac/payloads/9usd7yge.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://54.208.157.120:80/winlogin.exe

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

16.ip.gl.ply.gg:56795

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:10001

127.0.0.1:9147

windowsddns.duckdns.org:6606

windowsddns.duckdns.org:7707

windowsddns.duckdns.org:8808

windowsddns.duckdns.org:10001

windowsddns.duckdns.org:9147

country-wellness.gl.at.ply.gg:6606

country-wellness.gl.at.ply.gg:7707

country-wellness.gl.at.ply.gg:8808

country-wellness.gl.at.ply.gg:10001

country-wellness.gl.at.ply.gg:9147

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
Days Out.exe
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

im523

Botnet

scammer

topics-junior.at.ply.gg:45283

Mutex

87fbb7d05011dd3c6b564f136007bf19

Attributes

reg_key
87fbb7d05011dd3c6b564f136007bf19
splitter
|'|'|

Extracted

Family

quasar

Version

1.4.1

Botnet

My VM

myownvm.anondns.net:13832

37.120.141.165:13832

server1.trustedvpnservices.com:13832

higradevpn.xyz:13832

Mutex

071e2576-e94a-492e-8303-baae1cb4641c

Attributes

encryption_key
402F6F1B2F63357285F585A5880FBC2C0F468F55
install_name
ShellExperienceHost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Shell Experience Host
subdirectory
drivers

Extracted

Family

orcus

Botnet

Scammers

44.203.122.41:1604

Mutex

b040a0c11d1a4273bc5428c0c9cb2c5b

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%appdata%\Orcus\explorer.exe
reconnect_delay
9000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\AnyDex.exe

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://54.208.157.120:80/scambtr_uac/amsi.ps1

ps1.dropper

http://54.208.157.120:80/scambtr_uac/uac.ps1

ps1.dropper

http://54.208.157.120:80/scambtr_uac/command.ps1

ps1.dropper

http://54.208.157.120:80/scambtr_uac/down.ps1

Extracted

Language

ps1

Source

URLs

exe.dropper

http://54.208.157.120:80/scambtr_uac/Uac_main.ps1

exe.dropper

http://54.208.157.120:80/scambtr_uac/payloads/fm1ri21p.ps1

Extracted

Family

xworm

Version

3.1

miles-c.at.ply.gg:49826

Mutex

qzx0AtyVDsrQphps

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Extracted

Family

xworm

180.ip.ply.gg:48892

Mutex

QWgaicbZP6H1puz7

Attributes

install_file
USB.exe

aes.plain

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://44.203.122.41:80/Obexe.ps1

Targets

- Target
  
  AnyDesk.exe
- Size
  
  2.9MB
- MD5
  
  7cd339f9be1417421acf8790c9738922
- SHA1
  
  c25eff4d9d2d5b55f1cc4ffc623354004565e8b9
- SHA256
  
  ec0ec7ce8ef71cb7e7d1c2418c47ad94cea8833db8578ccdf94271f8efed38d3
- SHA512
  
  f118ea660a51ff38abc20a9ad16f6505cf8a862df1b564829d9af06710e0c4b91d0abbedc4b852696acf0e807a25138d82c2fc518cd54c32dba92f513467b411
- SSDEEP
  
  49152:vAOdl4d7NHNUb75uEEbOyYWHxL9X5zT/dPUAUA/JH:El8DFWHTN
Score

1^/10
behavioral1 behavioral2
- Target
  
  Archevod_XWorm.exe
- Size
  
  36KB
- MD5
  
  95b3c12592ed7de85aeb86fe9c54e23a
- SHA1
  
  4a6f7b46d077ad0e1dabea9f30efa95c52f79f3d
- SHA256
  
  50a3d3508c4b826b4e36678dd91b374c339b0c57a89a31cd3e9f5a4441772dc0
- SHA512
  
  7a1cd098641bbada8ad6015dfa6cb922ed425632eedc9c7b9ef2774b9c81ff74083d6d8549bb708f39f3dae479b53e46eddb068ed457883cd803ce593e50b08a
- SSDEEP
  
  768:tRmCfIsRkrkdeoQR/auzH9R1acc/FPr9lqO9h52ZL:tRmC8r+uL/EcKFz9lqO9yZL
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Drops startup file
- Adds Run key to start application
  persistence
behavioral3 behavioral4
- Target
  
  ClickMe.lnk.download
- Size
  
  1KB
- MD5
  
  08b5b3505abb428c860598363761f2e8
- SHA1
  
  2344992168414c023bd6851d63ea62520770365a
- SHA256
  
  3ba3c169988a8bc600b58e2ca578e36b48de210bbf058f61b3e7525af01c982d
- SHA512
  
  1b547c089197aba0dce835de875dbdb2c69ed2e9c2199f10ed767b642935dc1c3f50b1ef0521924459d09942fceac5478cf5a0471f94b7bc06c18da9149a2c4c
Score

8^/10

execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral5 behavioral6
- Target
  
  Cmstp.bat
- Size
  
  264B
- MD5
  
  31254e5f0a767dba0d013d83d8949be8
- SHA1
  
  a5f59a60307eb142d30c3ff14b9b916dce8b3733
- SHA256
  
  1521435d9d3fb9dc5b08494130f2118b073a6bc6dc233e3ec404225a57b9c4b3
- SHA512
  
  c97829934e12efe7d8b78c177666ce1fe30c6a77e6617c06f8a0c23cd4a59a1ec625ee3edc72fe512ce79b56e4f3be716be6bd5ab4089b4ccdbb48b5b56a12d1
Score

10^/10

execution
- Blocklisted process makes network request
behavioral7 behavioral8
- Target
  
  GoogleChrome.exe
- Size
  
  690KB
- MD5
  
  5818f4fecb0dcc52227035dc0d88830b
- SHA1
  
  ccda411e1e7c643308f8c643b384ec979c185787
- SHA256
  
  1416bd55b04a4d8299c3e976e4e6a160850471e330d25f332f70d8ca618de894
- SHA512
  
  b245d21747c40722fd8c53a8bef3acb17aabce894ec6213547a2554f4c4f168b1d43f9a2f1383f4bfd4ccd436e3034d7aa64c6118aff9d886ea39c05ad7bb81f
- SSDEEP
  
  12288:jTEgdfY8l6hdV6l4et8klwIdctVdrcdirMBgJS9UOIK3:8UwBD6lbt8ufcVrcdiMCJSuOIK3
Score

10^/10

quasar test spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Executes dropped EXE
behavioral10 behavioral9
- Target
  
  Hidden_Undected_CMSTP-Reflection.ps1.bak
- Size
  
  13KB
- MD5
  
  39d26ba464405a52eec059c38fde3742
- SHA1
  
  b8e15337cbdfe46d6c712bf45a381b5a97d30db1
- SHA256
  
  5812fe6944f400d00f4ab4b4189779c3caddc419c3346842e30c07d238f4d186
- SHA512
  
  7fb159fbedc68cd0a353534b30cca7f0f6a95f327c69d2a4cc1b7d4c4b591ea893451b18f188d5739873a64c64bd314546a20bb272d76931cee1937a6104e337
- SSDEEP
  
  384:lc2055WPIbP1ermV2qvkXLuwYiou2tc428QuB:lc2eWgP1UIEuwhom4tQW
Score

8^/10

execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops file in System32 directory
behavioral11 behavioral12
- Target
  
  Hidden_magic.vbs
- Size
  
  122B
- MD5
  
  3e168164fe0f6469cb14efd628bb15de
- SHA1
  
  d1319d3c0264ee65258982090a8b8e6ea5832169
- SHA256
  
  acbd157e5546a03b6a1695974294b99f751a4a9ef21dcfc9794da26ee1623a23
- SHA512
  
  085d64420abf67fbeb394fb229e24fdd0be9139e320d63e9d249275013fee1a352499c985629800f694a4053a41499cc30d3913c1a783c3757804ff81de78439
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral13 behavioral14
- Target
  
  Manage.bat
- Size
  
  289B
- MD5
  
  3b001f8d88211bf2f64a1fbd7cfc22a4
- SHA1
  
  f27eec327bc4689848fcda18bf88402d649143c2
- SHA256
  
  303666e8136c8f5d1471f503dfa7ba32e5ac303f3b758a8af6a80cc7fdd61253
- SHA512
  
  2a94b1311fad0a408773ec30851f1a68d525b0db9a185865c1faf209eb1e6d8f8768ce35051e245b17e468714e645c2553898a833090e1ccb56db56e9bf2c4c3
Score

1^/10
behavioral15 behavioral16
- Target
  
  Night_uac/Uac_main.ps1
- Size
  
  895B
- MD5
  
  550a412ff00f92f90795bec6a8c8286e
- SHA1
  
  1929e24de6fd883b4f5c191c317b272001a43973
- SHA256
  
  af1c04051180e61745b676d36bf583a9e95995a810bba71c26d6366fc4eedb6e
- SHA512
  
  7d29881c6f7f2be8a48bba0b7e7e755a02ae2c648320a9daedb68591f4995323c495d9c5bc4cbb79ad8321d4fdf55774d33d7eaaf36218336576e729ed3e7ade
Score

8^/10

execution
- Blocklisted process makes network request
behavioral17 behavioral18
- Target
  
  Night_uac/Uac_stage.ps1
- Size
  
  435B
- MD5
  
  9c0b29cea5533806aee83f5c49fcf6cd
- SHA1
  
  659155db6497a1d5c1e6fb2dc40b16f63bf0e1db
- SHA256
  
  e442ae7d9792416c46c134c8587ac7bfd947a6062c4abe9b700f83a5274b72cc
- SHA512
  
  72e6b4b55a4c16c12408a46b668073d0b09d59a0d4bc0941a33dc6859af8f8358df224f07d7fd2de780945c503c46a7f5cf98e957e4031884e9d0ec497463def
Score

8^/10

execution
- Blocklisted process makes network request
behavioral19 behavioral20
- Target
  
  Night_uac/Uac_stage_gen.py
- Size
  
  1KB
- MD5
  
  a68f17114a988b00f30a0eed296733ac
- SHA1
  
  22c4aa93ce3fc2a191f32359d6fe8c2ffe79dafb
- SHA256
  
  4d505f1f2b73cf7e857164dfdf1d18a4488f3b593a0ea9a7d051e9d46c15ddaf
- SHA512
  
  6d1a93c6f0389972477b6841d2e830874fbf45c1dbc446bbdfc884e0c6f69e0cb1dfbb23d0a0fa583d7308eb8cc83199b95eadb77fd84fd5a16db85732d7c96b
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  Night_uac/amsi.ps1
- Size
  
  1KB
- MD5
  
  ab586dd0a3d8dc473e8a12a5a4c6a484
- SHA1
  
  247455520a6b3706355e6afc4815fc0fbec331c4
- SHA256
  
  e4519785cbdda3fe7f85b3e0ef1bfd0bb857966dcc9fd7e62bd028b04a35cda3
- SHA512
  
  898dfc95b3016a8c8ec164ddff5b5b58aa3470802f5cc9265837dc1d4356de251fa256ff6dd130e39399ab24ebe903172dee214fc9b3e36be04d0ef654b9fb20
Score

3^/10

execution
behavioral23 behavioral24
- Target
  
  Night_uac/amsi.ps1.bak
- Size
  
  1KB
- MD5
  
  ce55b86a579ff526c25fdfeb398fa285
- SHA1
  
  134fb6ec72f0123f5111333ca6d4c4a9c125cf67
- SHA256
  
  dcc98c13be598654871475b3028f304f2a580b47c9c46531d2793de49f5f8d7d
- SHA512
  
  ca4f09c14caee9282006a0a3251b17ab8c5cf3c370b81bb49579437d470d62bcb2b8909c461784d163c57e7ca725ecb1bb86036b401315fd2ff0fedcd8b51f2f
Score

3^/10

execution
behavioral25 behavioral26
- Target
  
  Night_uac/command.ps1
- Size
  
  131B
- MD5
  
  5fe24b6b15d15df6b534a5815b6f0c9d
- SHA1
  
  b13c4de3c056ab8f96664d66fc2ad3b63278adfe
- SHA256
  
  e7c87640a365548db623dbbf029aa30b57f6d57e3040695b997d8dc073a35cf8
- SHA512
  
  ec354dc51d3a6885e0b32ed405becba092581a85d8060a8a901dbe1b41ff1ff55d2ae272a7651e8ef996acc7fd8e643bbec29b6d5d94ee00ab0a229c72457445
Score

3^/10

execution
behavioral27 behavioral28
- Target
  
  Night_uac/down.ps1
- Size
  
  278B
- MD5
  
  de07ecbd1be6e54daa4e8eaf6303b157
- SHA1
  
  d5865ba74f03ccf7c03e27d1399e6b46e85f895e
- SHA256
  
  ab12c751a1da5db32da6abb02fb8b24a873866b65ec45905db842877c7ff5c8d
- SHA512
  
  e8bc8f9f272c3ba792779292dd5cc4f64f7092e63de5d58ebe4e13a755000ea2ec195eb7b20c973865728aa0d9bf198e6bf68118533de2f6664185b5e07501da
Score

8^/10

execution
- Blocklisted process makes network request
- Drops startup file
behavioral29 behavioral30
- Target
  
  Night_uac/payloads/0malm7gp.ps1
- Size
  
  44B
- MD5
  
  2d663bdc95565ef04c1d3db0e4bde2f0
- SHA1
  
  1c1aaa0b478be1cd6732825d73f90168fe7c5790
- SHA256
  
  80d6bdb1d89d5c6b81f4a09dc469cc5f0a094602ce2241e0d60fd714a7fc9327
- SHA512
  
  75de1067200dde50a559db01da8f2b4ea22735447ce4a85dae76703a4401213edb6921960aff1fd8de5a8dd86b5d0c071f43ba49592b0993c00fa6bc7980e152
Score

3^/10

execution
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detect Xworm Payload

Xworm

Drops startup file

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Blocklisted process makes network request

Quasar RAT

Quasar payload

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Drops file in System32 directory

Checks computer location settings

Blocklisted process makes network request

Blocklisted process makes network request

Blocklisted process makes network request

Drops startup file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32