General

  • Target

    7e19aad8690328d389e5d037dd47c4fdcea7775ad69a0755c3e2eeba1df44ed8

  • Size

    18.6MB

  • Sample

    241029-y3sjbszrfn

  • MD5

    c660fd4addbfaa81fac0a1f5d39cd000

  • SHA1

    7d1aaa224037b1ade30bb951ee04989b73d71a81

  • SHA256

    7e19aad8690328d389e5d037dd47c4fdcea7775ad69a0755c3e2eeba1df44ed8

  • SHA512

    a53d1608adb02d2b7ad7109490e1dce4b073cf622a291b52cea8794ba3c0296248fa87fb8305893cfb65d44f500afc7057375368eff2fd0a2e872a6420e8d5c9

  • SSDEEP

    98304:c+R1sVuWzOYBvDdXCxGSQjJQaoyqUIIdZicEMtECV:ckCzFvDdXCcSQLbqUISpEMW

Malware Config

Extracted

Family

xworm

C2

politics-fiber.gl.at.ply.gg:47430

Attributes
  • Install_directory

    %AppData%

  • install_file

    $77-scchost.exe

Extracted

Family

asyncrat

Botnet

Default

C2

environmental-blank.gl.at.ply.gg:25944

Attributes
  • delay

    1

  • install

    true

  • install_file

    $77-aachost.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      7e19aad8690328d389e5d037dd47c4fdcea7775ad69a0755c3e2eeba1df44ed8

    • Size

      18.6MB

    • MD5

      c660fd4addbfaa81fac0a1f5d39cd000

    • SHA1

      7d1aaa224037b1ade30bb951ee04989b73d71a81

    • SHA256

      7e19aad8690328d389e5d037dd47c4fdcea7775ad69a0755c3e2eeba1df44ed8

    • SHA512

      a53d1608adb02d2b7ad7109490e1dce4b073cf622a291b52cea8794ba3c0296248fa87fb8305893cfb65d44f500afc7057375368eff2fd0a2e872a6420e8d5c9

    • SSDEEP

      98304:c+R1sVuWzOYBvDdXCxGSQjJQaoyqUIIdZicEMtECV:ckCzFvDdXCcSQLbqUISpEMW

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Detect Xworm Payload

    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Async RAT payload

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Runs commands through powershell.exe.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
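The two extracted configurations (the xworm and asyncrat C2 endpoints and their $77-*.exe install files under %AppData%) and the behaviour signatures listed under Targets (Run key persistence, PowerShell use, dropped EXE, legitimate hosting abused for C2) together make a small host hunt. The Python below is an added example written for this page; it is not part of the sandbox report and not code from either malware family. The Sysmon-style events it scans are constructed for illustration. Two heuristics go beyond what the report states and are assumptions: flagging any destination under .gl.at.ply.gg (ply.gg is the playit.gg tunnelling service's domain; the report only says a legitimate hosting service was abused) and flagging any executable whose name starts with "$77", the default hide prefix of the r77 rootkit, which the report does not itself name.

```python
"""Hunt for this sample's extracted indicators over Sysmon-style events.

Added example for the report above; indicators are copied from its
Malware Config section, everything else is an illustrative assumption.
"""
import re

# --- Indicators copied from the report's Malware Config section ---
C2_ENDPOINTS = {
    ("politics-fiber.gl.at.ply.gg", 47430),        # xworm
    ("environmental-blank.gl.at.ply.gg", 25944),   # asyncrat
}
INSTALL_FILES = {"$77-scchost.exe", "$77-aachost.exe"}  # both installed to %AppData%

# --- Broader heuristics (assumptions, not stated by the report) ---
# playit.gg tunnels appear as <label>.gl.at.ply.gg; any such destination is suspicious.
TUNNEL_HOST_RE = re.compile(r"\.gl\.at\.ply\.gg$", re.IGNORECASE)
# The r77 rootkit hides files/processes whose names start with "$77" by default.
HIDE_PREFIX = "$77"
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)  # %AppData% expands here


def basename(path):
    """Last path component, accepting either slash style."""
    return re.split(r"[\\/]", path)[-1]


def check_event(ev):
    """Return the list of reasons one Sysmon-style event matches the indicators (empty if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
        name = basename(image).lower()
        if name in INSTALL_FILES:
            hits.append(f"known install file executed: {name}")
            if APPDATA_RE.search(image):
                hits.append("executed from %AppData% install directory")
        elif name.startswith(HIDE_PREFIX):
            hits.append(f"r77-style hidden prefix on executable: {name}")
        if name == "powershell.exe" and basename(parent).lower().startswith(HIDE_PREFIX):
            hits.append(f"powershell.exe spawned by {basename(parent)}")
    elif eid == 13:  # registry value set
        target, details = ev.get("TargetObject", ""), ev.get("Details", "")
        if RUN_KEY_RE.search(target) and (
            basename(details).lower() in INSTALL_FILES or APPDATA_RE.search(details)
        ):
            hits.append(f"Run key persistence -> {details}")
    elif eid == 3:  # network connection
        host = ev.get("DestinationHostname", "").lower()
        port = int(ev.get("DestinationPort", 0))
        if (host, port) in C2_ENDPOINTS:
            hits.append(f"known C2 endpoint {host}:{port}")
        elif TUNNEL_HOST_RE.search(host):
            hits.append(f"playit.gg tunnel destination {host}:{port}")
    return hits


def hunt(events):
    """Map event index -> reasons, for matching events only."""
    results = {}
    for i, ev in enumerate(events):
        reasons = check_event(ev)
        if reasons:
            results[i] = reasons
    return results


# Constructed sample events (not from the report), reduced to the fields used above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Roaming\$77-scchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\$77-scchost",
     "Details": r"C:\Users\victim\AppData\Roaming\$77-scchost.exe"},
    {"EventID": 3, "DestinationHostname": "politics-fiber.gl.at.ply.gg", "DestinationPort": 47430},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\victim\AppData\Roaming\$77-aachost.exe"},
    {"EventID": 3, "DestinationHostname": "other-label.gl.at.ply.gg", "DestinationPort": 12345},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "DestinationHostname": "www.microsoft.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}:")
        for r in reasons:
            print(f"  - {r}")
```

Run it as a script to see which of the constructed events fire; to use it on real data, map exported Sysmon event fields (Image, ParentImage, TargetObject, Details, DestinationHostname, DestinationPort) onto the same keys. The exact C2 pairs are matched before the tunnel heuristic so a known endpoint is reported as such rather than as a generic tunnel hit.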

MITRE ATT&CK Enterprise v15

Tasks