General

  • Target

    Wave2.9a.exe

  • Size

    6.8MB

  • Sample

    241030-gk9lfsypfk

  • MD5

    1be3526aebc5773c0c37f3d5d472a6d8

  • SHA1

    034a50185e844bf1d0cb576e52469b978f6ca325

  • SHA256

    13bc247107fa0dc495b4687595e39f7a2ca05b4d6b032621d200816f6345b1bc

  • SHA512

    da922cd35cfad2470fb290bfa58686e5240e0f8b3249c958b88c423aae9adee77a46b269552aa20a3a54256db2c9b683824f469bd880031ed51bfcaa711562c9

  • SSDEEP

    196608:uVdfd++7bBDKYrzijk4y0UPOJevpa9iuYHY:6PbBW6ijk4r2giu

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

restaurant-montreal.gl.at.ply.gg:38813

Attributes

  • delay

    1

  • install

    true

  • install_file

    bloxstrap.exe

  • install_folder

    %Temp%

aes.plain

Extracted

Family

xworm

C2

methods-availability.gl.at.ply.gg:20557

Attributes

  • Install_directory

    %AppData%

  • install_file

    Windows Updater.exe

Targets

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Async RAT payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

MITRE ATT&CK Enterprise v15