asyncrat

General

Target

06112024_0119_new.bat
Size

44KB
Sample

241106-bpr93ssdke
MD5

0a8189409a127612b858f940e3410212
SHA1

44e4fd543179b18b9565c6ce4145ff61ab75e7f0
SHA256

6ef23d5f69695cd8c9381e416928ca10e33a0b927c451399ab439eb64007a5ec
SHA512

e4af985ebe31d0beae17999c893c7ad6824684caf863439f676a2dae9b2a6da74eddb41ca58b54aade9fb5ffabe93bd1a2db6ac21fe87f94b5d66c0a354b677d
SSDEEP

768:gTYcpQyuPmhDGEhtKC+5Vcc8xJWWAF/U61RPMrQqMgrrLFAvzUk+imrt0wLm2PoL:gTYcpQyuPmhDGEhtKC2Vc93WWApUkPMy

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

ghanarchydn.duckdns.org:7878

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

pdhasync.duckdns.org:8797

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

ksjvenom.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

3.1

C2

jkswrm3.duckdns.org:8895

xroct9402.duckdns.org:9402

Mutex

SilOfspMzdDQaw36

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

Version

5.0

C2

jkwrm5.duckdns.org:8896

Mutex

neSV4A0jHthIPf8y

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  06112024_0119_new.bat
- Size
  
  44KB
- MD5
  
  0a8189409a127612b858f940e3410212
- SHA1
  
  44e4fd543179b18b9565c6ce4145ff61ab75e7f0
- SHA256
  
  6ef23d5f69695cd8c9381e416928ca10e33a0b927c451399ab439eb64007a5ec
- SHA512
  
  e4af985ebe31d0beae17999c893c7ad6824684caf863439f676a2dae9b2a6da74eddb41ca58b54aade9fb5ffabe93bd1a2db6ac21fe87f94b5d66c0a354b677d
- SSDEEP
  
  768:gTYcpQyuPmhDGEhtKC+5Vcc8xJWWAF/U61RPMrQqMgrrLFAvzUk+imrt0wLm2PoL:gTYcpQyuPmhDGEhtKC2Vc93WWApUkPMy
Score

10^/10

discovery execution asyncrat xworm default venom clients rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Asyncrat family

Detect Xworm Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

Xworm family

Async RAT payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2