Overview

overview

10

Static

static

1

tost.bat

windows7-x64

8

tost.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tost.bat

  • Size

    23KB

  • Sample

    241107-vwkncsypcm

  • MD5

    c26f41f48d02002dec3ad4e5156bfdda

  • SHA1

    03abcb03be3d39da5e513f4f7056df179047eb2c

  • SHA256

    5153a4d8ee131d9edb35829e1326f08c19d718c572a9274eacb7430896ec5112

  • SHA512

    ed079f1e71aeaa49593c4dbdb3a916bc86daf5e0f2071772854e50d3e2d9690bc4957e4c65c09498bfa76aaa103aa99ab76fb893f2118e757ed8ecb4d1a3b3ba

  • SSDEEP

    384:gTYcpQyuPmhDGEhtKCiFl8sutSjJ7RWGFX8qQt4TdKtyCHIbRJGE2fl08bcOB3wO:gTYcpQyuPmhDGEhtKC1snbWGWdIKZHIQ

Score
10/10
asyncratstealeriumxwormdefaultcollectiondiscoveryexecutionpersistenceprivilege_escalationratstealertrojan

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

111.90.143.248:4449

Mutex

kqsjiymxwcmgkmn

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

111.90.143.248:3232

111.90.143.143:3232
Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

xworm

Version

5.0

C2

111.90.143.143:7000

Mutex

mVXOUHi2OrYslEh1

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      tost.bat

    • Size

      23KB

    • MD5

      c26f41f48d02002dec3ad4e5156bfdda

    • SHA1

      03abcb03be3d39da5e513f4f7056df179047eb2c

    • SHA256

      5153a4d8ee131d9edb35829e1326f08c19d718c572a9274eacb7430896ec5112

    • SHA512

      ed079f1e71aeaa49593c4dbdb3a916bc86daf5e0f2071772854e50d3e2d9690bc4957e4c65c09498bfa76aaa103aa99ab76fb893f2118e757ed8ecb4d1a3b3ba

    • SSDEEP

      384:gTYcpQyuPmhDGEhtKCiFl8sutSjJ7RWGFX8qQt4TdKtyCHIbRJGE2fl08bcOB3wO:gTYcpQyuPmhDGEhtKC1snbWGWdIKZHIQ

    Score
    10/10
    discoveryexecutionasyncratstealeriumxwormdefaultcollectionpersistenceprivilege_escalationratstealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Xworm Payload

    • Stealerium

      An open source info stealer written in C# first seen in May 2022.

      stealerstealerium

    • Stealerium family

      stealerium

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Enumerates processes with tasklist

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks