General
-
Target
NetworkEX.exe
-
Size
795KB
-
Sample
241109-p8q31stnhz
-
MD5
a65e5a25060a4971f569d663fefb2f9a
-
SHA1
e2bd4e3c23a71280e47d87c001a909a5b927221c
-
SHA256
2d56cb1313e3bddad715567f05b15d31059ba9f72346cbc38064d5293f48c8c6
-
SHA512
0c2598820b49392d87b32e95f4a22342be1ae8f09b28c2a6ea098c954109b1e62e3ddab4fb314f6c61326fa1d891574e030ce3060faf85ce01f9fba943d3e180
-
SSDEEP
24576:hBCHRbaHtJxyMadpRlV4YrzA74DXa6JIK:CHRbatHyfdHlV4aW4DXa6JI
Malware Config
Extracted
xworm
5.0
-
Install_directory
%AppData%
-
install_file
NetworkEX.exe
-
pastebin_url
https://pastebin.com/raw/jGuGV3jT
-
telegram
https://api.telegram.org/bot6554307825:AAFiCM4YZlx7R1yb0K0d5pqenjePI2Nljfc/sendMessage?chat_id=6077384108
Extracted
asyncrat
Venom Pwn3rzs' Edtition v6.0.1
proxy on top
gdfgvsdfdasfkjasdkjaske9831943ioqwkd
-
delay
1
-
install
true
-
install_file
NetworkEX.exe
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.com/raw/jGuGV3jT
Targets
-
-
Target
NetworkEX.exe
-
Size
795KB
-
MD5
a65e5a25060a4971f569d663fefb2f9a
-
SHA1
e2bd4e3c23a71280e47d87c001a909a5b927221c
-
SHA256
2d56cb1313e3bddad715567f05b15d31059ba9f72346cbc38064d5293f48c8c6
-
SHA512
0c2598820b49392d87b32e95f4a22342be1ae8f09b28c2a6ea098c954109b1e62e3ddab4fb314f6c61326fa1d891574e030ce3060faf85ce01f9fba943d3e180
-
SSDEEP
24576:hBCHRbaHtJxyMadpRlV4YrzA74DXa6JIK:CHRbatHyfdHlV4aW4DXa6JI
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Detect Xworm Payload
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Stormkitty family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Async RAT payload
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
2Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1