asyncrat

General

Target

27112024_0154_new.bat
Size

3KB
Sample

241127-cbkhraxlgk
MD5

6fc5138d9a459120a712b12ffd55ef44
SHA1

7ecb2535e52971cdde63a30fa2699d0d31de7af4
SHA256

25db2614bacd5fab235fae0dcf994833603604ed37173152c47f288733fa8418
SHA512

bc9462054d421efe81ab605d824cafcb603906b9523dc0bc16629a5d85ad96f81e738fac07a602b5ff46653a57e9571b6e5c257de9ca615a0b7c854f7738a497

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

ghanarchydn.duckdns.org:7878

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

pdhasync.duckdns.org:8797

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

ksjvenom.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

3.1

C2

jkswrm3.duckdns.org:8895

novxrw9402.duckdns.org:9402

Mutex

SilOfspMzdDQaw36

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

Version

5.0

C2

jkwrm5.duckdns.org:8896

Mutex

neSV4A0jHthIPf8y

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  27112024_0154_new.bat
- Size
  
  3KB
- MD5
  
  6fc5138d9a459120a712b12ffd55ef44
- SHA1
  
  7ecb2535e52971cdde63a30fa2699d0d31de7af4
- SHA256
  
  25db2614bacd5fab235fae0dcf994833603604ed37173152c47f288733fa8418
- SHA512
  
  bc9462054d421efe81ab605d824cafcb603906b9523dc0bc16629a5d85ad96f81e738fac07a602b5ff46653a57e9571b6e5c257de9ca615a0b7c854f7738a497
Score

10^/10

discovery execution asyncrat xworm default venom clients rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Asyncrat family

Detect Xworm Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

Xworm family

Async RAT payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2