asyncrat | eb0f82f6f7cae84885ef1c829836a368615045598db243904bfbd53d976e686d | Triage

Sharing

General

Target

germ.bat
Size

44KB
Sample

241202-t1htwsskc1
MD5

cdbebe5916a327e5cb724137f5fa439d
SHA1

7595a9c2978344b9be73c9478c1d6bac128bf0a3
SHA256

eb0f82f6f7cae84885ef1c829836a368615045598db243904bfbd53d976e686d
SHA512

6ae8f6c3fd0288ac1844e1cd84272220e3b9fa082dba0a27294ff83961f7a71e8b1924f46cc758bf3273d5c80862c451c6951500546e4827be0ed5cac67adbe7
SSDEEP

768:fkRLJpCVvO1FA++aIWoECcej7NuIEEv8MYW+ANdZbQwex1LIGbtmCFQy5sZ72fne:tNO1FA++aeECf3A9M

Score

10^/10

asyncrat xworm default discovery execution rat trojan

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

111.90.143.248:4449

Mutex

kqsjiymxwcmgkmn

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

111.90.143.248:3232

111.90.143.143:3232

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

aes.plain

Extracted

Family

xworm

Version

5.0

C2

111.90.143.143:7000

Mutex

mVXOUHi2OrYslEh1

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  germ.bat
- Size
  
  44KB
- MD5
  
  cdbebe5916a327e5cb724137f5fa439d
- SHA1
  
  7595a9c2978344b9be73c9478c1d6bac128bf0a3
- SHA256
  
  eb0f82f6f7cae84885ef1c829836a368615045598db243904bfbd53d976e686d
- SHA512
  
  6ae8f6c3fd0288ac1844e1cd84272220e3b9fa082dba0a27294ff83961f7a71e8b1924f46cc758bf3273d5c80862c451c6951500546e4827be0ed5cac67adbe7
- SSDEEP
  
  768:fkRLJpCVvO1FA++aIWoECcej7NuIEEv8MYW+ANdZbQwex1LIGbtmCFQy5sZ72fne:tNO1FA++aeECf3A9M
Score

10^/10

discovery execution asyncrat xworm default rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

asyncratxwormdefaultdiscoveryexecutionrattrojan