Resubmissions

03-12-2024 08:17

241203-j6wb3asnfr 10

29-11-2024 00:44

241129-a3t56awqcx 10

General

  • Target

    58cea87c2baf7227f19f5895064efcc7a410cc64f809648d79aabe4a1e7ea210N.exe

  • Size

    372KB

  • Sample

    241203-j6wb3asnfr

  • MD5

    f9646131ff6c7b07e435791522b418b0

  • SHA1

    c0b1be54b2915cc9df1011836402e981a5815c92

  • SHA256

    58cea87c2baf7227f19f5895064efcc7a410cc64f809648d79aabe4a1e7ea210

  • SHA512

    44b54b19f35b3aca440eb09b8babdd3b22bc934145857b24a91b6fe65f1a6b2106a4a49266c55552135c63f8b8f85bc7a5e99d458cb277e2216ab2b20da089a5

  • SSDEEP

    3072:uD/0ZYthTLJRMB4IVGubl4m5plDzGuX7i2me4F8lpo6wB408ko/Z5hwy6q//kgrh:PYth1RiVGubCYfacu2tB3oB40zox4cf

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

178.215.224.142:4449

Mutex

ywldammnmlcvkfaatp

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

C2

xworm7000.duckdns.org:7000

178.215.224.142:7000

Mutex

wDluQlkCVEcAclIo

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Targets

    • Target

      58cea87c2baf7227f19f5895064efcc7a410cc64f809648d79aabe4a1e7ea210N.exe

    • Size

      372KB

    • MD5

      f9646131ff6c7b07e435791522b418b0

    • SHA1

      c0b1be54b2915cc9df1011836402e981a5815c92

    • SHA256

      58cea87c2baf7227f19f5895064efcc7a410cc64f809648d79aabe4a1e7ea210

    • SHA512

      44b54b19f35b3aca440eb09b8babdd3b22bc934145857b24a91b6fe65f1a6b2106a4a49266c55552135c63f8b8f85bc7a5e99d458cb277e2216ab2b20da089a5

    • SSDEEP

      3072:uD/0ZYthTLJRMB4IVGubl4m5plDzGuX7i2me4F8lpo6wB408ko/Z5hwy6q//kgrh:PYth1RiVGubCYfacu2tB3oB40zox4cf

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Detect Xworm Payload

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Vjw0rm family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Async RAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks