Resubmissions

03-12-2024 08:17

241203-j6wb3asnfr 10

29-11-2024 00:44

241129-a3t56awqcx 10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-12-2024 08:17

General

  • Target

    58cea87c2baf7227f19f5895064efcc7a410cc64f809648d79aabe4a1e7ea210N.exe

  • Size

    372KB

  • MD5

    f9646131ff6c7b07e435791522b418b0

  • SHA1

    c0b1be54b2915cc9df1011836402e981a5815c92

  • SHA256

    58cea87c2baf7227f19f5895064efcc7a410cc64f809648d79aabe4a1e7ea210

  • SHA512

    44b54b19f35b3aca440eb09b8babdd3b22bc934145857b24a91b6fe65f1a6b2106a4a49266c55552135c63f8b8f85bc7a5e99d458cb277e2216ab2b20da089a5

  • SSDEEP

    3072:uD/0ZYthTLJRMB4IVGubl4m5plDzGuX7i2me4F8lpo6wB408ko/Z5hwy6q//kgrh:PYth1RiVGubCYfacu2tB3oB40zox4cf

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

178.215.224.142:4449

Mutex

ywldammnmlcvkfaatp

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

C2

xworm7000.duckdns.org:7000

178.215.224.142:7000

Mutex

wDluQlkCVEcAclIo

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Detect Xworm Payload 2 IoCs
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Vjw0rm family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 17 IoCs
  • Drops startup file 4 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58cea87c2baf7227f19f5895064efcc7a410cc64f809648d79aabe4a1e7ea210N.exe
    "C:\Users\Admin\AppData\Local\Temp\58cea87c2baf7227f19f5895064efcc7a410cc64f809648d79aabe4a1e7ea210N.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Users\Admin\AppData\Local\Temp\Under Faxuler.exe
      "C:\Users\Admin\AppData\Local\Temp\Under Faxuler.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\info.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:2772
      • C:\Users\Admin\AppData\Local\Temp\Client.exe
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2684
      • C:\Users\Admin\AppData\Local\Temp\XClient.exe
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2752
      • C:\Users\Admin\AppData\Local\Temp\0wazE.exe
        "C:\Users\Admin\AppData\Local\Temp\0wazE.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2556
    • C:\Users\Admin\AppData\Local\Temp\0wazE.exe
      "C:\Users\Admin\AppData\Local\Temp\0wazE.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1060 -s 600
        3⤵
        PID:1680

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0wazE.exe

    Filesize

    105KB

    MD5

    e264fe3d12c6e1a0f1d7e9ed2261e92d

    SHA1

    7a0e223c6ee4da81b80f49cbe6a602b2b354b1ab

    SHA256

    1a4bb157823139eff9b0bedce2a9452759ecc47801785743fb9667647347c4d5

    SHA512

    8a7ff7c1cf941aa10641650056f71da6974984c7383dade8683d7fd24e1ebd078da76dcc622238594fd53295205753c59364a64eaa67f3a2ea8734e679533209

  • C:\Users\Admin\AppData\Local\Temp\Client.exe

    Filesize

    74KB

    MD5

    0443ba1255e5419d79b3ed3382ec00ff

    SHA1

    f8dcda47375189f3164fc8419f84fa92674e4710

    SHA256

    9c238fa3c048bab6d3e72f171d2b3994ac1686477a4febdcb2fa7a8fa987c6f6

    SHA512

    d10064412a09576ffc9b5e2d22a0ca97a65f70f19e80c3494c2c9e422a36169e13ac72a9d948308d3aa3ccedb03998996611963de71eeca05a0607beaa199374

  • C:\Users\Admin\AppData\Local\Temp\Under Faxuler.exe

    Filesize

    687KB

    MD5

    7beac06d9c9dc95b8dacd72d6ea87597

    SHA1

    ccc9ef68f1781a7c5d2c9cc4ac57198698ec418e

    SHA256

    be0986c1154533a6fa8ae0eb77c0f6c95ff5a153dd096b408888816f71fef835

    SHA512

    04ff58b844a687aadb5f4243ef5431619b02036abb29768d77ca309039adb1505ff62853be6bae4c238e55a9645a916912d85445147652ff0cd7b3d35e80798f

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe

    Filesize

    38KB

    MD5

    789f782e9e3170fdbc5f69ad90f1fd54

    SHA1

    3e679929bc157c5a3f590ad15a9218c99fc2c1d3

    SHA256

    563760d0e6a3933465fe1021323e33d82e16f91a7cd71abd3afae862af2ad338

    SHA512

    5336464c17e4aa31b488f56025da479763c9292bd5fb354512d02c937c577494303fd0fee325ef25333f96839889f51bfbf4db0f98b42a22ee30613d96baf152

  • C:\Users\Admin\AppData\Local\Temp\info.js

    Filesize

    3KB

    MD5

    c9f85ebe8ae38f1bf04be9d4ebe82219

    SHA1

    c72eeed1d5814247196b0c9935f6fa86c010e4c6

    SHA256

    c0157ee7368a626b38657229ddd1e58d058e571fc83977c26a2f511c15197e37

    SHA512

    5ba0756ac069a4c1b5d6d1fe47a20916494bbbd076dbce05d7eae6f17330a350b00903e4f7ffdb8b98ad3aa96e7b66913bef3b0c4cfc43a8219aa93613948ae8

  • memory/1060-13-0x00000000012E0000-0x0000000001300000-memory.dmp

    Filesize

    128KB

  • memory/1668-16-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

    Filesize

    9.9MB

  • memory/1668-15-0x0000000000250000-0x0000000000296000-memory.dmp

    Filesize

    280KB

  • memory/1668-7-0x00000000003D0000-0x0000000000482000-memory.dmp

    Filesize

    712KB

  • memory/1668-35-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

    Filesize

    9.9MB

  • memory/2492-0-0x000007FEF5663000-0x000007FEF5664000-memory.dmp

    Filesize

    4KB

  • memory/2492-14-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

    Filesize

    9.9MB

  • memory/2492-1-0x0000000000A40000-0x0000000000AA2000-memory.dmp

    Filesize

    392KB

  • memory/2492-37-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

    Filesize

    9.9MB

  • memory/2684-31-0x0000000000CD0000-0x0000000000CE8000-memory.dmp

    Filesize

    96KB

  • memory/2752-32-0x0000000000B80000-0x0000000000B90000-memory.dmp

    Filesize

    64KB