Overview

overview

10

Static

static

1

virus_src.bat

windows7-x64

8

virus_src.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    virus_src.bat

  • Size

    720B

  • Sample

    241208-p2schatpcy

  • MD5

    25cc17794b4a00de0db1dc2f14580af4

  • SHA1

    f119d7d9bc38af460a8da42c9dbc09faa77130b1

  • SHA256

    847d7d889d1d5dc33f7c24d82dccc71cb9032fd743e8a52364dc5e0a07a03e69

  • SHA512

    70b49b9b7f7798f3ae15dfe100bf19eaf734de4c92b18b75295b06e455d64aee16879432ccfb3d95c78cbe301600504cfe485ddde59745dae62d64dd014b83ab

Score
10/10
asyncratxenoratxwormcomppkgsrvdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xenorat

C2

82.13.154.169

Mutex

09f0agdksogvisd0gdsjpogijdsihg89t2374ygh23b5023gyd79srtdfgbalkfnmvsakfnsajdio32y8956tyhtijdesaiosahf85295u3497348huasnfjasfa86a7s6g70duhgfdaguh7dsa6gdayghdughuiagfad6ga760ghad8ga6gad75asfgagnhalkjs90436r7tgafhafyasuft7as5asf083y5

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    svchost

Extracted

Family

asyncrat

Botnet

CompPkgSrv

C2

82.13.154.169:4444

Attributes
  • delay

    3

  • install

    true

  • install_file

    CompPkgSrv.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

C2

82.13.154.169:4444

Attributes
  • Install_directory

    %AppData%

  • install_file

    CompPkgSup.exe

Targets

    • Target

      virus_src.bat

    • Size

      720B

    • MD5

      25cc17794b4a00de0db1dc2f14580af4

    • SHA1

      f119d7d9bc38af460a8da42c9dbc09faa77130b1

    • SHA256

      847d7d889d1d5dc33f7c24d82dccc71cb9032fd743e8a52364dc5e0a07a03e69

    • SHA512

      70b49b9b7f7798f3ae15dfe100bf19eaf734de4c92b18b75295b06e455d64aee16879432ccfb3d95c78cbe301600504cfe485ddde59745dae62d64dd014b83ab

    Score
    10/10
    executionasyncratxenoratxwormcomppkgsrvdiscoverypersistencerattrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect XenoRat Payload

    • Detect Xworm Payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

      trojanratxenorat

    • Xenorat family

      xenorat

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

      execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks