General

  • Target

    LHVWN_virus_src.bat

  • Size

    680B

  • Sample

    241208-p5pqsaypan

  • MD5

    28a24f08a62dc5c8af6be5e921d4c5ad

  • SHA1

    97f70c14a8e2ba4da9d8f5d65961d7d998ebb637

  • SHA256

    c76ca39fdae22faae9ae3799475307e34d351d02e048e3805a6ce5d6848db559

  • SHA512

    e9ec36ad33f78ac2871bb1a36a746ab74fd502b64fd01d36434192b2bc5244fc56d44ca5989af7de15bdf2b46a9a35990f759867ace6253ec9d1393e4cb9a577

Malware Config

Extracted

Family

xenorat

C2

82.13.154.169

Mutex

09f0agdksogvisd0gdsjpogijdsihg89t2374ygh23b5023gyd79srtdfgbalkfnmvsakfnsajdio32y8956tyhtijdesaiosahf85295u3497348huasnfjasfa86a7s6g70duhgfdaguh7dsa6gdayghdughuiagfad6ga760ghad8ga6gad75asfgagnhalkjs90436r7tgafhafyasuft7as5asf083y5

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    svchost

Extracted

Family

asyncrat

Botnet

CompPkgSrv

C2

82.13.154.169:4444

Attributes
  • delay

    3

  • install

    true

  • install_file

    CompPkgSrv.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

C2

82.13.154.169:4444

Attributes
  • Install_directory

    %AppData%

  • install_file

    CompPkgSup.exe

Targets

    • Target

      LHVWN_virus_src.bat

    • Size

      680B

    • MD5

      28a24f08a62dc5c8af6be5e921d4c5ad

    • SHA1

      97f70c14a8e2ba4da9d8f5d65961d7d998ebb637

    • SHA256

      c76ca39fdae22faae9ae3799475307e34d351d02e048e3805a6ce5d6848db559

    • SHA512

      e9ec36ad33f78ac2871bb1a36a746ab74fd502b64fd01d36434192b2bc5244fc56d44ca5989af7de15bdf2b46a9a35990f759867ace6253ec9d1393e4cb9a577

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Detect XenoRat Payload

    • Detect Xworm Payload

    • XenoRat

      XenoRAT is a remote access trojan written in C#.

    • Xenorat family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Async RAT payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.
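The extracted configs above share one C2 endpoint (82.13.154.169:4444) and two near-identical install names under %AppData% (CompPkgSrv.exe for AsyncRAT, CompPkgSup.exe for XWorm), and the behaviour list describes the chain a detection would key on: PowerShell spawned from the batch file, a dropped EXE, a Run key, and the outbound C2 connection. The following is an added example, not part of the sandbox report, that turns those indicators into simple rules and runs them over constructed Sysmon-style events (Event IDs 1, 3, 11, 13). The event records are made up for the example; the assumption that the XenoRAT startup_name (svchost) and the AsyncRAT botnet name (CompPkgSrv) appear as Run-key value names is the example's own, since the report only states that a Run key is added.

```python
"""Match IOCs from the sandbox-extracted configs against Sysmon-style events.

Added example, not code from the report. Indicators come from the xenorat /
asyncrat / xworm configs above; the events below are constructed and are not
real telemetry.
"""
from dataclasses import dataclass

# Indicators from the extracted configs.
C2_IP = "82.13.154.169"
C2_PORT = 4444
# install_file values: asyncrat -> CompPkgSrv.exe, xworm -> CompPkgSup.exe.
# Both imitate the legitimate CompPkgSrv.exe, which lives in System32, so the
# install path (%AppData%) is the discriminating signal, not the file name.
INSTALL_FILES = {"comppkgsrv.exe", "comppkgsup.exe"}
# ASSUMPTION: startup_name (xenorat) and Botnet name (asyncrat) surface as
# Run-key value names. The report only says "Adds Run key to start application".
RUN_VALUE_NAMES = {"svchost", "comppkgsrv"}
RUN_KEY_MARKER = "\\software\\microsoft\\windows\\currentversion\\run\\"


@dataclass
class Event:
    event_id: int   # Sysmon Event ID
    fields: dict    # event data, keyed by Sysmon field name


@dataclass
class Hit:
    rule: str
    detail: str


def in_appdata(path: str) -> bool:
    # Sysmon logs expanded paths; %AppData% expands to ...\AppData\Roaming\.
    return "\\appdata\\roaming\\" in path.lower()


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def check_event(ev: Event) -> list:
    """Return the list of rule hits for a single event (empty if benign)."""
    f = ev.fields
    hits = []
    if ev.event_id == 1:  # process create
        image, parent = f.get("Image", ""), f.get("ParentImage", "")
        if basename(image) == "powershell.exe" and basename(parent) == "cmd.exe":
            hits.append(Hit("powershell_from_bat", f.get("CommandLine", "")))
        if in_appdata(image) and basename(image) in INSTALL_FILES:
            hits.append(Hit("executes_dropped_exe", image))
    elif ev.event_id == 3:  # network connection
        if f.get("DestinationIp") == C2_IP and int(f.get("DestinationPort", 0)) == C2_PORT:
            hits.append(Hit("c2_connection", f"{f.get('Image', '')} -> {C2_IP}:{C2_PORT}"))
    elif ev.event_id == 11:  # file create
        target = f.get("TargetFilename", "")
        if in_appdata(target) and basename(target) in INSTALL_FILES:
            hits.append(Hit("drops_install_file", target))
    elif ev.event_id == 13:  # registry value set
        obj = f.get("TargetObject", "")
        if RUN_KEY_MARKER in obj.lower():
            value_name = basename(obj)
            # Either a known value name or any Run entry pointing into AppData.
            if value_name in RUN_VALUE_NAMES or in_appdata(f.get("Details", "")):
                hits.append(Hit("run_key_persistence", obj))
    return hits


def scan(events: list) -> list:
    return [h for ev in events for h in check_event(ev)]


# Constructed events in the order the report's behaviours would occur.
APPDATA = "C:\\Users\\victim\\AppData\\Roaming\\"
SAMPLE_EVENTS = [
    Event(1, {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "ParentImage": "C:\\Windows\\System32\\cmd.exe",
              "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden"}),
    Event(11, {"TargetFilename": APPDATA + "CompPkgSrv.exe"}),
    Event(13, {"TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CompPkgSrv",
               "Details": APPDATA + "CompPkgSrv.exe"}),
    Event(1, {"Image": APPDATA + "CompPkgSup.exe",
              "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "CommandLine": APPDATA + "CompPkgSup.exe"}),
    Event(3, {"Image": APPDATA + "CompPkgSrv.exe", "DestinationIp": C2_IP, "DestinationPort": "4444"}),
    # Benign: the real CompPkgSrv.exe running from System32 must not match.
    Event(1, {"Image": "C:\\Windows\\System32\\CompPkgSrv.exe",
              "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "CompPkgSrv.exe -Embedding"}),
    # Benign: ordinary DNS traffic.
    Event(3, {"Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "8.8.8.8", "DestinationPort": "53"}),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.rule:24s} {hit.detail}")
```

The System32 event is the caveat worth keeping in mind: CompPkgSrv.exe is a legitimate Windows binary, so matching on the file name alone would page on every clean host. The rules above require the %AppData% location from the extracted install_folder / Install_directory values, and the Run-key rule also fires on any value whose data points into AppData, which covers the case where the value name differs from the assumed ones.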

MITRE ATT&CK Enterprise v15