asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

wow.exe
Size

14.8MB
Sample

241217-y5c7esxrdj
MD5

b2c17e4aaa1ab07e2be2c6e08120c7fe
SHA1

67eb0fbafb9d75d7e95dc8429c09a99e73ed5c74
SHA256

d6427e58dfa1a8bfb69f510d4c3806c36cbb7fcfac82984cafcd2ff539631f0d
SHA512

5ec8edc34ebd4329c263fd43a76fbecc69d4af248b86d40ba69df40ba85b78bf0e5abb2fcb3b65708b726cdc3fe594e06f27ae637f98a038b9249c399b52b223
SSDEEP

393216:gOWd863huc1dQJlAoF3MnG3WaiVLedWmoNr/xHWgrHz:5893hr1dQJ3MGGZKUpT

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://194.38.23.2

Extracted

Family

xworm

127.0.0.1:48990

147.185.221.22:48990

Attributes

Install_directory
%Userprofile%
install_file
svchostt.exe

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

SolaraFake

anyone-blogging.gl.at.ply.gg:22284

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
Windows.exe
install_folder
%Temp%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

14.243.221.170:3322

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:8080

127.0.0.1:17027

2.tcp.ngrok.io:6606

2.tcp.ngrok.io:7707

2.tcp.ngrok.io:8808

2.tcp.ngrok.io:8080

2.tcp.ngrok.io:17027

Mutex

ynBzTukwLg8N

Attributes

delay
3
install
false
install_file
Clean.bat
install_folder
%Temp%

aes.plain

Extracted

Family

xworm

Version

5.0

lohoainam2008-36048.portmap.io:36048

Attributes

Install_directory
%AppData%
install_file
Setup.exe
telegram
https://api.telegram.org/bot6189190228:AAF5CGiKGC5p4mkyZfTy1Lp5BrZMWsKu-pk/sendMessage?chat_id=5666777098

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

103.125.189.155:8848

Mutex

DcRatMutex_6565

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  wow.exe
- Size
  
  14.8MB
- MD5
  
  b2c17e4aaa1ab07e2be2c6e08120c7fe
- SHA1
  
  67eb0fbafb9d75d7e95dc8429c09a99e73ed5c74
- SHA256
  
  d6427e58dfa1a8bfb69f510d4c3806c36cbb7fcfac82984cafcd2ff539631f0d
- SHA512
  
  5ec8edc34ebd4329c263fd43a76fbecc69d4af248b86d40ba69df40ba85b78bf0e5abb2fcb3b65708b726cdc3fe594e06f27ae637f98a038b9249c399b52b223
- SSDEEP
  
  393216:gOWd863huc1dQJlAoF3MnG3WaiVLedWmoNr/xHWgrHz:5893hr1dQJ3MGGZKUpT
Score

10^/10

asyncrat xworm default solarafake discovery execution persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2