asyncrat

General

Target

c904e0cd3.zip
Size

804B
Sample

241219-rfk3eavkbn
MD5

930bc6b90d6ccbb4e61848d90d16b82d
SHA1

f692fdb997d2098fa2e2fbbea0f05c0b2a306bd8
SHA256

6c6fbc21d050edc1070a82bf8817015d2de88614a061438bb834f7ff2664c0a4
SHA512

d9b8d3b8dd689bb54f2c8b061a4d7c6a06a68f9906a8bb434866a8982db3c3bc745f7c946150c996703a9504717b3a3e3cbd66275678afc2be6f0e06de7ca54e

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

sdanarchynd.duckdns.org:7878

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

soasyncb.duckdns.org:6745

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

jkvernm.duckdns.org:8520

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

3.1

C2

hnxwrm3.duckdns.org:8292

Mutex

7OmhyCIQgrHx3yxU

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

Version

5.0

C2

newxrm5.duckdns.org:9390

momentnb3901.duckdns.org:3901

Mutex

0IpUtNjbaz65ubYv

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  Inquiry.html
- Size
  
  312KB
- MD5
  
  d9be2b4df752bce538b17bb70d28c38d
- SHA1
  
  d11e735cce93726af9b17b7d524569dda0386e03
- SHA256
  
  52aa4dc388981844c67bcf7b6135d3706f275bf9f20bd88facf9e35c904e0cd3
- SHA512
  
  8ee8fef44ef372821cb3c8d7b229d833dbd8d7c289c4d8fb6547bdae69c7b14f2f038369238944d22c44b9fe87fd5ec208884d212aca6cb5e41c620029bcf363
- SSDEEP
  
  6:aO+3Q21JOAZBvbLAqtybbTJOAZBvbLPMERVbjMRJViktbJFC1DqbGAL4vFC8unAU:FF21pDgqunpDvBjMxikJu0XGztu0Xn
Score

10^/10

discovery asyncrat xworm default venom clients credential_access execution rat stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2