General

  • Target

    c904e0cd3.zip

  • Size

    804B

  • Sample

    241219-rfk3eavkbn

  • MD5

    930bc6b90d6ccbb4e61848d90d16b82d

  • SHA1

    f692fdb997d2098fa2e2fbbea0f05c0b2a306bd8

  • SHA256

    6c6fbc21d050edc1070a82bf8817015d2de88614a061438bb834f7ff2664c0a4

  • SHA512

    d9b8d3b8dd689bb54f2c8b061a4d7c6a06a68f9906a8bb434866a8982db3c3bc745f7c946150c996703a9504717b3a3e3cbd66275678afc2be6f0e06de7ca54e

Malware Config

Extracted

  • Family

    asyncrat

  • Botnet

    Default

  • C2

    sdanarchynd.duckdns.org:7878

  • Attributes

    • delay

      1

    • install

      false

    • install_folder

      %AppData%

  • aes.plain 1

    mzSF5fXzRoDJsWExfbQn95kOV2nxTnzd

Extracted

  • Family

    asyncrat

  • Version

    0.5.7B

  • Botnet

    Default

  • C2

    soasyncb.duckdns.org:6745

  • Mutex

    AsyncMutex_6SI8OkPnk

  • Attributes

    • delay

      3

    • install

      false

    • install_folder

      %AppData%

  • aes.plain 1

    HVktmrr0MIZXjHY6l2unnMDH3cvZQPUq

Extracted

  • Family

    asyncrat

  • Version

    5.0.5

  • Botnet

    Venom Clients

  • C2

    jkvernm.duckdns.org:8520

  • Mutex

    Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

  • Attributes

    • delay

      1

    • install

      false

    • install_folder

      %AppData%

  • aes.plain 1

    Mmrgn2nQg4co1cHpuEJrjDQxevwwHk4S

Extracted

  • Family

    xworm

  • Version

    3.1

  • C2

    hnxwrm3.duckdns.org:8292

  • Mutex

    7OmhyCIQgrHx3yxU

  • Attributes

    • install_file

      USB.exe

  • aes.plain 1

    dsSxLtUACG1LyiF+QG8/6Q==

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    newxrm5.duckdns.org:9390

    momentnb3901.duckdns.org:3901

  • Mutex

    0IpUtNjbaz65ubYv

  • Attributes

    • install_file

      USB.exe

  • aes.plain 1

    pem4ZlKMkPbE+vQ8DWpAuw==

  • aes.plain 1

    /3Er/CTznplZeZMdHduu8w==

Targets

    • Target

      Inquiry.html

    • Size

      312KB

    • MD5

      d9be2b4df752bce538b17bb70d28c38d

    • SHA1

      d11e735cce93726af9b17b7d524569dda0386e03

    • SHA256

      52aa4dc388981844c67bcf7b6135d3706f275bf9f20bd88facf9e35c904e0cd3

    • SHA512

      8ee8fef44ef372821cb3c8d7b229d833dbd8d7c289c4d8fb6547bdae69c7b14f2f038369238944d22c44b9fe87fd5ec208884d212aca6cb5e41c620029bcf363

    • SSDEEP

      6:aO+3Q21JOAZBvbLAqtybbTJOAZBvbLPMERVbjMRJViktbJFC1DqbGAL4vFC8unAU:FF21pDgqunpDvBjMxikJu0XGztu0Xn

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Async RAT payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks
