General

  • Target

    VenomRAT v6.0.3.exe

  • Size

    14.3MB

  • Sample

    241223-y9dczszqcp

  • MD5

    674fb9de862cbbb47a6ab5a7adb91d7e

  • SHA1

    5895e99a1cb66771735bb93d6fc85110d064ac88

  • SHA256

    dcb9b3bd02e4bca6dab8da73cfe8ff256cf70b2fef9aebd35f9c860b2e1df60e

  • SHA512

    444d9c6519c1564520a93ca49edf1a7bb742043f53bcf3cb6fe7ae5561253515f39aa197cb39d10a140ac2fdf3b4986034d9f6f2264000965bd2eba94ec99602

  • SSDEEP

    393216:vPv87RoDvSCG33lKqxsyEFfy1MpRt/RlY1V:vPv8727S/nweEFPRt5W1V

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:4444

heheyanel.ddns.net:4444

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    Activator.exe

  • telegram

    https://api.telegram.org/bot7427144754:AAHRLM93AsaKo2dFejmZxunuQW0uH41yfn0/sendMessage?chat_id=7294780361

Targets

    • Target

      VenomRAT v6.0.3.exe

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks