General
-
Target
exm.bat
-
Size
672KB
-
Sample
241225-c31ztavpcm
-
MD5
370aa4901be86e11a72afff222c86e92
-
SHA1
e096c9d5c9f569ce2ef635e85637770911e776ba
-
SHA256
93a217610764ba1fd4f3a6be92aee28d3ebb68bd97acac624d32eb5d74c66b83
-
SHA512
03ae1394b77920b8f3efa719bf0fda67863b320a5751e6a21100a26426a3519eb352f765c4ea079e9272f173980ec2b07b2ef48c61de21c0570a1956fb83eeb7
-
SSDEEP
3072:BIGzQbmbkAqA2xH7VkKEn14IZVvisLur+KW:BIGiVNEn14IZVvisL4W
Static task
static1
Behavioral task
behavioral1
Sample
exm.bat
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
exm.bat
Resource
win10v2004-20241007-en
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
xworm
-
Install_directory
%LocalAppData%
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/ZnhxAV6a
-
telegram
https://api.telegram.org/bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888
Targets
-
-
Target
exm.bat
-
Size
672KB
-
MD5
370aa4901be86e11a72afff222c86e92
-
SHA1
e096c9d5c9f569ce2ef635e85637770911e776ba
-
SHA256
93a217610764ba1fd4f3a6be92aee28d3ebb68bd97acac624d32eb5d74c66b83
-
SHA512
03ae1394b77920b8f3efa719bf0fda67863b320a5751e6a21100a26426a3519eb352f765c4ea079e9272f173980ec2b07b2ef48c61de21c0570a1956fb83eeb7
-
SSDEEP
3072:BIGzQbmbkAqA2xH7VkKEn14IZVvisLur+KW:BIGiVNEn14IZVvisL4W
-
Asyncrat family
-
Detect Xworm Payload
-
StormKitty payload
-
Stormkitty family
-
Xworm family
-
Async RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1