General

  • Target

    0x00080000000174cc-13.dat

  • Size

    74KB

  • Sample

    241227-a7ma4sxjas

  • MD5

    5b43e7355fd90aff498f34f9c9abe5a0

  • SHA1

    ced829ab27f09bb9316a95617e027dfa052f0955

  • SHA256

    235acf44d2a24f518dc53f3eda92ffb9fbe2546c37d9e5fb951eb282c782f3c7

  • SHA512

    a703c4e821e40361b1da8a1687fbb7e394efa81c19e386f0037b1380e1949f58219cf0b69e8ec1eee068a7cf5667c933437a3382e2f1cc9f20b438df3b35a5c0

  • SSDEEP

    1536:mU5gcxbVzCt+PPMVFsg/IuH1bG/eASUDUxQzcKLVclN:mUGcxblTPPMVFjDH1bGRNUxQ7BY

Malware Config

Extracted

Family

asyncrat

Version

Tsurugi RATs

Botnet

Default

C2

213.136.90.188:4449

Mutex

zteprqyjlfgxrxuaid

Attributes
  • delay

    1

  • install

    true

  • install_file

    Check Windows Update.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

C2

213.136.90.188:7000

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Microsoft Edgs.exe

Targets

    • Target

      0x00080000000174cc-13.dat

    • Size

      74KB

    • MD5

      5b43e7355fd90aff498f34f9c9abe5a0

    • SHA1

      ced829ab27f09bb9316a95617e027dfa052f0955

    • SHA256

      235acf44d2a24f518dc53f3eda92ffb9fbe2546c37d9e5fb951eb282c782f3c7

    • SHA512

      a703c4e821e40361b1da8a1687fbb7e394efa81c19e386f0037b1380e1949f58219cf0b69e8ec1eee068a7cf5667c933437a3382e2f1cc9f20b438df3b35a5c0

    • SSDEEP

      1536:mU5gcxbVzCt+PPMVFsg/IuH1bG/eASUDUxQzcKLVclN:mUGcxblTPPMVFjDH1bGRNUxQ7BY

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Modifies Windows Defender Real-time Protection settings

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Async RAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

MITRE ATT&CK Enterprise v15

Tasks