asyncrat

General

Target

EXM_Premium_Tweaking_Utility_1.0_Cracked.bat
Size

672KB
Sample

241229-ng7q1szqbn
MD5

62effd806c73fab27bdae3a51dd955d8
SHA1

8ce251bd3d0a31fca442884a3fe0ebe940d08ca0
SHA256

63577b4677fe321246f2b6991639c920b55d4991b8fcf5986787ea1cd55e3250
SHA512

19e954a8bdae76848188b2b12675bce8d56df30e6ffaa9e7b07b888631419e23c2f40e176ed8ea7f7b6b0a7ae7521ca06ed6dc4cb53663bf9b7fdc888dc7aaaa
SSDEEP

3072:FWGzQbmbkAqA2xH7VkKEn14IZVvisLur+K3:FWGiVNEn14IZVvisL43

Score

10^/10

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/ZnhxAV6a
telegram
https://api.telegram.org/bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  EXM_Premium_Tweaking_Utility_1.0_Cracked.bat
- Size
  
  672KB
- MD5
  
  62effd806c73fab27bdae3a51dd955d8
- SHA1
  
  8ce251bd3d0a31fca442884a3fe0ebe940d08ca0
- SHA256
  
  63577b4677fe321246f2b6991639c920b55d4991b8fcf5986787ea1cd55e3250
- SHA512
  
  19e954a8bdae76848188b2b12675bce8d56df30e6ffaa9e7b07b888631419e23c2f40e176ed8ea7f7b6b0a7ae7521ca06ed6dc4cb53663bf9b7fdc888dc7aaaa
- SSDEEP
  
  3072:FWGzQbmbkAqA2xH7VkKEn14IZVvisLur+K3:FWGiVNEn14IZVvisL43
Score

10^/10

asyncrat stormkitty xworm default discovery evasion execution persistence privilege_escalation pyinstaller rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Xworm Payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- UAC bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral1