asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

new.bat
Size

33KB
Sample

250109-xkbmesxngs
MD5

878627c4bca0ba302c23e3cda27b71f6
SHA1

b530ab3d16cf53c9a397586c2d71e7374ad80e89
SHA256

f70797c423c2807efbb81828b6a179099bc12a8adf852c02128cca7c67d4172b
SHA512

f5e073b50b4042540e096f6ec691941b25f22f5fe3c3dd252a064a2672ac091910ef5711bd6f6c17b7af222d9f93063fc3f94be08eed57558c2f77d1917f318c
SSDEEP

192:b+OyBLHo3fzcQD889AANVsoVVCB0+VZ3zdYxDcis:b+WN489AU+oTCB0YZ3uxDcL

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

fvanach.duckdns.org:7878

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

gvasync.duckdns.org:8797

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

ybvenomg.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

3.1

hjxwrm3.duckdns.org:8895

novxwor9402.duckdns.org:9402

Mutex

SftRwoP5yGpHaEZd

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

Version

5.0

gvxwrm5.duckdns.org:8896

Mutex

3I9i4htBzR3bPWXw

Attributes

Install_directory
%ProgramData%
install_file
Spotify.exe

aes.plain

Extracted

Family

remcos

Botnet

RemoteHost

rec8100nov.duckdns.org:8100

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-DSVPV7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  new.bat
- Size
  
  33KB
- MD5
  
  878627c4bca0ba302c23e3cda27b71f6
- SHA1
  
  b530ab3d16cf53c9a397586c2d71e7374ad80e89
- SHA256
  
  f70797c423c2807efbb81828b6a179099bc12a8adf852c02128cca7c67d4172b
- SHA512
  
  f5e073b50b4042540e096f6ec691941b25f22f5fe3c3dd252a064a2672ac091910ef5711bd6f6c17b7af222d9f93063fc3f94be08eed57558c2f77d1917f318c
- SSDEEP
  
  192:b+OyBLHo3fzcQD889AANVsoVVCB0+VZ3zdYxDcis:b+WN489AU+oTCB0YZ3uxDcL
Score

10^/10

discovery execution asyncrat remcos xworm default remotehost venom clients persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Xworm Payload
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Asyncrat family

Detect Xworm Payload

Remcos

Remcos family

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

Xworm family

Async RAT payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates processes with tasklist

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2