Overview

overview

10

Static

static

1

new.bat

windows7-x64

8

new.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    new.zip

  • Size

    3KB

  • Sample

    250110-debkpazkas

  • MD5

    474736539e4f8faa6320d9a81737828f

  • SHA1

    21ed7f01ffe9ebe0bac7d020e85be075ce676ea7

  • SHA256

    0325e65e9c037c4a37bf52e3092c9627a29eda51987bbcb43139e352b9d930eb

  • SHA512

    3130cf0d7a7d55aa7b2ebdd1b7449996325c0e6696eacca3d88589df2db05ba4ead0c6cd7b36e8a7c0161454606c76d9e350f0fd3cf8c5137c292b85c2062362

Score
10/10
asyncratxwormdefaultvenom clientsdiscoveryexecutionrattrojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

fvanach.duckdns.org:7878

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

gvasync.duckdns.org:8797

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

ybvenomg.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

Version

3.1

C2

hjxwrm3.duckdns.org:8895

novxwor9402.duckdns.org:9402
Mutex

SftRwoP5yGpHaEZd

Attributes
  • install_file

    USB.exe

aes.plain
aes.plain

Extracted

Family

xworm

Version

5.0

C2

gvxwrm5.duckdns.org:8896

Mutex

3I9i4htBzR3bPWXw

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Spotify.exe

aes.plain

Targets

    • Target

      new.bat

    • Size

      33KB

    • MD5

      878627c4bca0ba302c23e3cda27b71f6

    • SHA1

      b530ab3d16cf53c9a397586c2d71e7374ad80e89

    • SHA256

      f70797c423c2807efbb81828b6a179099bc12a8adf852c02128cca7c67d4172b

    • SHA512

      f5e073b50b4042540e096f6ec691941b25f22f5fe3c3dd252a064a2672ac091910ef5711bd6f6c17b7af222d9f93063fc3f94be08eed57558c2f77d1917f318c

    • SSDEEP

      192:b+OyBLHo3fzcQD889AANVsoVVCB0+VZ3zdYxDcis:b+WN489AU+oTCB0YZ3uxDcL

    Score
    10/10
    discoveryexecutionasyncratxwormdefaultvenom clientsrattrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates processes with tasklist

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks