Overview

overview

10

Static

static

3

Xbinder.exe

windows7-x64

10

Xbinder.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Xbinder.exe

  • Size

    818KB

  • Sample

    250126-abs4savlew

  • MD5

    e8b3e6a05918c40c6496f0ac7570164d

  • SHA1

    a23028177074a8b162e238deb4f6bd7663e09b96

  • SHA256

    5b33e729c1b06179513baa7af574be4e43fab620da2eb35727dfde4626400070

  • SHA512

    2ecfe3dfea8af97195eb2e50fd76973df5a3294ee75fbb5f588640db8e009ea905f12958cca58283291c31b4ecd55af645adfd9de6bea07814334e8ba154f084

  • SSDEEP

    24576:9RooZwBjEhcYcvYWUb1r/rjVJbC7vztZJIS002Kgp/nn6V9g:LXwBjXQWUd7qx0Zns

Score
10/10
asyncratdefaultdefense_evasionexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

bay-helps.gl.at.ply.gg:36538

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Language
ps1
Source
URLs
exe.dropper

https://github.com/MalwareTeam/SecurityHealthService/raw/main/SecurityHealthService.exe
exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Targets

    • Target

      Xbinder.exe

    • Size

      818KB

    • MD5

      e8b3e6a05918c40c6496f0ac7570164d

    • SHA1

      a23028177074a8b162e238deb4f6bd7663e09b96

    • SHA256

      5b33e729c1b06179513baa7af574be4e43fab620da2eb35727dfde4626400070

    • SHA512

      2ecfe3dfea8af97195eb2e50fd76973df5a3294ee75fbb5f588640db8e009ea905f12958cca58283291c31b4ecd55af645adfd9de6bea07814334e8ba154f084

    • SSDEEP

      24576:9RooZwBjEhcYcvYWUb1r/rjVJbC7vztZJIS002Kgp/nn6V9g:LXwBjXQWUd7qx0Zns

    Score
    10/10
    asyncratdefaultexecutionratdefense_evasion

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

      defense_evasion

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks