asyncrat | 77d6be419db0e37ca0b078e59c1671792f7b6503fada5a579424b3994742774e | Triage

Sharing

General

Target

loader.exe
Size

86KB
Sample

250129-kaxexsslcy
MD5

57f6021de4d2fbe84c3038e624512dce
SHA1

0b89bc5ea4d9210e2e073a1003d0f50dca843338
SHA256

77d6be419db0e37ca0b078e59c1671792f7b6503fada5a579424b3994742774e
SHA512

b224d1481c5274d34e1d169c2bb9e291b5cf27100dbc833f024f5b6282999381dd7005f56621012e26a6e737d347a4b16812e533224d3735e819a351b9c0ecc7
SSDEEP

1536:7ZRzeHd/3w4Rgmcux+gENmyd3hs582bwoFo+oMyQryrxClrzlMxO9cJq:7Z8fh+gSz3hsCAwoFo1MNyrxErzmxO9t

Score

10^/10

asyncrat xworm fucked up by codex17 execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Botnet

FUCKED UP BY CODEX17

C2

105.100.250.154:39687

Attributes

delay
1
install
true
install_file
Anti Spayware core service.exe
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

C2

105.100.250.154 :38672

Attributes

Install_directory
%ProgramData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7581317328:AAHSOYBRXtxAC4eNoBHxtvJwUlAqgnnRcoc/sendMessage?chat_id=6229207397

Targets

- Target
  
  loader.exe
- Size
  
  86KB
- MD5
  
  57f6021de4d2fbe84c3038e624512dce
- SHA1
  
  0b89bc5ea4d9210e2e073a1003d0f50dca843338
- SHA256
  
  77d6be419db0e37ca0b078e59c1671792f7b6503fada5a579424b3994742774e
- SHA512
  
  b224d1481c5274d34e1d169c2bb9e291b5cf27100dbc833f024f5b6282999381dd7005f56621012e26a6e737d347a4b16812e533224d3735e819a351b9c0ecc7
- SSDEEP
  
  1536:7ZRzeHd/3w4Rgmcux+gENmyd3hs582bwoFo+oMyQryrxClrzlMxO9cJq:7Z8fh+gSz3hsCAwoFo1MNyrxErzmxO9t
Score

10^/10

asyncrat xworm fucked up by codex17 execution persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratxwormfucked up by codex17executionpersistencerattrojan