asyncrat | 1001e70668789e08f7979484610e5246fa3c760142bc3ca8a55ce3da2301907a

General

Target

Dropper.exe
Size

18.0MB
MD5

392b044ac8ee5751045a163b2d1a358f
SHA1

56429e69619c0e69128732051db6e0e9bc40c18c
SHA256

1001e70668789e08f7979484610e5246fa3c760142bc3ca8a55ce3da2301907a
SHA512

2d0fd9963373132fde1d442d742efc95e8510f61325518aead420eeffb70e2a7566d95d3015ad930c4beddd2aa3d5b937b5711d0b0d09ee795eb6136aa26409b
SSDEEP

393216:m9YidhKRmmb1TfHqO1UyXMCHWUjlVg74wdugWIPPVBFVVJo8W:m9Yidh0MyXMb8PDwduGPPVNV+8W

Score

10^/10

asyncrat xworm default discovery pyinstaller rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

192.168.1.222:6606

192.168.1.222:7707

192.168.1.222:8808

Mutex

mA2752pAY1JK

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

C2

192.168.1.222:7000

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015e25-17.dat	family_xworm
behavioral1/memory/2800-22-0x0000000001130000-0x0000000001148000-memory.dmp	family_xworm
behavioral1/memory/1320-160-0x0000000000BA0000-0x0000000000BB8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000b00000001225a-4.dat	family_asyncrat

Executes dropped EXE 7 IoCs

pid	Process
2528	AsyncClient2.exe
2684	pile.exe
2800	XClient.exe
2832	trap1.exe
1232	0.exe
1320	1.exe
2332	trap1.exe

Loads dropped DLL 7 IoCs

pid	Process
1668	Dropper.exe
1668	Dropper.exe
1668	Dropper.exe
1668	Dropper.exe
2808	Process not Found
2832	trap1.exe
2332	trap1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000015e47-28.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dropper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	XClient.exe
Token: SeDebugPrivilege	1320	1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1668	Dropper.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2528	1668	Dropper.exe	30
PID 1668 wrote to memory of 2528	1668	Dropper.exe	30
PID 1668 wrote to memory of 2528	1668	Dropper.exe	30
PID 1668 wrote to memory of 2528	1668	Dropper.exe	30
PID 1668 wrote to memory of 2684	1668	Dropper.exe	31
PID 1668 wrote to memory of 2684	1668	Dropper.exe	31
PID 1668 wrote to memory of 2684	1668	Dropper.exe	31
PID 1668 wrote to memory of 2684	1668	Dropper.exe	31
PID 1668 wrote to memory of 2800	1668	Dropper.exe	32
PID 1668 wrote to memory of 2800	1668	Dropper.exe	32
PID 1668 wrote to memory of 2800	1668	Dropper.exe	32
PID 1668 wrote to memory of 2800	1668	Dropper.exe	32
PID 1668 wrote to memory of 2832	1668	Dropper.exe	33
PID 1668 wrote to memory of 2832	1668	Dropper.exe	33
PID 1668 wrote to memory of 2832	1668	Dropper.exe	33
PID 1668 wrote to memory of 2832	1668	Dropper.exe	33
PID 2684 wrote to memory of 1232	2684	pile.exe	35
PID 2684 wrote to memory of 1232	2684	pile.exe	35
PID 2684 wrote to memory of 1232	2684	pile.exe	35
PID 2684 wrote to memory of 1232	2684	pile.exe	35
PID 2684 wrote to memory of 1320	2684	pile.exe	36
PID 2684 wrote to memory of 1320	2684	pile.exe	36
PID 2684 wrote to memory of 1320	2684	pile.exe	36
PID 2832 wrote to memory of 2332	2832	trap1.exe	37
PID 2832 wrote to memory of 2332	2832	trap1.exe	37
PID 2832 wrote to memory of 2332	2832	trap1.exe	37

C:\Users\Admin\AppData\Local\Temp\Dropper.exe
"C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\AsyncClient2.exe
  "C:\Users\Admin\AppData\Local\Temp\AsyncClient2.exe" 0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2528
- C:\Users\Admin\AppData\Local\Temp\pile.exe
  "C:\Users\Admin\AppData\Local\Temp\pile.exe" 0
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Roaming\0.exe
    "C:\Users\Admin\AppData\Roaming\0.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1232
- - C:\Users\Admin\AppData\Roaming\1.exe
    "C:\Users\Admin\AppData\Roaming\1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe" 0
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\trap1.exe
  "C:\Users\Admin\AppData\Local\Temp\trap1.exe" 0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\trap1.exe
    "C:\Users\Admin\AppData\Local\Temp\trap1.exe" 0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI28322\python313.dll

Filesize
5.8MB

MD5
501080884bed38cb8801a307c9d7b7b4

SHA1
881b250cc8f4fa4f75111ac557a4fde8e1e217af

SHA256
bf68cf819a1e865170430c10e91c18b427aef88db1da1742020443864aa2b749

SHA512
63d74a4871d1c72c2a79ae8a5d380070f9d2128c16949c3ad36c9862fcc4dab738137ed3d51caf0bc46b36655f8bd8a2d425d68200123415ee8d4de0e1cbebc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pile.exe

Filesize
431KB

MD5
6fecf711df62b628669d1027d14a4bf5

SHA1
6062a129555a89ee968c84aabb45ae7a59b0b44b

SHA256
0a83e74cc52104c71010d4d66703ff34d5a9245a9d46f7926fc667ad4201550c

SHA512
e2fa8590ec04bbf1db51dc692684e00d6e6fe5ae77da398900348dda5859cffc3455138ec0ab9434e624b394b68a6d8750a41514f34108b40121231eb19f88b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\trap1.exe

Filesize
17.4MB

MD5
f99bcfad4d7e5b4034a208231ab52a68

SHA1
ca2cae0d8b7d656e355c3b9dcda0aed3b3de9534

SHA256
2971c12fa4af39c67f2f59e391f118e350f9824d198c54b0634de9f4cdc963b9

SHA512
78d327c84f6a69a09257057250a1db7ee21725d0fee4a75f5d07389f986fb5ceb6015a74a9d0b5d3ecd7ba77c0d473c4bd17a2dd62a5895221c019af1a173587

Download Submit
\Users\Admin\AppData\Local\Temp\AsyncClient2.exe

Filesize
47KB

MD5
552ffc8c5f01477794e54ca98130f2d3

SHA1
3232ea63d8a89ecf9d188b84c2090ed0aa5740ed

SHA256
a161c7118b90a154291649f3c135d3d4e5f100e8017b01ea912a46e90ad28b87

SHA512
55da0b761f87f1d0328bc606c9ae49277d7e455d40e394b839a7e4d1a5ade6b3069db5209b29caa4dce02c5b2f5f33840ac788d8bee075a6fff0dbb6530fa2d4

Download Submit
\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
72KB

MD5
b98d6315ae637e71ff52fc89ee293606

SHA1
005064d052b5404c63323684482beb3be33799c8

SHA256
23c49a66fad823d47a1cb2e742ac4c12f51d6597f35f31635ab26337e59b410b

SHA512
2c7a22ac894ee34d00f8f334bb26fb0a9da32162e5d0d000a9bdeb6d2b63dee9768aaaf6fb68d2d229b29576b71af7cda5758f503252187a3d6030da9088ec74

Download Submit
memory/1232-149-0x0000000001250000-0x0000000001262000-memory.dmp

Filesize
72KB

Download
memory/1320-160-0x0000000000BA0000-0x0000000000BB8000-memory.dmp

Filesize
96KB

Download
memory/2528-25-0x0000000001310000-0x0000000001322000-memory.dmp

Filesize
72KB

Download
memory/2684-21-0x0000000000300000-0x0000000000372000-memory.dmp

Filesize
456KB

Download
memory/2800-22-0x0000000001130000-0x0000000001148000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads