asyncrat

Sharing

General

Target

exm.zip
Size

34.4MB
Sample

250318-samvgsymt5
MD5

da21f8ec79eb535a331d2a895cef7ef9
SHA1

b74b2aa321175ab5132dacbdd15cb046cc65adc8
SHA256

9cc9678578270690295e1e26ae50c1d3f6647d36650fe3ecfcd3c1db763d4eff
SHA512

331c5b1dc3514b929c00c10775448899aade61f46900038bf7e9ef15f74435e7646e32e181add9f3da8063b5621765d05c895d91f344a8a455c0f8bad439cfde
SSDEEP

786432:S3MHSELiCe3nEneNaCiPYf5RNdrxSxRaUHVRUJPyv3Ut+NgXjy3ge:S3HELiP3ExALNdtSfnHVRr+of

Score

10^/10

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
dllhost.exe
pastebin_url
https://pastebin.com/raw/ZnhxAV6a
telegram
https://api.telegram.org/bot7538644364:AAF8RmyqUUeiIW2FY-CiLkvH5n7OnXLqSuo/sendMessage?chat_id=7541917888

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7538644364:AAF8RmyqUUeiIW2FY-CiLkvH5n7OnXLqSuo/sendMessage?chat_id=7541917888

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7538644364:AAF8RmyqUUeiIW2FY-CiLkvH5n7OnXLqSuo/sendMessage?chat_id=7541917888

Targets

- Target
  
  Autoruns/Autoruns.exe
- Size
  
  1.7MB
- MD5
  
  17bd13edd536269c417ba8e1b4534fbe
- SHA1
  
  22470bb3a4c37a0c612ff7ad2596306065ac0c9b
- SHA256
  
  6111a70da65153e6ded71eae2057bf6760f340476261f6e15a80479daf9724eb
- SHA512
  
  00d8c80dcfdda235d06160b40d06e47bd0be5178c5fb2b26bf4cd984eae520d877517a16d1a62d88ed1f0a46244eafd4cc4b4183a35f85d13b250e492d441455
- SSDEEP
  
  12288:5nhZrVs162LpM5mzIhM6jl8/yX0Chz8rgRO6u2TdimrfZetCvmKT6IQViL/MW5b8:s0qQhMIX0e8uOR2xZnkiYWZk3
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  Autoruns/Autoruns64.exe
- Size
  
  1.9MB
- MD5
  
  6ae8e963b33ee52df761412b451b2962
- SHA1
  
  f7ab1987848a91af2c77a72583211dcadeed420a
- SHA256
  
  f59056339de56820e57c961d6ddd9032bd78af9f2333797944f4ee57b77ee2ca
- SHA512
  
  472f07bb37966d056d9efb97e4b686951987ca358a9f213fa6db5ec50cf4a32084cb18c863c8c1add20a2619154cf9f4705541e27c196142917eb9491b54846a
- SSDEEP
  
  24576:qU8EqexVDmS0d1ARkxDRlzmYj0tYC/5JReKq1QMcXEkb9fzTXJe:qHEqexVDmSOxxDI5JRhMIFT4
Score

3^/10
behavioral3 behavioral4
- Target
  
  Autoruns/Autoruns64a.exe
- Size
  
  2.0MB
- MD5
  
  d518661b0940e2464aa8d3073599ab89
- SHA1
  
  66be7b41b80477d7ea0045319a08362253d08097
- SHA256
  
  d6aee475688b942a2ea49ba4cc5c73ca97191ad91d7d8c2e4a57e07dcf9c9ba6
- SHA512
  
  e12967de56c1e514c22adeac308c87b2ee12d86055fb3b4e456db29bb653254cc96715afc3b701ff21c5137b2223a67bbb84a08fd05bfd15f199bdb6ab24e915
- SSDEEP
  
  12288:2ypw7n7rV3lzyNzvOdBFAijmciVjJEa2K54uWjseVCAR1RadyOBTG3M4EbK2AwZV:2ymsLOdAi2Jl4uvIvEBTG/wZZG/rjM
Score

1^/10
behavioral5 behavioral6
- Target
  
  Autoruns/autoruns.chm
- Size
  
  24KB
- MD5
  
  2c099793584365b8897fca7a4fa397e8
- SHA1
  
  50eaf2f529b1e923f7d0238ea8d3eb2187ad19cf
- SHA256
  
  ecb58342290940a5eb6b72be6faa1d0afeec9df5898df3e026d75b7b08bd8f9a
- SHA512
  
  ae407cd6b2d6ddf033f04b19ddf168423f819a4a42834afe03b7c35f86dd7b6572ced6c325fd9a56eacc9613944c4f3d17831d15713a35f0ea24f4c4c14af0ce
- SSDEEP
  
  384:h2Svimo+ByfYV9H27NbyQhxEj4sbHxQpHgQkOx:h2Svimo+h8RrSjnHupAQkE
Score

1^/10
behavioral7 behavioral8
- Target
  
  Autoruns/autorunsc.exe
- Size
  
  701KB
- MD5
  
  1d4611e03d8f32ae08cf8ade9a958729
- SHA1
  
  a8a3504eaf57a7d640bd42b5d59d2b8afa3e5f33
- SHA256
  
  bfbcf41b4659a4f371d434fc92b0f13bd46cfb82b74910633e900008765bd6da
- SHA512
  
  b3114eb005aa1f5f855d86d846099d43b61bbc7353d3acec241a79b691f69080474d356d9e414dfb65036c9a36751d9839fef15f8115ea391e906a841eb52ea4
- SSDEEP
  
  12288:6p7RGU8Fyh5h1nRoKWoS+ajSUwDeFHvOfKf:6p8rqH1nuKWoS+9DUvdf
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  Autoruns/autorunsc64.exe
- Size
  
  784KB
- MD5
  
  848e852089ba84056308e184b034c302
- SHA1
  
  ffd77f9da61b955b07c76fa392b48c09273d81fd
- SHA256
  
  110651323222353e13588adcf82f7a21faa51422a251033a4e1163b9e95ae08a
- SHA512
  
  8e45aec194863838ee2e128f765e77b0e6fbfca710279a67fe516a20c273a595a5b1eceba33988c5cbe0c3b3d0238dc25e335a38431b49ac29a35ade099a6259
- SSDEEP
  
  12288:Fa1oHlwuPdzVlet1w0BYWBzzZmEEqMSbwDQL:RFwAZlejw0BYWZEhKEDQL
Score

3^/10
behavioral11 behavioral12
- Target
  
  Autoruns/autorunsc64a.exe
- Size
  
  807KB
- MD5
  
  0c790f64e69f9d9a4cbde5e21f1a4e93
- SHA1
  
  356d1dde5bb5d1a6c43d118910eeff6725a219e9
- SHA256
  
  b9c11b7701a269b8151ec8b38577fe2bb4de1e4e1ecd7f63324454054acf6881
- SHA512
  
  5d285ff8738dc9aeed61d24e8823f81b568cc251793619d660fa42781b1cb4979c0f67e015183cccddf366f6a96ba9fcda53e91d522642ca8f8bc4bf2461a479
- SSDEEP
  
  12288:rOWkiYFavNULaT5zq5N1YsA4tF5JWYByz6YCOM5EdAdahYAwD3W:kaT525b7YCfahYdD3W
Score

1^/10
behavioral13 behavioral14
- Target
  
  EXMservice.exe
- Size
  
  21.7MB
- MD5
  
  f551d9082d5a86776a906984e9cac3b3
- SHA1
  
  7f2294fb608e65fb06b844a559dc3e8ec26dff8b
- SHA256
  
  40c4fc26947ad84ecbfbeba71c930dc8f7f4dd5ae737c0021a0cdf721a76facf
- SHA512
  
  444f10d6468c28bab1920e33544becbc228b9cca6d710e4751bab50cd04baf6fe2c2d499ed578116212e1219a68f55c6cf836a61dd5f576cce8c6fd3fc1afe1d
- SSDEEP
  
  393216:xQKf8nAG+bkX7ViesEfcGhCDNz1FNcRQR35DNJ93IPzIYHEKwPs91DQVtUcpBc:OK0AHbuViP6cGhCDdxDRFXePnkM91DQd
Score

10^/10

upx asyncrat gurcu stormkitty xworm default collection credential_access defense_evasion discovery execution persistence privilege_escalation rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Xworm Payload
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu aka WhiteSnake is a malware stealer written in C#.
  stealer gurcu
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Suspicious use of NtCreateUserProcessOtherParentProcess
- UAC bypass
  defense_evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Async RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Contacts a large (1153) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Stops running service(s)
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral15 behavioral16
- Target
  
  FortniteSettings/FortniteSettings.exe
- Size
  
  9.3MB
- MD5
  
  a39de0d010e9d34de70abad81f031e23
- SHA1
  
  9903ee2dd6b87369eb33de49d5a3d13135309899
- SHA256
  
  3b4e1a5a0d85269d9491e155864e630339e292a9228dc1eb37ff61b0a657ff6e
- SHA512
  
  6247314d4ccf1fc14d8a999d476a6370b4e553bab76fb086f4cbf163f59c982643b0820d7d829ed3d3415456a613c777f90ac8c0ff3112be0ec44a7ee126a9d9
- SSDEEP
  
  196608:SVKRZdQmRJ8dA6lbuVaycBIGpER/1q3+dgSVQ0W8/La8G5Ikq:fZdQuslbl9uq3+d9V3W82Id
Score

7^/10
- Loads dropped DLL
behavioral17 behavioral18
- Target
  
  NvidiaProfileInspector/nvidiaProfileInspector.exe
- Size
  
  535KB
- MD5
  
  ff5f39370b67a274cb58ba7e2039d2e2
- SHA1
  
  3020bb33e563e9efe59ea22aa4588bed5f1b2897
- SHA256
  
  1233487ea4db928ee062f12b00a6eda01445d001ab55566107234dea4dc65872
- SHA512
  
  7decec37c80d1d5ad6296d737d5d16c4fc92353a3ae4bd083c4a7b267bb6073a53d9f6152b20f9b5e62ba6c93f76d08f813812a83ce164db4c91107d7ad5a95f
- SSDEEP
  
  6144:4sP/zdlaCgMOx9mN1S0Mi11iBFmEobpU0u5p:/P5cCdOHmN1S0Mi2BFmLU0A
Score

1^/10
behavioral19 behavioral20
- Target
  
  WindowsUpdateBlocker/Wub.exe
- Size
  
  791KB
- MD5
  
  82aff8883099cf75462057c4e47e88ac
- SHA1
  
  68e2939f59b3869e9bd3ecc4aca3947649631bf8
- SHA256
  
  aac1123f17f8569a36bf93876cea30e15103fd2379b401a79129a2a6e7285ac2
- SHA512
  
  212ac940a1f8bdd805813c279d471efc53b858bc35c5edad182dfde3c29c37854618a507a0a0839e5a383d1ba4fe317c0b3c8275d023c86ecfa36f221560b96d
- SSDEEP
  
  12288:ZaWzgMg7v3qnCiWErQohh0F4YCJ8lnyTQrv2HzAMI3u18:4aHMv6CWrj8nyTQrv2TAMI3ua
Score

10^/10

defense_evasion discovery
- Modifies security service
  defense_evasion
behavioral21 behavioral22
- Target
  
  WindowsUpdateBlocker/Wub_x64.exe
- Size
  
  939KB
- MD5
  
  9d6778f7f274f7ecd4e7e875a7268b64
- SHA1
  
  452fa439f1cc0b9fcc37cf4b8cfff96e8cc348aa
- SHA256
  
  187eeee9e518011de1b87cfb0ed03e12ea551e9011f0c8defdd0e4535e672da2
- SHA512
  
  d51df55a5f903ec624550e847459bfa52fb19e892a58fe2de41251d9d98890b36f26a4950ad75f900de0311b5330066aaece11ec5e549d5b3867a61a344e0b87
- SSDEEP
  
  24576:12DW/xbqX2YIbzQsu3/PNLIQFHyBvGThpZY9:12EmXGQsW/PN0QNlZI
Score

10^/10

defense_evasion
- Modifies security service
  defense_evasion
behavioral23 behavioral24