asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

archive_60.zip
Size

34.4MB
Sample

250322-g2wqxsy1fx
MD5

df8ac1617a1b79b817a06631e29dda0b
SHA1

3ada271c1dfea95b31d6854d7ff0069feee2e420
SHA256

55edcf08f8521a9cddde8570baaac0ab8ef6e640e96c834db0e5c12f5b9c68fe
SHA512

107ba9f29d2a395c6ede76951d425fdc2f795379dd4b3fd52ebf9da37118cb2fae01ee711bbb7d989e38dfb87be288cc8776bde8149de9dfeaa0a654567607d0
SSDEEP

786432:uwLNuwf9VIBlizAqVEfY6MDt+Qft4Vp//yxNLNTX4FfyOyQ37N:hLNhf9y3WYfYzDoQft47afND4YQZ

Malware Config

Extracted

Family

xworm

127.0.0.1:7777

door-predict.gl.at.ply.gg:7777

cartomen-31558.portmap.host:31558

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Extracted

Family

redline

Botnet

nou

135.125.21.41:1912

Extracted

Family

xworm

Version

3.1

request-busy.gl.at.ply.gg:6728

Attributes

Install_directory
%AppData%
install_file
USB.exe

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

disha2024.ddns.net:1177

Mutex

08f8635990ea5e4f2c51d6306732973d

Attributes

reg_key
08f8635990ea5e4f2c51d6306732973d
splitter
|'|'|

Extracted

Family

xenorat

5.tcp.eu.ngrok.io

Mutex

Microsoft

Attributes

delay
5000
install_path
temp
port
11269
startup_name
nothingset

Extracted

Family

nanocore

Version

1.2.2.0

91.236.116.142:5888

Mutex

d995ed82-bf13-4043-b564-f5f89f8c5209

Attributes

activate_away_mode
true
backup_connection_host
91.236.116.142
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2017-01-07T03:01:54.729778636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5888
default_group
Spy
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d995ed82-bf13-4043-b564-f5f89f8c5209
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
91.236.116.142
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

darkcomet

Botnet

Guest16

vendetta123.myftp.biz:1604

vendetta123.myftp.biz:8080

vendetta32.myftp.biz:8080

vendetta32.myftp.biz:1604

Mutex

DC_MUTEX-EPHKD8X

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
GwGlrzWozjeS
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Boy12345#

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:14888

health-eddie.gl.at.ply.gg:14888

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  f2259737b967bbe88fc74916f319c61a.exe
- Size
  
  914KB
- MD5
  
  f2259737b967bbe88fc74916f319c61a
- SHA1
  
  d4aa76d4aeaebb6db93b4131c81fc898cb48f901
- SHA256
  
  b4dc13b87fda606c84b1ac2e9a3ae2d16f24aa5ff389b6cb0f550dd517986cba
- SHA512
  
  560b28ea6b8d8b67f0a0707f819204d8b4f49614d668ab2a367acc67fb437562c8163cb4b6ccb70186945f58d788b0d1e5e44d0e238f96b03e70ad245c1f70d0
- SSDEEP
  
  24576:CdtP2cbksTpugRNJI5kFMJF9OWjwjLOjZV:fgq7
Score

10^/10

nanocore discovery keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  f26d7a764816fad6183d06a6fc996857.exe
- Size
  
  984KB
- MD5
  
  f26d7a764816fad6183d06a6fc996857
- SHA1
  
  ab68307f5b1f1fbe0c99fcbed2b6d6ee3f596409
- SHA256
  
  dd6f503f280cc68627a4ef5082596457d1e608d0aef4a7f0d33e0640e520b81e
- SHA512
  
  d3b46e095ceb3cd56975c27708726d6d07a96c7c58aa3273630bfac596608eb868061655177140aef74e71728cd51427a91a9a36fbb4d4cbb2f1fc3c6c50ddfe
- SSDEEP
  
  12288:rzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:rzZvuGD2PvA5YxwmbZB6Uv
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  f2728425ca601bdf06725c7584a8d848f1fb0d90fc28e219157556534d1b3999.exe
- Size
  
  4.8MB
- MD5
  
  6ad963b7e8e072b0e74afab991ce4c37
- SHA1
  
  c8511ce099079ba5ea64b0d6ce6865f8ccf73ef6
- SHA256
  
  f2728425ca601bdf06725c7584a8d848f1fb0d90fc28e219157556534d1b3999
- SHA512
  
  105d1b65eca3b9652a842cd5ee60c53a1335f2888032f8b3acef310a0552a9d9cf14335b5957a4c4dcd97fdb3d946e7698016c0e45e71e5185b0c93691c42d30
- SSDEEP
  
  3072:fv2BuEK/hTTK3EW2pL81kunExjRn21W62b0T3t:fXU0W2pL8CunExjNET3
Score

10^/10

asyncrat default rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral5 behavioral6
- Target
  
  f27c4963784ed1d311afd03bdfbe000f499b67edd16c4af85d34e547b892ca29.exe
- Size
  
  923KB
- MD5
  
  03fec9db45b4e2b6bd119629c62afeed
- SHA1
  
  f9e3d4f4c5142b8e9e62d876fb1d75022059936e
- SHA256
  
  f27c4963784ed1d311afd03bdfbe000f499b67edd16c4af85d34e547b892ca29
- SHA512
  
  f30c2d7bb2201b9f78c5c23bcad35a04bad30a23b32e8bba006b9fb4ac453476d303109802c5799d60c813d7e942f3f38f336075d9709af0c02daadf8762cd7c
- SSDEEP
  
  24576:UdtP2cbksTpugRNJI5kFMJF9OWjwjLOjZX7:tgq17
Score

10^/10

nanocore discovery keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  f2e7cee938a991ef6e4a0fcb64efc69a.exe
- Size
  
  3.3MB
- MD5
  
  f2e7cee938a991ef6e4a0fcb64efc69a
- SHA1
  
  a256643993c2ad1e86be6209dd3cf457ba6e6865
- SHA256
  
  b874ba54767cb863c42144303d87a6cba7c13b2cb36d10ecc714b226b1732d03
- SHA512
  
  af637f0038ac2afe4ab315c514ceb79540c54c5cd59128a7a1726c022c3846e57fb5d762360b9db5f34605e7134203f058c693edfb8b5d9d07b86dbc346f451b
- SSDEEP
  
  49152:7s51kZEsvhP4KUYTMb5C1JyWdLQqFxLCobXK45p4aE:7s5eaKhgKUFCo2LP15s
Score

10^/10

dcrat defense_evasion infostealer rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
behavioral10 behavioral9
- Target
  
  f2fe22a9b88a7181ef0a17fcbafba04ca86ac230251f2c02b3a2122056f7b8f7.exe
- Size
  
  133KB
- MD5
  
  521a4637ac2bd84bc35a869cb9ad98a1
- SHA1
  
  59630f3b2c3aa5f10485556effa1fa59d805a977
- SHA256
  
  f2fe22a9b88a7181ef0a17fcbafba04ca86ac230251f2c02b3a2122056f7b8f7
- SHA512
  
  720c0d2a6b942ac2f148f01593ee82801fef14966486b01c846b196134b79b189f4ea9e778e5400649c853235f8871f365180c53a21f8a3a6aaf9240bbe4d62d
- SSDEEP
  
  768:HQlFnwDpc9AWYs8Wb0atny6zmB+7AFZbrdlEjpAFZbrdlEjAaoBl3sTU:HQcanb0L6zm8sZHdlgCZHdlgAwI
Score

1^/10
behavioral11 behavioral12
- Target
  
  f329b3a2d6b8a4688e82ffe1c491b2ab.exe
- Size
  
  63KB
- MD5
  
  f329b3a2d6b8a4688e82ffe1c491b2ab
- SHA1
  
  d06cab7d0ce6970807574569f4a3896ddd3d9ee7
- SHA256
  
  e8b6648a1f94b9a9ea1d67db82812f08f5aaa7fd220d5574ba7e9e14dbcb06a0
- SHA512
  
  cdc3056d11cfa9f34beee2a83dd861074076fec47e9b8a30a0e01eb92ee0ccca6b8376d58e578c15de720e5ea745da9fddbd3b0380995b237ad21a4dc1651dc6
- SSDEEP
  
  1536:j/kfqBXOzUG4meKbDofOBOlNQYgK6dyOmgnz:j59cUsBbDo6s1gZyOmgnz
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral13 behavioral14
- Target
  
  f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
- Size
  
  1.6MB
- MD5
  
  e9a05151dfc1c4c2e84f16e25d05f6ee
- SHA1
  
  4bced15dc17ebf0e95cb34558e093446d394b235
- SHA256
  
  f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1
- SHA512
  
  6bd1a48e3d6a6a76b115bb6b6dddb95c5a39a890ca285f8d9470a6857d73c761225271ea513b1762641b373aa737b845261e0098e94ea8552ddd04226be804af
- SSDEEP
  
  24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score

10^/10

dcrat execution infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral15 behavioral16
- Target
  
  f35d502490f7522150c06d1bd7ca12e2.exe
- Size
  
  8.6MB
- MD5
  
  f35d502490f7522150c06d1bd7ca12e2
- SHA1
  
  5ff707c5084b287ae08886bc857d4a2b4ffd8793
- SHA256
  
  af9968865c5173cb2b5af909bb34088bf51496c10ef91e26c054bde235bb519f
- SHA512
  
  8fe5536968d1ad453a58644052a27731e3d1dc4c57553c68c4ad310d459276dd8d1c4e5a15b7d262d864ed0675cab0ba6ef6b2081fa3653cb4c6062df1b6bc4f
- SSDEEP
  
  196608:t3/F4FE9vSMWU3wmIAYJVY5yJo20px+w71m:t3/F4F1mIfVY422Mx+V
Score

10^/10

defense_evasion discovery persistence
- Modifies visiblity of hidden/system files in Explorer
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral17 behavioral18
- Target
  
  f36fde098314a27faa2d29aeb76c2bfb.exe
- Size
  
  420KB
- MD5
  
  f36fde098314a27faa2d29aeb76c2bfb
- SHA1
  
  156b293c80743c32b34ac9a44487360eefb51fb5
- SHA256
  
  8e3c706a25a3207a1acbb83b5a98e364ccee10817294a4028384fcdc55626de7
- SHA512
  
  a6f453a49b9774d6001ca5fca7c2af4db32d280fd05e29166b1b5e605c33167e27ce3fb8f1b3cac156abd6744176cee5d857d6755f86bfb99ffa15c495dca112
- SSDEEP
  
  6144:ppNJ7akCRa87w8qOwMrIZ1WthzHVMaY7P09jX38qK8kFdz64p4j+2wZEsv2Z51HV:N5rZ8zhxMaY6YRD6k43wZEsv2FHbF8kJ
Score

1^/10
behavioral19 behavioral20
- Target
  
  f373a271fe4709f9373cd3f5d1519b4055cf99521118a2b8dc790e358b3e1472.exe
- Size
  
  1.6MB
- MD5
  
  035fb85d4bfb5d363a2e19689c5293ec
- SHA1
  
  3d19aba6ea72ceef39689f1aac1cf79f48da3003
- SHA256
  
  f373a271fe4709f9373cd3f5d1519b4055cf99521118a2b8dc790e358b3e1472
- SHA512
  
  8308bb0f3d867ed63c57f29a345f97a2179277648910c2499e9cf016f84b0a09bb2aab50a59b258ee569fa79cb5d3269804f693a42db9228a903b9e3368d0a63
- SSDEEP
  
  24576:TK1mgY/IrFL0sp2ctQVvIUu6+HnihZVFGZo0Pzv8veL4uso/G3X3BrVv:hIgc2xn+CbVFGjL0veL42u35Vv
Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral21 behavioral22
- Target
  
  f386c97ec32e28437b074ba6fb3311ed.exe
- Size
  
  300KB
- MD5
  
  f386c97ec32e28437b074ba6fb3311ed
- SHA1
  
  d510749fb503fe0f5bb24084f89866d796ae9481
- SHA256
  
  d04dd4cc8f7963d05ef33dd9b686506ad81e981974b4aefdd2f7befdc9dbec16
- SHA512
  
  e0225f9fcd9f1a528d1f7b4936e32821d05f8cde036f4072195603dd09cf97c163f931af6a500eaa8dc886b46ee8cc4594e4035685fcd8784d79610b520570e5
- SSDEEP
  
  3072:acZqf7D34kp/0+mA+kyI7BQwg02+B1fA0PuTVAtkxzN3RMeqiOL2bBOA:acZqf7DIcnfmcB1fA0GTV8k70L
Score

10^/10

redline nou discovery infostealer spyware stealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral23 behavioral24
- Target
  
  f3873b73a0b2ef5c54ba8ed8a571bc14.exe
- Size
  
  1.1MB
- MD5
  
  f3873b73a0b2ef5c54ba8ed8a571bc14
- SHA1
  
  404a503b0a98f21c4adc006ebd7a51466aa1e52d
- SHA256
  
  e38968cd849bfac11b8dc61f6945e406dc8fefed82db482d87579b61649cd08f
- SHA512
  
  02f343a965daa821e8f14fda3cc296beb8dac814b6618c20506c5afd9625c8108f868463b9318ace1c6e5600abecf1236751846794879bc465c08e3dfa22515a
- SSDEEP
  
  12288:96NE5eSwJu37+GXJpkaI7ShG54v4ahgVY3whNG8/LI6i4ejmtnbAouuFteLBdBN9:96NReJXJIwvJgVQSoPEzKkLXa
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral25 behavioral26
- Target
  
  f3a76e96152f78dfc595c893cc231178.exe
- Size
  
  650KB
- MD5
  
  f3a76e96152f78dfc595c893cc231178
- SHA1
  
  efa55d03a82acba60aab912e10cc4c4cd816ce5c
- SHA256
  
  9dcfcbad0169efae8590a54b2747ef0f142c061e73325c57e759ba7c7521f596
- SHA512
  
  7621fe0c6235e40ea143654c2a2e41403f7b610f62b5cd22255432fe057068709b48f67b2832e524647ae0fcedb41b4dcf2d289b383aedc82635055cc7684757
- SSDEEP
  
  6144:ZtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rCB:z6u7+487IFjvelQypyfy7CB
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral27 behavioral28
- Target
  
  f3eedde12ec9a2f363c13d643bd2acdf.exe
- Size
  
  48KB
- MD5
  
  f3eedde12ec9a2f363c13d643bd2acdf
- SHA1
  
  2d53fef1c7b2036d4c25097fe1d3d5276cff9cb8
- SHA256
  
  63c8a594926959e99dbcaac2e4bdf923691373d432500ddc0572996bfb8e399e
- SHA512
  
  0f6f4ed01f591edb4565fd31169aebb3be2d2dec246459411c52db0c9c7168da4404d4657312c879980b524da6047d9a87b8a49bae5836bf40e9ebeb6f166a53
- SSDEEP
  
  768:p4Q66hONMScH5lT67gmvCrPz3uRr+Ubpi6yCAHBQSE+ZO+h+ArZ6T:pXOWpzPz3WrhbpryCAhQx+ZO+do
Score

10^/10

xworm defense_evasion discovery persistence ransomware rat trojan privilege_escalation
- Detect Xworm Payload
- UAC bypass
  defense_evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral29 behavioral30
- Target
  
  f3ef636642aed1dd87c2fc6ee6307e36.exe
- Size
  
  89KB
- MD5
  
  f3ef636642aed1dd87c2fc6ee6307e36
- SHA1
  
  72e007f5a29963808e9fdcfecdf2024838373d43
- SHA256
  
  d04269233c1dae486565f17a4e83c5f89463e8f070d1e91a2c9f736278bbb62f
- SHA512
  
  24af2746679a052e7842e5ab46007c470349163fa97e6e485b49b9d8e7eb8e9720b97e84b6b21f085b7f16868607110cb51ee93e2730703a153fe105ce912560
- SSDEEP
  
  768:XLq411eRpcnuo3jlvK/ikbDztVbFQ3WnAohKIn5:XLq4feRWuo35RwtzQ3WnAohKIn
Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral31 behavioral32