asyncrat | 760f5ddd00760be411967d77224b29a48e00e1eed0e978ba4017979595d1637e

Sharing

General

Target

archive_24.zip
Size

203.5MB
Sample

250322-gx1jbayzfx
MD5

beaa6f85fd6af6623ee04a9a1619d711
SHA1

9fa083b7ca68b271adfa1c8126c221e0512e7bcb
SHA256

760f5ddd00760be411967d77224b29a48e00e1eed0e978ba4017979595d1637e
SHA512

a1b946249de8ea0cce140c56d1496f80bbb4a80c3a93adbc69b362b790b6acf9a2ccb29ffa097491ab508e320c4b1e814b618d27c4251513055758d524923900
SSDEEP

3145728:aQya5qXjhZT4Z5l1TNnsYfkBOePGSUdxLbG9FWqLnveUrvOQ8ZlW/MXN2eCgkGt5:Wa5MZMLNniXGSQtb4jzveIpx0XYehkGD

Score

10^/10

Malware Config

Extracted

Family

xworm

147.185.221.27:2926

probably-giants.gl.at.ply.gg:5628

many-bolivia.gl.at.ply.gg:3891

Mutex

gNUymsZlOwOSH86A

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

aes.plain

Extracted

Family

xworm

Version

5.0

127.0.0.1:1603

morning-ultimately.gl.at.ply.gg:1603

Mutex

nbqMp6kQB9OaOMSH

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Rats

45.137.70.108:6125

Mutex

ozbvhdycvmudlrbji

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Boy12345#

Targets

- Target
  
  63bc6776b78545b5e68372b858dc903b.exe
- Size
  
  1.0MB
- MD5
  
  63bc6776b78545b5e68372b858dc903b
- SHA1
  
  4df37b73a59c731986795a5fe98ea17ce02ce60c
- SHA256
  
  91b1c3a1d7fc7cbaa49733458716c2f8bd61975b26804480f10888828b3065a8
- SHA512
  
  3e6295a4847adfddee6380a065e28119f021d3ae0efdc33d9bbf18e9e069f8a90f4bd60450f4964945afe86709624497e89bb471ea3aa1650b7e18a078631241
- SSDEEP
  
  12288:iz7IFjvelQypyfy7z6u7+4DvbMUsIGoji1:iz0FfMz6TEbMUske1
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  641434cfae2a1d91473c0acaa431299740a85fa7008a30e2cfa100dba19e4a75.exe
- Size
  
  1.9MB
- MD5
  
  75fb0392f18c15fad9c774931e0d9958
- SHA1
  
  100648ec8d8a1e7929dcba0d3bd40967879feb3f
- SHA256
  
  641434cfae2a1d91473c0acaa431299740a85fa7008a30e2cfa100dba19e4a75
- SHA512
  
  707a0b0eaca939144f2f22bc76d030f6365a51fb4a295d5a17674420c910a71b68ddea6153bfc75a873f86d142ef02a085d019c2f363a3f3e4a280aaceefec32
- SSDEEP
  
  24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD
Score

10^/10

defense_evasion execution trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  642fefb64c917e4bfd08481bb0727b0c.exe
- Size
  
  34KB
- MD5
  
  642fefb64c917e4bfd08481bb0727b0c
- SHA1
  
  17dad311c85853e4592769d15508d5fd562c8f21
- SHA256
  
  7c4df939396840b23f105b1bf45333f1f382adbbfc886f930e8e1f0384291e3a
- SHA512
  
  aa192797b25be45469e359602ba24837d967fc04e4cafc136998a4b7c39452a7227a481a7792e9af68bd81a5be8bf0e82cf304d50c9e9ba70a3d17a78edc86f1
- SSDEEP
  
  768:tVMy/GVquW7DizR4oa5Ooi/OQFyH9K16WO/h1bEs:LioDS4OoAJFa9K16WO/nEs
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral5 behavioral6
- Target
  
  6433ad2b9da636f9059c27cf6a0f9a59.exe
- Size
  
  53KB
- MD5
  
  6433ad2b9da636f9059c27cf6a0f9a59
- SHA1
  
  3a9c70803025518d0b2087b730ce68b4b3a753ac
- SHA256
  
  82ad7e4d268a738b7c2ad5f1a621af79444ab5f7c63a894e074e1ad306ce31bc
- SHA512
  
  29ce144a51ed0fff5d9f1fb85a9df1238d7b4e4648034245c9a0bbe6e06d45a989645dab5f72d2a1040a7aea074f7de86b1f95a7405b628a802b4039d948ae6b
- SSDEEP
  
  768:FnfiTGjiKEuwrv0UfYm6F2yyVrbmpJQvrS51thJOd82o9Zesp2:Fn6TGBETP6cbbmpJQTStbOc90sp2
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral7 behavioral8
- Target
  
  64402f0d8e48be50cf9751b33f85d1c0.exe
- Size
  
  5.9MB
- MD5
  
  64402f0d8e48be50cf9751b33f85d1c0
- SHA1
  
  4f8de3bc5101be29cd10a767de05a8d2dc3c6988
- SHA256
  
  3ce38013669a1e91dc5222723bfc954c695fc08a3efa33bbe99076a9608efc64
- SHA512
  
  6e697cd890a95e87761ab0ac6e818a90980d1a0d2e80e03d77d29888a852d671e82210f05b0adba780db46be4f7af966eb2abf7372972ccfaf7355a8f7e651f7
- SSDEEP
  
  98304:xyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4C:xyeU11Rvqmu8TWKnF6N/1wb
Score

10^/10

dcrat defense_evasion execution infostealer rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10 behavioral9
- Target
  
  6443d92f8c4431775845dd6d68d6cdeab6453cd51c27f917256b59ea5503dbff.exe
- Size
  
  402KB
- MD5
  
  1239250e00e12134114d4e2db1a01919
- SHA1
  
  21703d663fc91ba5df42436f5ed882723916041c
- SHA256
  
  6443d92f8c4431775845dd6d68d6cdeab6453cd51c27f917256b59ea5503dbff
- SHA512
  
  4703ac430a44bc943b92a9b80877407df50c0e02ab687eb9d3c8b483ba1f8dc0774bc36fd26fe1c36e0c9960a6ca16dc88fa0506f82d0ccb883255d964fe1f79
- SSDEEP
  
  6144:78AVcrit0NZuJl1e6VlWT8b9vb+zE1P78doDbG5/4/1V1hQ:78A+GhPVle8Ezbdoup4tV1hQ
Score

10^/10

persistence privilege_escalation
- Modifies WinLogon for persistence
  persistence
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral11 behavioral12
- Target
  
  647ab91c9355e42a7d39ffda3cedfa52.exe
- Size
  
  49KB
- MD5
  
  647ab91c9355e42a7d39ffda3cedfa52
- SHA1
  
  ec60b03c8aa7adcb87ea27dc41e1e919cdbc8f86
- SHA256
  
  a7239f12650ce4e8cff961805c83b26c66385ada6060016ec5b5355c103a4153
- SHA512
  
  680f0fb91ff4ef63a4381c6c0c1abc3d3996753ed9ff59c8754aac941ae3a8648e7129781bb98168ef208360c66660d7589d5756542e8f6773ef9e62f44028e1
- SSDEEP
  
  768:FCnWZWFTwL7wuikj4ey3aIKKbpxhgiEDXbOfC18kE1Gb3k:FOpwLV9ITpxETbOqE1Gb3k
Score

10^/10

defense_evasion evasion persistence privilege_escalation trojan
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- Modifies Windows Defender notification settings
  defense_evasion trojan
- Modifies firewall policy service
  defense_evasion
- Modifies security service
  defense_evasion
- UAC bypass
  defense_evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Identifies Xen via ACPI registry values (likely anti-VM)
  defense_evasion
- Disables Task Manager via registry modification
  defense_evasion
- Disables use of System Restore points
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Checks whether UAC is enabled
  defense_evasion trojan
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Modifies Security services
  Modifies the startup behavior of a security service.
  defense_evasion
behavioral13 behavioral14
- Target
  
  64a6177287d88d0d420ed321ca3a7a447d4458564f7297262bfa96b77107e6fd.exe
- Size
  
  16.4MB
- MD5
  
  f7006f7accfd64461d34036e94147f14
- SHA1
  
  d8b53e88fd1aad097a69172a190e9ab3718198c4
- SHA256
  
  64a6177287d88d0d420ed321ca3a7a447d4458564f7297262bfa96b77107e6fd
- SHA512
  
  43252c0ff39762d427759f5086c05c7d6f751562584f36cf99d83aaf5db6d52a64838ca93a8c96efc239889775063c9ba3e7b2d9102ea4a2664d41196f663f1c
- SSDEEP
  
  196608:hPcX6QqOyjr2LF3Ye6YmnwqdU142UkZG7xKO/:s1cjSLFoBYmn5U1P1ZG7xK
Score

1^/10
behavioral15 behavioral16
- Target
  
  64cb9bc958e235b6acb2da12523bf9bf.exe
- Size
  
  40KB
- MD5
  
  64cb9bc958e235b6acb2da12523bf9bf
- SHA1
  
  8facc54749df5a9495e8605d65272f6cda6200c2
- SHA256
  
  dfa909b7780dc7b12edb7524fc475488631133dbd13254ba612c5454806cdda8
- SHA512
  
  003d9877531e4bdccec05367ed0af18fdae7832711c685f7fabfc1aa2c8e1b58e233140ef286f0881d6b4f97cd1a67dacd50bef43725147664b20e1711b5e977
- SSDEEP
  
  768:sKMUQPak9okQgn4MUy2AbxkE9JX4h7XVLwa4CO1cFRhW2sIPvWhPR3:VMUBFgF2EkEvXo7twaX+cFRhW2sMv8PN
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  64d77182d5d559f24eac8d7dc728bb9a.exe
- Size
  
  78KB
- MD5
  
  64d77182d5d559f24eac8d7dc728bb9a
- SHA1
  
  80d3c4c71adfb2a675b2322d4fad6122c4c0ff11
- SHA256
  
  93cddead5db08cea0170a9ab0cab8cab6dadce110c8e0b2a013c050a0b4a818b
- SHA512
  
  24e3982c0b1928c2641d92fe22cbe4ead35aff1e547b949901cceb45e48f12e29fb8903cb20e3077fbcf87f4e322456a651b3e5a3a204e0cdf8ca66417cb11ac
- SSDEEP
  
  1536:esHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtx9/61Jj:esHY53Ln7N041Qqhgx9/q
Score

10^/10

metamorpherrat discovery persistence rat stealer trojan
- MetamorpherRAT
  Metamorpherrat is a hacking tool that has been around for a while since 2013.
  trojan rat stealer metamorpherrat
- Metamorpherrat family
  metamorpherrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
behavioral19 behavioral20
- Target
  
  64f4533af02b80feba9bf2a759275bb2.exe
- Size
  
  2.0MB
- MD5
  
  64f4533af02b80feba9bf2a759275bb2
- SHA1
  
  5742cba7372f6d888288492813ce951414c96d6c
- SHA256
  
  446dfecee4d61e90d0396ef508095580bd470f1df0e981e97bdff80e8da8f61a
- SHA512
  
  9e820e85076b895c4c809af8ef5443d01e4d64da904c1b588d3ea8379e39dfc6008228902d06d7121695089c711d5a7d45cf52157f21b05bc118465e6b871d72
- SSDEEP
  
  49152:brYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:bdxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral21 behavioral22
- Target
  
  650411faaa2265f31bf28d4276b14f82.exe
- Size
  
  33KB
- MD5
  
  650411faaa2265f31bf28d4276b14f82
- SHA1
  
  63c4c561a957bcaf4633e945335b7cf4410d8629
- SHA256
  
  cdffc95f20ed3bd37d611caad27f25f5992633952cf778c8dc077c072be0ea0e
- SHA512
  
  759180a8e6678b726f8940b31860ef73fee44676827d4dda1c99692ed046d38ecc7071ef8f9c84f9f5facfab49622bdb37c88f9568dad7e1298837f460b5f664
- SSDEEP
  
  384:RfP/SG1aTTcPTEUV75LC2SM42pfL3iB7OxVqWqKRApkFXBLTsOZwpGN2v99IkuiR:R11weF3X42JiB70lVF49j6OjhUbc
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
behavioral23 behavioral24
- Target
  
  65099e4d1aa799000e529ebfb194fca3.exe
- Size
  
  7.9MB
- MD5
  
  65099e4d1aa799000e529ebfb194fca3
- SHA1
  
  2138fa1dea5f14a60aa187a8a7e4420f33071517
- SHA256
  
  4962734497a69d1a6ed08dd33ee7d855703b0fecea58d77cfb4974a43974d865
- SHA512
  
  a1494b92d296d58b1f6b87a6c17884fa32b9cac458e0f7299ee1aba19c4171f0376bb9c0c666788798587e34151ff7a43777ca3fdb355b7cf59c1c81f8d5b159
- SSDEEP
  
  196608:+9sGLbd7rEWWn87E3QeotSqrG8YqcIXcZZBW:+mqbhrEbn87eZsFmq+y
Score

7^/10
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
behavioral25 behavioral26
- Target
  
  6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
- Size
  
  1.9MB
- MD5
  
  6b2fc4f837857e149b08e54742b10c30
- SHA1
  
  b5cca5b8fd192a47b21f1521c883d8aa91a36ce2
- SHA256
  
  6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3
- SHA512
  
  208c6534ce6c3ee3bc9457b5404ee58b1114138eb585ef33071a73347f3c93175944fb5a207f1e4543a3457bcbbc55834b4c1e4c96a14b80a46b0f9bb054cc02
- SSDEEP
  
  24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD
Score

10^/10

defense_evasion execution trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
behavioral27 behavioral28
- Target
  
  656d9295309f4be629d6be73cbe53495b77b1a0cfc3a693e73de5ef3b39700ab.exe
- Size
  
  689KB
- MD5
  
  d80726631dddc649282d06db3bf84ef8
- SHA1
  
  861fe7cba4f80722099c80d70cfe21e63c04c7fb
- SHA256
  
  656d9295309f4be629d6be73cbe53495b77b1a0cfc3a693e73de5ef3b39700ab
- SHA512
  
  458be954fce15f30592c980c461557424b972bd7e518a09acdc961089f1e6d9c9aec3af01eb37f4aa03f3089c10e028f5c0826fdbed7ed94a4d69e91d504da4c
- SSDEEP
  
  6144:VtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rCCR:H6u7+487IFjvelQypyfy7CCR
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral29 behavioral30
- Target
  
  65720da539dfc37aaa5a4ae46f696cb1.exe
- Size
  
  84KB
- MD5
  
  65720da539dfc37aaa5a4ae46f696cb1
- SHA1
  
  efb7e5c2d58fa730104bcbdcf4671338512c8b3f
- SHA256
  
  98f400fbda00f5ebe20726c6b9162c903133abce2a89649c845911d40590ecef
- SHA512
  
  b40d1021bae811f6f425b09ecb3613364729e8583be91288b97fdc5609c5c1d944be53134c2d9d6ab0adb67a852e92d7f60a5e38c2416aee1bc9f392497567c2
- SSDEEP
  
  1536:drqA8L50XtbAvu6lSb+zd82CWt6hyFsTP3OtWdxRYZ8Gbdq5:dqaRlb+p82CbT3OtWdxRnG85
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral31 behavioral32