Overview

overview

10

Static

static

10

XWorm-Rat-...er.exe

windows10-2004-x64

1

XWorm-Rat-...NC.exe

windows10-2004-x64

8

XWorm-Rat-...er.exe

windows10-2004-x64

1

XWorm-Rat-...UI.exe

windows10-2004-x64

10

XWorm-Rat-...ib.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XWorm-Rat-Remote-Administration-Tool--main.zip

  • Size

    5.0MB

  • Sample

    240628-ch78dsvhkf

  • MD5

    ed997c518b1affa39a5db6d5e1e38874

  • SHA1

    d0355de864604e0ba04d4d79753ee926b197f9cf

  • SHA256

    8a7d20fb5bc7ef8b02ab6e11ef78ebc0a31ba5376bd97d40fe5d1da521324556

  • SHA512

    50699cdd035c48e431102c703d7855dc85caa6feb7a7b34bdb23c7ccc298dbcc3ab261690c3dfb078451d3e299a0b037351edcbf54e79b6edaaacbf30ec68cb7

  • SSDEEP

    98304:7jsOrfOedjeCSFFEYhqox9mv7Ys7q2f2AIRUeIV1iwLZnnpha75mlf2:7jLSCSFFEYrbA77q2+BS5nLbEX

Score
10/10
asyncratdefagilenetexecutionpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

def

C2

37.18.62.18:8060

Mutex

era2312swe12-1213rsgdkms23

Attributes
  • delay

    1

  • install

    true

  • install_file

    CCXProcess.exe

  • install_folder

    %Temp%

aes.plain

Targets

    • Target

      XWorm-Rat-Remote-Administration-Tool--main/DisAsClaimer.exe

    • Size

      12KB

    • MD5

      f922206889c896cf2d86f21e9f9db7db

    • SHA1

      046b00f2edb34982db266d903627ced283f4a5ea

    • SHA256

      1ac4832667db7044b1077e447d587a14dcd1270e71b8d34157a77d515b61c4b3

    • SHA512

      abe82360ab14ed1e0c0c25da46a7558638671de1701e383b7a9bc122edecbc1eb13c760835a7e626a7d3ba326d4705acb53987e61d45332027913512befc4965

    • SSDEEP

      192:wLwX9CLPN0LjrJUMmYVY2aq3xWrhSaadrq8uSF3u:owNCLPN0/9UMme313UrhSJUSF

    Score
    1/10
    behavioral1

    • Target

      XWorm-Rat-Remote-Administration-Tool--main/XHVNC.exe

    • Size

      1.9MB

    • MD5

      4904329d091687c9deb08d9bd7282e77

    • SHA1

      bcf7fcebb52cad605cb4de65bdd077e600475cc7

    • SHA256

      e92707537fe99713752f3d3f479fa68a0c8dd80439c13a2bb4ebb36a952b63fd

    • SHA512

      b7ba131e9959f2f76aa3008711db9e6f2c4753a232140368be5c8388ab0e25154a31e579ef87fe01a3e4bc83402170bb9fbf242c6f01528455246b793e03fdfb

    • SSDEEP

      24576:CmErCsazef+APWb6+CILRbTcJiWevOIWr9Lrdl5p0WdaMCtGjC+Ub:CPF+CWb6+CILRncZe65rb5p0ehVCr

    Score
    8/10
    agilenetexecutionpersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral2

    • Target

      XWorm-Rat-Remote-Administration-Tool--main/XWorm-RAT-V2.1-builder.exe

    • Size

      3.2MB

    • MD5

      339b7f92641c0f5161731fc681aaeb3a

    • SHA1

      21d2d89e9ade90df638f33d314ac68e30f6aa52e

    • SHA256

      b6fb77dfd00695678b06ed122523a0b067077fe69113f395661cd3be748d9f7c

    • SHA512

      58e5ff1d92be52df114b7f060d700823dff9158ec765cf9b19ab9df0ace2669405467f49d1bd56ce04871683fbcbaace5976ebdbd1575490ff411333a3905134

    • SSDEEP

      24576:o08GeFzFDzPLDP8c1uAowyLQfB/eVjKIOQaBcM707ae8gpeJF+kR8YD2Y35/5Mb6:4/TjrHWKWDOQko29ueJsq8z

    Score
    1/10
    behavioral3

    • Target

      XWorm-Rat-Remote-Administration-Tool--main/XWormUI.exe

    • Size

      52KB

    • MD5

      0c2d61d64f4325ca752202e5bf792e9e

    • SHA1

      e7655910a124dd10beb774a693f7caccf849b438

    • SHA256

      d0dd06d26f09eed4755de33c63e29aeb8161cd9b0ca123af3474c5594df57ec1

    • SHA512

      1205a69419c38605e9a84200b1cc7731a3e169fae265dfc324a9edaf98bbc06f110bdf63d08f6b97d312cd0ce1fffe9ef8649f116ac27eb8b659ad88519d9c46

    • SSDEEP

      768:mqUR8bIL+Cyq+DiZtelDSN+iV08Ybygem++2O3vEgK/Jd/yVNNECVc6KN:mxIeZtKDs4zb1uBO3nkJIrqCVclN

    Score
    10/10
    asyncratdefrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat
    behavioral4

    • Target

      XWorm-Rat-Remote-Administration-Tool--main/dnlib.exe

    • Size

      12KB

    • MD5

      6967b97ce4ff4524883a196a97736275

    • SHA1

      6fdf2b9adc16b40a06bacc7db0abee917ef4abd3

    • SHA256

      e2bddf56324addac02678a7fd8d9c3da24ad55132883ad826a1a60eaf4e4a034

    • SHA512

      c71525d49e36975cb43535cff5176409163b14f53b644e3d161fd56f7514f0affbda051541a07d9af4cdc45a564dfad20a23584701499a0f03e531219c9f72be

    • SSDEEP

      192:zLlo6IXsbK9CLPN0LWyJUMmYVY2QQq33WrmRaadrq8uSF3:PljIeyCLPN0CUUMme3o3mrmRJUSF

    Score
    10/10
    asyncratdefrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Async RAT payload

      rat

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    behavioral5

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

4
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

5
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks