asyncrat | bf73489935f2d196e04d1eb012f3c8ab16263fb3d005aac58d63322313db1186 | Triage

Submit
Reports

Overview

overview

Static

static

1

Playit Free.bat

windows10-2004-x64

Sharing

General

Target

Playit Free.bat
Size

292KB
Sample

240704-ql932sxdpp
MD5

2bac01a226b5c7b08de93311ab9905d5
SHA1

48144153d2ca3d9cc7e27506b3d1923c9d80cc7a
SHA256

bf73489935f2d196e04d1eb012f3c8ab16263fb3d005aac58d63322313db1186
SHA512

96f50b01f8c69befabbb307c5e4b58e304ec5d8339c9cca4bf927add6ec9f912ca4c87f5e13ec3c34737e47a7ab35d15de32c4b8b84c11e05dccfc9b5ce3f7f6
SSDEEP

6144:JLbgUUyQ6VV3W7bmjOk8Cl/iZYwD6rjwY+H+4hjhphHCxsu:JLbgPyQ6z3DOERkDUIHLlJu

Score

10^/10

asyncrat xworm default execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

Playit Free.bat

Resource

win10v2004-20240508-en

asyncrat xworm default execution rat trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

super-nearest.gl.at.ply.gg:17835

best-bird.gl.at.ply.gg:27196

wiz.bounceme.net:6000

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

finally-grande.gl.at.ply.gg:25844

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Playit Free.bat
- Size
  
  292KB
- MD5
  
  2bac01a226b5c7b08de93311ab9905d5
- SHA1
  
  48144153d2ca3d9cc7e27506b3d1923c9d80cc7a
- SHA256
  
  bf73489935f2d196e04d1eb012f3c8ab16263fb3d005aac58d63322313db1186
- SHA512
  
  96f50b01f8c69befabbb307c5e4b58e304ec5d8339c9cca4bf927add6ec9f912ca4c87f5e13ec3c34737e47a7ab35d15de32c4b8b84c11e05dccfc9b5ce3f7f6
- SSDEEP
  
  6144:JLbgUUyQ6VV3W7bmjOk8Cl/iZYwD6rjwY+H+4hjhphHCxsu:JLbgPyQ6z3DOERkDUIHLlJu
Score

10^/10

asyncrat xworm default execution rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

asyncratxwormdefaultexecutionrattrojan

© 2018-2024

Terms | Privacy