asyncrat | 1bc1a8f37e99916432c45d0793edb90034223cd77004eb182c23f8a3328fc2f3 | Triage

Submit
Reports

Overview

overview

Static

static

1

Custom Browser.cmd

windows10-2004-x64

Sharing

General

Target

Custom Browser.cmd
Size

292KB
Sample

240704-vz54gazfjk
MD5

fd8aea3cd998330750841e3ecdac4e19
SHA1

c395986291831a1bcbdee268bb52dc8351e2d071
SHA256

1bc1a8f37e99916432c45d0793edb90034223cd77004eb182c23f8a3328fc2f3
SHA512

17c00003e52d486b58f1d0fc730bd132b799715169cd2360eeea74a2d92d98fc4c5b8cb00fe29a6c94d2a2401cfcc895a9ec1072eb1f256a6201de33c57644b2
SSDEEP

6144:OTJjDy7sYeIK8ODi9szVwhTvSPOk07BuYfZ2YIOXi/COBNFfIsqJW:OTZSsV88ERrSP+7EQ20QFwJW

Score

10^/10

asyncrat xworm default execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

Custom Browser.cmd

Resource

win10v2004-20240611-en

asyncrat xworm default execution rat trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

super-nearest.gl.at.ply.gg:17835

best-bird.gl.at.ply.gg:27196

wiz.bounceme.net:6000

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

finally-grande.gl.at.ply.gg:25844

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Custom Browser.cmd
- Size
  
  292KB
- MD5
  
  fd8aea3cd998330750841e3ecdac4e19
- SHA1
  
  c395986291831a1bcbdee268bb52dc8351e2d071
- SHA256
  
  1bc1a8f37e99916432c45d0793edb90034223cd77004eb182c23f8a3328fc2f3
- SHA512
  
  17c00003e52d486b58f1d0fc730bd132b799715169cd2360eeea74a2d92d98fc4c5b8cb00fe29a6c94d2a2401cfcc895a9ec1072eb1f256a6201de33c57644b2
- SSDEEP
  
  6144:OTJjDy7sYeIK8ODi9szVwhTvSPOk07BuYfZ2YIOXi/COBNFfIsqJW:OTZSsV88ERrSP+7EQ20QFwJW
Score

10^/10

asyncrat xworm default execution rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

asyncratxwormdefaultexecutionrattrojan

© 2018-2024

Terms | Privacy