asyncrat | ee6dc82f435a2224bcc30034bb5c5827d4470078f5238bf2f6e5a5023528d24f | Triage

Submit
Reports

Overview

overview

Static

static

1

wininit.bat

windows10-2004-x64

Sharing

General

Target

wininit.bat
Size

292KB
Sample

240704-yrjr2sydkg
MD5

cf1da3f20349f15bfacf7c271d60684c
SHA1

ad4a58069d800ca900c5752929aa92d5d87fe3c7
SHA256

ee6dc82f435a2224bcc30034bb5c5827d4470078f5238bf2f6e5a5023528d24f
SHA512

8743be3187c9a080cc8fb6ec7243ff98f3d157c4e884503045bc56b0d042ef9a81a127c92a8f80d00b899f3e92c11f9877bd3bdf6c7eeb863d1bb503830cdccd
SSDEEP

6144:OFJjDy7sYeIK8ODi9szVwhTvSPOk07BuYfZ2YIOXi/COBNFfIsqJW:OFZSsV88ERrSP+7EQ20QFwJW

Score

10^/10

asyncrat xworm default execution ransomware rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

wininit.bat

Resource

win10v2004-20240704-en

asyncrat xworm default execution ransomware rat trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

super-nearest.gl.at.ply.gg:17835

best-bird.gl.at.ply.gg:27196

wiz.bounceme.net:6000

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

finally-grande.gl.at.ply.gg:25844

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  wininit.bat
- Size
  
  292KB
- MD5
  
  cf1da3f20349f15bfacf7c271d60684c
- SHA1
  
  ad4a58069d800ca900c5752929aa92d5d87fe3c7
- SHA256
  
  ee6dc82f435a2224bcc30034bb5c5827d4470078f5238bf2f6e5a5023528d24f
- SHA512
  
  8743be3187c9a080cc8fb6ec7243ff98f3d157c4e884503045bc56b0d042ef9a81a127c92a8f80d00b899f3e92c11f9877bd3bdf6c7eeb863d1bb503830cdccd
- SSDEEP
  
  6144:OFJjDy7sYeIK8ODi9szVwhTvSPOk07BuYfZ2YIOXi/COBNFfIsqJW:OFZSsV88ERrSP+7EQ20QFwJW
Score

10^/10

asyncrat xworm default execution ransomware rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

Resource Development

Reconnaissance

Tasks

static1

behavioral1

asyncratxwormdefaultexecutionransomwarerattrojan

© 2018-2024

Terms | Privacy