XLMRat Writeup
XLMRat (AsyncRAT) — Network Forensics Writeup
Scenario
A compromised machine was flagged due to suspicious network traffic.
The objective of this analysis is to investigate the attack method, identify malicious payloads, and trace the timeline of events.
We focus on how the attacker gained access, the tools and techniques used, and the malware’s post-compromise behavior.
Q1) The attacker successfully executed a command to download the first stage of the malware.
What is the URL from which the first malware stage was installed?
Answer:
The attacker executed an obfuscated PowerShell command to download the first stage of the malware. Analysis of the initial script (xlm.txt) revealed the download location: the command requested the resource /mdm.jpg from the server 45.126.209.4 on port 222.
Although the extension was .jpg, the file actually contained an executable payload disguised as an image.
This is a common tactic used to bypass simple content filters.
Malware Stage 1 URL: http://45.126.209.4:222/mdm.jpg
Q2) Which hosting provider owns the associated IP address?
Answer:
This question asks for the hosting provider (ISP) associated with the IP address: Reliablesite.net
Q3) By analyzing the malicious scripts, two payloads were identified: a loader and a secondary executable. What is the SHA256 of the malware executable?
Analysis of the downloaded file mdm.jpg revealed two payloads: a loader and a secondary executable.
After deobfuscation, the executable files were extracted and hashed.
Answer:
The SHA256 hash of the extracted malware executable is:
1eb7b02e18f67420f42b1d94e74f3b6289d92672a0fb1786c30c03d68e81d798
This hash matches samples identified as AsyncRAT on public malware repositories.
Q4) What is the malware family label based on Alibaba?
Answer:
AsyncRat
Q5) What is the timestamp of the malware’s creation?
Answer:
Q6) Which LOLBin is leveraged for stealthy process execution in this script? Provide the full path.
The attacker leveraged the RegSvcs.exe binary. In the script its path is obfuscated with hashtag characters; after replacing them, the path reads as follows:
Answer:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
This is a Living-off-the-Land Binary (LOLBIN) often abused to run malicious assemblies.
By relying on a signed Microsoft binary, the attacker attempted to evade process-based detection.
Q7) The script is designed to drop several files. List the names of the files dropped by the script.
Answer:
The malware dropped several helper scripts to maintain execution:
- Conted.ps1
- Conted.bat
- Conted.vbs
These files were used to reinvoke PowerShell, execute the payload, and establish persistence across reboots.
Summary of Findings
The sample belongs to the AsyncRAT family.
AsyncRAT is a Remote Access Trojan (RAT) that provides attackers with the ability to remotely control infected systems.
Its capabilities include keylogging, file transfer, remote shell execution, screen capture, and persistence mechanisms.
It is widely used due to its open-source availability and flexibility.
- Initial Access: Obfuscated PowerShell command downloaded the first-stage payload (mdm.jpg) from http://45.126.209.4:222.
- Payload Hash: 1eb7b02e18f67420f42b1d94e74f3b6289d92672a0fb1786c30c03d68e81d798.
- Execution: Abused RegSvcs.exe (LOLBIN) for stealthy execution.
- Dropped Files: Conted.ps1, Conted.bat, Conted.vbs.
- C2 Server: 45.126.209.4:222.
- Malware Family: AsyncRAT.
This analysis highlights how attackers use obfuscated PowerShell, disguised payloads, and LOLBIN abuse to establish and maintain control over compromised systems.
Documenting the infection chain and IOCs is essential for SOC teams to improve detection and response.
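The triage steps above (stripping the hashtag obfuscation from the loader, pulling out the download URL, LOLBin path and dropped file names, and checking whether the "image" is really a PE before hashing it) can be scripted. The following is an added example written for this writeup, not code from the challenge or from the malware; the sample script is constructed to resemble the loader, and the assumption that the obfuscation is literal '#' characters inserted into strings is the author's reading of "replacing the hashtag".

```python
import hashlib
import re

# Constructed sample resembling the obfuscated loader described in the writeup.
# Assumption: the obfuscation inserts '#' characters inside strings, so removing
# them reveals the real URL, LOLBin path and dropped file names.
SAMPLE_SCRIPT = r"""
$u = 'ht#tp://45.126.2#09.4:222/mdm.j#pg'
$p = 'C:\Wind#ows\Microsoft.NET\Fra#mework\v4.0.30319\RegSv#cs.exe'
Set-Content -Path "$env:ProgramData\Conted.ps1" -Value $x
Set-Content -Path "$env:ProgramData\Conted.bat" -Value $y
Set-Content -Path "$env:ProgramData\Conted.vbs" -Value $z
"""

URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?/[\w.\-/]*")
LOLBIN_RE = re.compile(r"[A-Za-z]:\\\S*?\\RegSvcs\.exe", re.IGNORECASE)
DROP_RE = re.compile(r"\\(\w+\.(?:ps1|bat|vbs))\b")


def deobfuscate(script: str) -> str:
    """Remove the inserted '#' characters that split the strings apart."""
    return script.replace("#", "")


def extract_indicators(script: str) -> dict:
    """Deobfuscate the loader and collect URLs, LOLBin paths and dropped files."""
    clean = deobfuscate(script)
    return {
        "urls": sorted(set(URL_RE.findall(clean))),
        "lolbins": sorted(set(LOLBIN_RE.findall(clean))),
        "dropped": sorted(set(DROP_RE.findall(clean))),
    }


def triage_payload(data: bytes, claimed_name: str) -> dict:
    """Hash a downloaded file and flag an image-named file that is really a PE."""
    is_pe = data[:2] == b"MZ"          # PE files start with the MZ DOS header
    looks_image = claimed_name.lower().endswith((".jpg", ".jpeg", ".png"))
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": is_pe,
        "disguised": is_pe and looks_image,
    }


if __name__ == "__main__":
    print(extract_indicators(SAMPLE_SCRIPT))
    # Constructed stand-in for a downloaded mdm.jpg that is actually a PE.
    print(triage_payload(b"MZ\x90\x00" + b"\x00" * 60, "mdm.jpg"))
```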