
# XLMRat Lab — Malware Analysis and Network Forensics

**Category:** Network Forensics\
**Difficulty:** Easy\
**Estimated Time:** \~30 minutes

**MITRE ATT\&CK Tactics:**

* **Execution (T1204, T1059)**
* **Defense Evasion (T1218, T1027)**

### 🎯 Objective

Analyze captured network traffic to identify malware delivery methods, reverse-engineer the obfuscated script, and trace attacker techniques using MITRE ATT\&CK. Emphasis is placed on:

* LOLBin-based stealth execution
* Reflective code loading
* Script deobfuscation
* Identifying persistence mechanisms

### 📂 Initial Analysis

The `.pcap` file, once extracted using the password `cyberdefenders.org`, revealed HTTP traffic leading to a suspicious file download. Inspection using **Wireshark** isolated the following suspicious request:

```
GET /mdm.jpg HTTP/1.1
Host: 45.126.209.4:222
```

#### ✅ Q1: Malware Download URL

```
http://45.126.209.4:222/mdm.jpg
```

***

### 🏢 IP Attribution

Running the IP `45.126.209.4` through VirusTotal and WHOIS pointed to the hosting provider:

#### ✅ Q2: Hosting Provider

```
reliablesite.net
```

***

### 🔍 Payload & SHA256

Two payloads were identified:

* A .NET loader
* A secondary executable

Using **CyberChef** to decode the embedded hex blobs and analyzing the extracted binary on **VirusTotal**, we get:

#### ✅ Q3: SHA256 of Malware

```
1eb7b02e18f67420f42b1d94e74f3b6289d92672a0fb1786c30c03d68e81d798
```

***

### 🧬 Malware Family Attribution

VirusTotal tagged the binary under several AV engines. **Alibaba’s** label classified it as:

#### ✅ Q4: Malware Family

```
AsyncRat
```

***

### 📅 Timestamps

Looking into the executable's PE headers (via PowerShell or `pefile.py`), the compile timestamp was extracted as:

#### ✅ Q5: Malware Creation Timestamp

```
2023-10-30 15:08
```
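As an added example (not the lab's own tooling), the same compile timestamp can be read without `pefile` by walking the DOS header to the COFF file header; the PE bytes below are a constructed stub carrying the lab's answer as its stamp, not the real sample's header:

```python
import struct
from datetime import datetime, timezone

def pe_compile_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    Layout (PE/COFF spec): the DOS header stores the offset of the PE
    signature at 0x3C (e_lfanew); the 20-byte COFF file header follows
    the signature, and TimeDateStamp is the DWORD at offset 4 inside it.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    ts = struct.unpack_from("<I", data, e_lfanew + 4 + 4)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def compile_time_string(data: bytes) -> str:
    """Same value in the lab's answer format (YYYY-MM-DD HH:MM, UTC)."""
    return pe_compile_timestamp(data).strftime("%Y-%m-%d %H:%M")

def build_minimal_pe(timestamp: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed sample: DOS header + PE signature + COFF header with the
    given TimeDateStamp. Enough for header parsing, not a loadable binary."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff

# 1698678480 is 2023-10-30 15:08:00 UTC, the lab's answer, used here only as
# the constructed stub's stamp.
LAB_STAMP = 1698678480

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(LAB_STAMP)
    print(compile_time_string(blob))
```

TimeDateStamp is attacker-controllable and some toolchains (MSVC with `/Brepro`, for example) write a reproducible-build hash there instead of a time, so treat it as a lead to corroborate, not as ground truth.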

***

### 🧨 Stealthy Execution via LOLBin

The deobfuscated PowerShell script showed the payload being reflectively loaded and run through `RegSvcs.exe`. This .NET binary is a known **LOLBIN**, abused for stealthy execution of .NET payloads because it is a signed Microsoft utility that lives under the Framework directory.

#### 🔍 Analyzing the Script

Here's a cleaned version of the relevant PowerShell:

```powershell
# $Fu is the .NET assembly the script loaded reflectively earlier on
$NK = $Fu.GetType('NewPE2.PE')      # resolve the loader's PE class
$MZ = $NK.GetMethod('Execute')      # reflection handle to its Execute method
# path of the LOLBin the loader runs the payload through
$NA = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
```

* `$NA` becomes:

  ```
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  ```

This path points to **`RegSvcs.exe`**, a legitimate .NET utility used to register .NET assemblies.

#### ✅ Q6: LOLBin Used

```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
```
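From the defender's side, the pattern above (a script host handing control to `RegSvcs.exe` with no assembly to register) is what a T1218.009 detection keys on. The following is an added example, not part of the lab, run over constructed process-creation records with Sysmon-style fields:

```python
import ntpath
from dataclasses import dataclass

REG_TOOLS = {"regsvcs.exe", "regasm.exe"}          # T1218.009 binaries
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe"}            # parents worth questioning

@dataclass
class ProcessEvent:
    """Fields as found in a process-creation record (Sysmon Event ID 1 style)."""
    image: str
    parent_image: str
    command_line: str

def basename(path: str) -> str:
    return ntpath.basename(path).lower()

def assess(ev: ProcessEvent) -> list:
    """Return the reasons this event looks like RegSvcs/RegAsm abuse (empty if none)."""
    reasons = []
    tool = basename(ev.image)
    if tool not in REG_TOOLS:
        return reasons
    parent = basename(ev.parent_image)
    if parent in SCRIPT_HOSTS:
        reasons.append(f"{tool} spawned by script host {parent}")
    # Legitimate use registers an assembly, so the command line carries a
    # path after the executable; a bare invocation is the abuse pattern.
    if len(ev.command_line.strip().split(maxsplit=1)) < 2:
        reasons.append(f"{tool} started without an assembly argument")
    return reasons

def scan(events) -> list:
    return [(basename(e.image), reason) for e in events for reason in assess(e)]

# Constructed sample events (not taken from the lab capture).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
                 r"C:\Program Files\Vendor\setup.exe",
                 r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "C:\Program Files\Vendor\Comp.dll"'),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"[!] {image}: {reason}")
```

The vendor installer in the second event is the benign baseline: same binary, but an ordinary parent and an assembly path on the command line, so it produces no finding.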

***

### 📎 Dropped Artifacts & Persistence

The script dropped three files to `C:\Users\Public\` for persistent execution:

* `Conted.ps1` — main PowerShell payload
* `Conted.bat` — batch loader with stealth flags
* `Conted.vbs` — VBS wrapper to run `.bat` silently

Scheduled Task “**Update Edge**” was created to run `Conted.vbs` every 2 minutes.

#### ✅ Q7: Dropped Files

```
Conted.ps1, Conted.bat, Conted.vbs
```
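A task like "Update Edge" is easy to spot once its XML definition is exported (or pulled from `C:\Windows\System32\Tasks`): a script in `C:\Users\Public` on a two-minute repetition. The triage below is an added example, not the lab's code; the task XML is a constructed sample in the Task Scheduler schema, and `wscript.exe` as the launching command is an assumption:

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"(?i)C:\\Users\\(?:Public|[^\\]+\\AppData)\\|%(?:TEMP|TMP|APPDATA)%")
SCRIPT_FILE = re.compile(r"(?i)\.(?:vbs|bat|cmd|ps1|js)\b")
MAX_BENIGN_MINUTES = 5  # repetition tighter than this is rarely legitimate

def interval_minutes(iso_duration: str):
    """Parse the ISO 8601 duration used in <Interval>, e.g. PT2M or PT1H30M."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso_duration or "")
    if not m or not any(m.groups()):
        return None
    h, mi, s = (int(g) if g else 0 for g in m.groups())
    return h * 60 + mi + s / 60

def triage_task(xml_text: str) -> dict:
    """Return the task name, its repetition interval and a list of findings."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=NS)
    findings = []
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS)
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        launched = f"{cmd} {args}"
        if USER_WRITABLE.search(launched):
            findings.append("runs content from a user-writable directory")
        if SCRIPT_FILE.search(launched):
            findings.append("launches a script file")
    mins = interval_minutes(interval)
    if mins is not None and mins <= MAX_BENIGN_MINUTES:
        findings.append(f"repeats every {mins:g} min ({interval})")
    return {"name": name, "interval": interval, "findings": findings}

# Constructed sample shaped like the lab's "Update Edge" task. Exported task
# files are UTF-16 with an XML declaration; parse real ones with ET.parse(path).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Update Edge</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <StartBoundary>2023-10-30T15:10:00</StartBoundary>
    <Repetition><Interval>PT2M</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>wscript.exe</Command>
    <Arguments>C:\Users\Public\Conted.vbs</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(triage_task(SAMPLE_TASK_XML))
```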

***

### 🛡️ MITRE ATT\&CK Mapping

| Tactic              | Technique            | Details                                   |
| ------------------- | -------------------- | ----------------------------------------- |
| **Execution**       | `T1059`, `T1204`     | PowerShell, script execution              |
| **Defense Evasion** | `T1218.009`, `T1027` | RegSvcs (LOLBIN), obfuscated script blobs |
| **Persistence**     | `T1053.005`          | Scheduled Task (Update Edge)              |

***

### ✅ Conclusion

This lab simulated a real-world AsyncRAT delivery using script obfuscation, LOLBin abuse, and scheduled tasks for persistence. It provided an excellent scenario for learning:

* Network traffic analysis
* Payload reconstruction
* LOLBAS exploitation
* Persistence mapping

Highly recommended for anyone learning Windows-based malware behaviors or blue team response.

