Incident Investigation Report: XLMRat — Tracing a Multi-Stage AsyncRAT Delivery Chain

Platform: CyberDefenders Challenge: XLMRat
Category: Malware Analysis / Network Forensics
Difficulty: Medium
Tools: Wireshark, CyberChef, VirusTotal, Static Code Analysis
Achievement: Proof of Completion

1. Executive Summary

Incident Type: Multi-Stage Malware Delivery / Remote Access Trojan

Malware Family: AsyncRAT (via XLM macro delivery chain)

A compromised endpoint was flagged for unusual outbound network traffic on a non-standard port. Forensic analysis of the captured PCAP revealed a sophisticated multi-stage delivery chain: an XLM macro dropper retrieved a disguised PowerShell script (mdm.jpg) from an external VPS over port 222. The script performed process hollowing into RegSvcs.exe — a legitimate Windows binary — to deploy AsyncRAT entirely in memory, leaving no traditional executable artifact. Three persistence files were also dropped to disk to guarantee re-execution across reboots.

CyberDefenders XLMRat Lab overview page showing category Malware Analysis, tools Wireshark and CyberChef, and the scenario describing suspicious network traffic from a compromised host.

Indicators of Compromise (IOCs)

| Type | Indicator | Description |
|---|---|---|
| Staging Server | 45.126.209.4:222 | VPS hosting mdm.jpg payload on non-standard port |
| Payload URL | http://45.126.209.4:222/mdm.jpg | Initial malware download |
| Hosting Provider | ReliableSite.Net LLC | VPS provider used for staging |
| Payload SHA-256 | 1eb7b02e18f67420f42b1d94e74f3b6289d92672a0fb1786c30c03d68e81d798 | AsyncRAT final payload hash |
| Malware Family | AsyncRAT | Backdoor:MSIL/AsyncRat.A2786761 |
| Compile Timestamp | 2023-10-30 15:08:44 UTC | PE metadata from VirusTotal |
| Injected Process | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | LOLBin used for process hollowing |
| Dropped Files | Conted.ps1, Conted.bat, Conted.vbs | Persistence files in C:\Users\Public\ |

MITRE ATT&CK Mapping Overview

| Tactic | Technique | ID |
|---|---|---|
| Execution | PowerShell | T1059.001 |
| Execution | XLM Macros | T1059.005 |
| Defense Evasion | Process Hollowing | T1055.012 |
| Defense Evasion | Masquerading (mdm.jpg) | T1036.002 |
| Defense Evasion | Living Off the Land — RegSvcs.exe | T1218.009 |
| Persistence | Boot Autostart — VBS/BAT | T1547.001 |
| Command & Control | Non-Standard Port (222) | T1571 |

2. Phase 1: Network Triage — Identifying the Staging Server (Questions 1 & 2)

Objective: Analyze the PCAP to identify the initial malware download URL and profile the hosting infrastructure.

Opening the PCAP in Wireshark and filtering for HTTP traffic immediately surfaces an anomalous GET request. The compromised host made an outbound connection on port 222 — not the standard port 80 or 443 — to retrieve a file named mdm.jpg.

Wireshark PCAP with HTTP filter applied, showing GET request from the compromised host to 45.126.209.4:222 to download mdm.jpg, followed by the 200 OK response delivering the payload.

Despite the .jpg extension — a classic masquerading technique to bypass extension-based filtering and deceive analysts at first glance — this is not an image file. The Content-Type header and the subsequent analysis confirm that it is a PowerShell script.

Querying 45.126.209.4 against OSINT and IP lookup tools reveals that the staging server was hosted by ReliableSite.Net LLC — a VPS provider frequently abused by threat actors for its permissive hosting policies and resistance to takedown requests.

Answer Q1

What is the URL of the initial malware staging server?

http://45.126.209.4:222/mdm.jpg

Answer Q2

What is the name of the hosting company for the malicious IP?

reliablesite.net


3. Phase 2: Static Code Analysis — Deobfuscating the Payload (Questions 3, 4 & 5)

Objective: Extract the AsyncRAT payload from the obfuscated mdm.jpg script, generate its hash, and identify the malware family and compile timestamp.

The mdm.jpg script contains two large hexadecimal arrays: $hexString_pe (the loader/injector) and $hexString_bbb (the actual AsyncRAT payload). Underscore delimiters separate the hex values — a trivial obfuscation that requires a Find/Replace pass before decoding.

Deobfuscated PowerShell payload from mdm.jpg showing the two hex-encoded arrays ($hexString_pe and $hexString_bbb) and the reflective loading logic that injects the payload into a suspended RegSvcs.exe process.

XLM macro source file (xlm.txt) containing an obfuscated character array that reconstructs the staging URL at runtime to evade static detection signatures.

Using CyberChef, the workflow to extract the hash is:

  1. Extract the $hexString_bbb content
  2. Apply Find/Replace to remove underscore delimiters
  3. Apply From Hex to convert to raw bytes
  4. Apply SHA-256 to generate the cryptographic hash

CyberChef recipe showing Find/Replace to strip underscore delimiters, followed by From Hex conversion, followed by SHA-256 hash generation — yielding the payload's fingerprint: 1eb7b02e...

Querying this hash on VirusTotal returns a detection ratio of 60 out of 72 vendors. Alibaba’s signature — Backdoor:MSIL/AsyncRat.A2786761 — confirms the malware family. The Details tab in VirusTotal surfaces the PE compilation timestamp embedded by the developer.

VirusTotal detection page for the AsyncRAT payload hash showing 60/72 vendor detections, Alibaba classification as Backdoor:MSIL/AsyncRat.A2786761, and community tags identifying this as AsyncRAT.

VirusTotal Details tab showing PE metadata for the AsyncRAT sample, including compilation timestamp of 2023-10-30 15:08:44 UTC.

Answer Q3

What is the SHA-256 hash of the malware executable?

1eb7b02e18f67420f42b1d94e74f3b6289d92672a0fb1786c30c03d68e81d798

Answer Q4

What is the malware family identified by Alibaba?

AsyncRAT

Answer Q5

What is the malware’s creation timestamp?

2023-10-30 15:08:44


4. Phase 3: Process Hollowing — Identifying the LOLBin (Question 6)

Objective: Identify the legitimate Windows binary that the loader targets for process hollowing to achieve stealthy execution.

The loader script contains a critical file path, but it is obfuscated using hash characters (#) inserted throughout the string — a simple but effective technique to defeat string-based static detection:

CyberChef Find/Replace recipe with a regex pattern stripping the hash character obfuscation from the file path string, revealing C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe.

After stripping the hashes, the target binary is revealed: RegSvcs.exe — the .NET COM+ Component Services Registrar. This is a legitimate, Microsoft-signed utility that is part of the .NET Framework. The malware launches RegSvcs.exe in a suspended state, then injects the AsyncRAT payload into its memory space using process hollowing. Security tools monitoring process names see a recognized Microsoft binary making network connections — far less suspicious than an unknown .exe.
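The decoding workflow from Phase 2 (strip the underscore delimiters, From Hex, SHA-256) and the hash-character stripping from this phase, written out as an added Python helper that is not part of the original write-up. The script text, the hex bytes and the variable name $tgt are constructed stand-ins for mdm.jpg, not the real sample:

```python
import hashlib
import re

# Constructed sample mimicking the layout of mdm.jpg (not the real script):
# underscore-delimited hex arrays and a '#'-interleaved file path.
SAMPLE_SCRIPT = r'''
$hexString_pe = "4D_5A_90_00_03_00_00_00"
$hexString_bbb = "4D_5A_90_00_03_00_00_00_04_00_00_00_FF_FF_00_00"
$tgt = "C:\Win#dows\Micro#soft.NET\Frame#work\v4.0.30319\Reg#Svcs.exe"
'''

def extract_string_var(script: str, name: str) -> str:
    """Return the double-quoted value assigned to PowerShell variable $name."""
    m = re.search(r'\$' + re.escape(name) + r'\s*=\s*"([^"]*)"', script)
    if not m:
        raise KeyError(f"variable ${name} not found")
    return m.group(1)

def decode_hex_array(s: str) -> bytes:
    """CyberChef steps 2-3: drop the '_' delimiters (and whitespace), then From Hex."""
    return bytes.fromhex(re.sub(r"[_\s]", "", s))

def sha256_hex(data: bytes) -> str:
    """CyberChef step 4: SHA-256 fingerprint to pivot into VirusTotal."""
    return hashlib.sha256(data).hexdigest()

def strip_hash_obfuscation(s: str) -> str:
    """Remove the '#' characters inserted into the LOLBin path."""
    return s.replace("#", "")

def looks_like_pe(data: bytes) -> bool:
    """Sanity check: a real PE payload starts with the 'MZ' DOS header."""
    return data[:2] == b"MZ"

def carve(script: str) -> dict:
    """Run the whole workflow over a script and summarise what was recovered."""
    payload = decode_hex_array(extract_string_var(script, "hexString_bbb"))
    return {
        "payload_len": len(payload),
        "is_pe": looks_like_pe(payload),
        "sha256": sha256_hex(payload),
        "target": strip_hash_obfuscation(extract_string_var(script, "tgt")),
    }

if __name__ == "__main__":
    for key, value in carve(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

On the real mdm.jpg the same steps should reproduce the SHA-256 reported in Answer Q3; the MZ check catches the common mistake of hashing the still-delimited text instead of the decoded bytes.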

Analyst Note: Living-Off-the-Land binaries (LOLBins) like RegSvcs.exe are a cornerstone of modern malware defense evasion. Application whitelisting that only checks binary signatures is insufficient — behavioral monitoring for RegSvcs.exe making outbound network connections to non-Microsoft IPs should be an automatic alert.

Answer Q6

What is the full path of the LOLBin abused for process hollowing?

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe


5. Phase 4: Persistence Artifacts (Question 7)

Objective: Identify the files dropped to disk for persistence beyond the in-memory execution.

While the primary AsyncRAT payload is executed in memory via process hollowing, the bottom half of the mdm.jpg script contains routines writing auxiliary files to disk. Using [IO.File]::WriteAllText, it drops three files into C:\Users\Public\:

PowerShell code from mdm.jpg using IO.File.WriteAllText to drop Conted.ps1, Conted.bat, and Conted.vbs into the C:\Users\Public\ directory, establishing a persistence chain.

VBScript content of Conted.vbs using WScript.Shell.Run with the vbHide constant to silently execute Conted.bat on system startup, completing the persistence chain.

The execution chain is: Conted.vbs uses WScript.Shell.Run with vbHide (window hidden) to launch Conted.bat, which in turn executes Conted.ps1 — the PowerShell persistence re-runner. This guarantees AsyncRAT survives reboots without requiring user interaction.

Answer Q7

What are the three files dropped for persistence?

Conted.ps1, Conted.bat, Conted.vbs


6. Conclusion

The XLMRat investigation demonstrates a sophisticated multi-stage malware delivery chain designed to evade detection at every stage. Key findings:

  1. Initial Stage: XLM macro dropped mdm.jpg — a disguised PowerShell script — from a VPS on port 222 (non-standard port to bypass proxy inspection).
  2. Obfuscation: Hex arrays with underscore delimiters and hash-character path obfuscation required manual CyberChef decoding.
  3. Execution: Process hollowing into the trusted RegSvcs.exe LOLBin for completely memory-resident execution.
  4. Persistence: Three files (Conted.vbs/bat/ps1) dropped to C:\Users\Public\ for guaranteed re-execution.
  5. Payload: AsyncRAT — a full-featured Remote Access Trojan capable of keylogging, screen capture, file transfer, and lateral movement.

Key Takeaways for the SOC:

  1. Never trust file extensions: mdm.jpg was a PowerShell script. Implement MIME type validation at the web proxy layer to catch disguised payloads regardless of extension.
  2. Non-standard ports are a detection opportunity: Port 222 outbound from a workstation should generate an immediate alert. Deploy egress filtering with strict allowlisting.
  3. LOLBins require behavioral context: RegSvcs.exe making outbound TCP connections to non-Microsoft IPs is highly anomalous. Monitor process behavior, not just process names.
  4. Multi-stage analysis is essential: Network (Wireshark) → Static Code → Hash Intelligence (VirusTotal) → Behavioral (dropped files) is the correct investigative sequence for this class of threat.
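The first three takeaways as an added Python triage example, not code from the original post. The telemetry events, the egress port allowlist and the LOLBin list are constructed assumptions, and the LOLBin rule flags any outbound connection from RegSvcs.exe rather than checking whether the destination IP belongs to Microsoft:

```python
# Constructed telemetry (not from the lab PCAP): two HTTP download events and
# two process-network events, modelled on what a proxy log and an EDR would
# record for the XLMRat chain plus one benign baseline of each kind.
EVENTS = [
    {"kind": "http", "src": "10.0.0.5", "dst": "45.126.209.4", "dport": 222,
     "method": "GET", "uri": "/mdm.jpg", "body_head": b"$hexString_pe = \"4D_5A"},
    {"kind": "http", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 443,
     "method": "GET", "uri": "/logo.jpg", "body_head": b"\xff\xd8\xff\xe0JFIF"},
    {"kind": "proc_net", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "dst": "45.126.209.4", "dport": 222},
    {"kind": "proc_net", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst": "10.0.0.9", "dport": 443},
]

ALLOWED_WEB_PORTS = {80, 443, 8080}          # assumption: the org's egress allowlist
IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
               ".png": (b"\x89PNG",), ".gif": (b"GIF87a", b"GIF89a")}
LOLBINS = {"regsvcs.exe", "regasm.exe"}      # assumption: binaries that never need egress

def extension_mismatch(uri: str, body_head: bytes) -> bool:
    """True when the URI claims an image type but the response bytes do not match."""
    ext = uri.rsplit(".", 1)[-1].lower() if "." in uri else ""
    magics = IMAGE_MAGIC.get("." + ext)
    return magics is not None and not body_head.startswith(magics)

def triage(events) -> list:
    """Return (rule, detail) alerts for the takeaways: port, extension, LOLBin."""
    alerts = []
    for e in events:
        if e["kind"] == "http":
            if e["dport"] not in ALLOWED_WEB_PORTS:
                alerts.append(("non_standard_port", f'{e["dst"]}:{e["dport"]}'))
            if extension_mismatch(e["uri"], e["body_head"]):
                alerts.append(("extension_mismatch", e["uri"]))
        elif e["kind"] == "proc_net":
            name = e["image"].rsplit("\\", 1)[-1].lower()
            if name in LOLBINS:
                alerts.append(("lolbin_egress", f'{name} -> {e["dst"]}:{e["dport"]}'))
    return alerts

if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"ALERT {rule}: {detail}")
```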

Analysis Date: April 8, 2026
Analyst: El OMARI Zakaria

This post is licensed under CC BY 4.0 by the author.