General

  • Target

    W092.vbs

  • Size

    1KB

  • Sample

    210814-1r8jqg5hf6

  • MD5

    eaecbd393f2fffd8522e5d4c7b8b6f7d

  • SHA1

    6a9ac84f1c4778cf41ef45b2906919f99a06acf5

  • SHA256

    414a79e6c87489cb73e9176e867d554788a28ba86cb4e00f3f8fed15400999bd

  • SHA512

    8c24cf0f221c9de102adbfc21f3f762a06b4041963534021ffa7ba4174e149577adb00425066157c9257c3a0f407490754bf58090f8da9096cbe8970b57a42ae

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://transfer.sh/1T8qkDx/ko.txt

Extracted

Family

asyncrat

Version

0.5.7B

C2

asyncpc.duckdns.org:6650

asyncpc.duckdns.org:9034

asyncpc.duckdns.org:6890

asyncpc.duckdns.org:7829

13.77.222.211:6650

13.77.222.211:9034

13.77.222.211:6890

13.77.222.211:7829

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    PYYzntkVFJfMofAe4qQYi6HmHf8Kj3BT

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    asyncpc.duckdns.org,13.77.222.211

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    6650,9034,6890,7829

  • version

    0.5.7B

aes.plain

Targets

    • Target

      W092.vbs

    • Size

      1KB

    • MD5

      eaecbd393f2fffd8522e5d4c7b8b6f7d

    • SHA1

      6a9ac84f1c4778cf41ef45b2906919f99a06acf5

    • SHA256

      414a79e6c87489cb73e9176e867d554788a28ba86cb4e00f3f8fed15400999bd

    • SHA512

      8c24cf0f221c9de102adbfc21f3f762a06b4041963534021ffa7ba4174e149577adb00425066157c9257c3a0f407490754bf58090f8da9096cbe8970b57a42ae

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • BitRAT Payload

    • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

      suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

      suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • Async RAT payload

    • Blocklisted process makes network request

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks