General
- Target: W092.vbs
- Size: 1KB
- Sample: 210814-1r8jqg5hf6
- MD5: eaecbd393f2fffd8522e5d4c7b8b6f7d
- SHA1: 6a9ac84f1c4778cf41ef45b2906919f99a06acf5
- SHA256: 414a79e6c87489cb73e9176e867d554788a28ba86cb4e00f3f8fed15400999bd
- SHA512: 8c24cf0f221c9de102adbfc21f3f762a06b4041963534021ffa7ba4174e149577adb00425066157c9257c3a0f407490754bf58090f8da9096cbe8970b57a42ae
Static task
- static1
Behavioral task
- behavioral1
- Sample: W092.vbs
- Resource: win7v20210408
Malware Config
Extracted
- URL: http://transfer.sh/1T8qkDx/ko.txt
Extracted
- Family: asyncrat
- Version: 0.5.7B
- C2 endpoints:
  - asyncpc.duckdns.org:6650
  - asyncpc.duckdns.org:9034
  - asyncpc.duckdns.org:6890
  - asyncpc.duckdns.org:7829
  - 13.77.222.211:6650
  - 13.77.222.211:9034
  - 13.77.222.211:6890
  - 13.77.222.211:7829
- Mutex: AsyncMutex_6SI8OkPnk
- Config fields:
  - aes_key: PYYzntkVFJfMofAe4qQYi6HmHf8Kj3BT
  - anti_detection: false
  - autorun: false
  - bdos: false
  - delay: Default
  - host: asyncpc.duckdns.org,13.77.222.211
  - hwid: 3
  - install_file: (empty in report)
  - install_folder: %AppData%
  - mutex: AsyncMutex_6SI8OkPnk
  - pastebin_config: null
  - port: 6650,9034,6890,7829
  - version: 0.5.7B
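The config above gives the C2 as two comma-separated lists (two hosts, four ports) and the report's eight endpoints are exactly their cartesian product, so an analyst turning this into hunting artefacts should expand the product rather than pair the lists positionally. Note also that the config flag autorun is false while the behavioral signatures below include "Adds Run key to start application", so the config alone understates the persistence observed. The following Python is an added example, not part of the sandbox report or of AsyncRAT: it parses a constructed transcription of the config block, expands the endpoints, checks them against the report's list, separates domain and IP indicators, and emits Suricata DNS-query rules with a placeholder sid range (the sid values are assumptions).

```python
import re
from itertools import product

# Constructed transcription of the asyncrat config block in the report above
# (one "key value" pair per line; install_file is empty, as in the report).
CONFIG_TEXT = """
aes_key PYYzntkVFJfMofAe4qQYi6HmHf8Kj3BT
anti_detection false
autorun false
bdos false
delay Default
host asyncpc.duckdns.org,13.77.222.211
hwid 3
install_file
install_folder %AppData%
mutex AsyncMutex_6SI8OkPnk
pastebin_config null
port 6650,9034,6890,7829
version 0.5.7B
"""

# The eight C2 endpoints the report lists, used to cross-check the expansion.
REPORTED_ENDPOINTS = {
    "asyncpc.duckdns.org:6650", "asyncpc.duckdns.org:9034",
    "asyncpc.duckdns.org:6890", "asyncpc.duckdns.org:7829",
    "13.77.222.211:6650", "13.77.222.211:9034",
    "13.77.222.211:6890", "13.77.222.211:7829",
}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_config(text):
    """Turn 'key value' lines into a dict; a key with no value maps to ''."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg


def c2_endpoints(cfg):
    """Hosts and ports are independent comma-separated lists, so every
    host:port pairing is a candidate C2 endpoint (cartesian product)."""
    hosts = [h.strip() for h in cfg.get("host", "").split(",") if h.strip()]
    ports = [int(p) for p in cfg.get("port", "").split(",") if p.strip()]
    return sorted(f"{h}:{p}" for h, p in product(hosts, ports))


def hunting_artefacts(cfg):
    """Collect the config fields a detection engineer acts on."""
    hosts = [h.strip() for h in cfg.get("host", "").split(",") if h.strip()]
    return {
        "family": "asyncrat",
        "version": cfg.get("version", ""),
        "domains": sorted(h for h in hosts if not IPV4_RE.match(h)),
        "ips": sorted(h for h in hosts if IPV4_RE.match(h)),
        "endpoints": c2_endpoints(cfg),
        "mutex": cfg.get("mutex", ""),
        # install_file is empty in this report, so only the directory is known.
        "install_dir": cfg.get("install_folder", ""),
        "autorun_flag": cfg.get("autorun", "") == "true",
    }


def suricata_dns_rules(artefacts, first_sid=9000001):
    """One DNS-query rule per C2 domain; the sid range is a placeholder."""
    rules = []
    for i, domain in enumerate(artefacts["domains"]):
        rules.append(
            "alert dns any any -> any any "
            f'(msg:"AsyncRAT C2 domain lookup {domain}"; dns.query; '
            f'content:"{domain}"; nocase; sid:{first_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    art = hunting_artefacts(cfg)
    # The expansion must reproduce the report's endpoint list exactly.
    assert set(art["endpoints"]) == REPORTED_ENDPOINTS
    for key, value in art.items():
        print(f"{key}: {value}")
    print("\n".join(suricata_dns_rules(art)))
```

The IP endpoints are best matched on flow (dst IP and port) rather than DNS, and the mutex name is a host-side indicator; both are left in the artefact dict for whichever tooling consumes them.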
Targets
- Target: W092.vbs
- Size: 1KB
- MD5, SHA1, SHA256, SHA512: identical to the General section above
- Signatures:
  - BitRAT Payload
  - suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
  - suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
  - Async RAT payload
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext