General
Target: Required-document.vbs
Size: 59KB
Sample: 220227-qlyd9adefp
MD5: a3b2efc3e12c3dd4f6c343d8e768a01c
SHA1: 72cdb5d6fd134ec0920cb8b4342adf0e3a961025
SHA256: 1836bc14a38837046d3937aef05eee266da919d296cfab066317b0db4ba48d21
SHA512: 089140d2a092c8737aea06e959e06d674addba76a2be4114540a9616d450f5890d888624fcf73129e16801c97a5bd1be39544ccacb26e7f471f25b860f4b3e03
Static task: static1
Behavioral task: behavioral1
  Sample: Required-document.vbs
  Resource: win7-20220223-en
Behavioral task: behavioral2
  Sample: Required-document.vbs
  Resource: win10v2004-en-20220112
Malware Config
Extracted: http://ec2-3-235-29-66.compute-1.amazonaws.com/wrold/LM.txt
Extracted: http://ec2-3-235-29-66.compute-1.amazonaws.com/windows/Filnal.txt
Extracted: http://ec2-3-235-29-66.compute-1.amazonaws.com/test/AAA.txt
Extracted (vjw0rm): http://invoice-update.myiphost.com:1188
Targets
Target: Required-document.vbs
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- Async RAT payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext