General

  • Target

    WorkScope Details.vbs

  • Size

    31KB

  • Sample

    220415-pffftaghhr

  • MD5

    0284695a0af70e045cf579e015ebbdf4

  • SHA1

    f0c20148cf96f0c81463e0224d80d4c67d7c1a04

  • SHA256

    78a742710aa79e0574a6faefecfaf851b64043889e75768f5de091cfc5a21dc0

  • SHA512

    6e54499711e1a0ee1ecd4679d7584027a424ba496d0bca868cc8e8d13d47097c4f0d65c0e4277c1457371b37e0c525a8ade33860cabd4e8869a438282af89e56

Malware Config

Extracted

Language

ps1

Deobfuscated URLs

ps1.dropper

https://textbin.net/raw/mevlbkxshp

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

rick63.publicvm.com:5900

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
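The extracted config above gives four indicators worth hunting for across a fleet: the PowerShell dropper URL, the C2 host and port, the mutex, and the sample's SHA256. The following is an added example, not part of the sandbox report: it matches those indicators against a few constructed telemetry lines whose "timestamp host event_type detail" layout is an assumption rather than any real log schema, and ranks hosts by how many distinct indicators they hit.

```python
import re

# Indicators copied from the extracted config and hashes in this report.
SAMPLE_SHA256 = "78a742710aa79e0574a6faefecfaf851b64043889e75768f5de091cfc5a21dc0"
DROPPER_URL = "https://textbin.net/raw/mevlbkxshp"
C2_HOST = "rick63.publicvm.com"
C2_PORT = 5900
MUTEX = "DcRatMutex_qwqdanchun"

# Constructed telemetry for illustration. The line format
# "<timestamp> <hostname> <event_type> <detail>" is an assumption, not a real log schema.
SAMPLE_EVENTS = [
    '2022-04-15T09:01:02Z WS01 process_create wscript.exe "WorkScope Details.vbs"',
    "2022-04-15T09:01:03Z WS01 http_get https://textbin.net/raw/mevlbkxshp",
    "2022-04-15T09:01:05Z WS01 mutex_create DcRatMutex_qwqdanchun",
    "2022-04-15T09:01:06Z WS01 net_connect rick63.publicvm.com:5900",
    "2022-04-15T09:01:07Z WS02 net_connect RICK63.publicvm.com:443",
    "2022-04-15T09:01:08Z WS03 http_get https://textbin.net/raw/unrelatednote",
    "2022-04-15T09:02:00Z WS04 file_hash 78A742710AA79E0574A6FAEFECFAF851B64043889E75768F5DE091CFC5A21DC0",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<type>\S+) (?P<detail>.*)$")


def classify(line):
    """Return (hostname, indicator_name) when a telemetry line matches an IOC, else None."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    host, etype, detail = m["host"], m["type"], m["detail"].strip()
    if etype == "net_connect":
        dst, sep, port = detail.rpartition(":")
        if sep and dst.lower() == C2_HOST:
            # Exact host:port from the config is the strongest indicator; the host
            # alone still matters because the operator can move ports on dynamic DNS.
            if port.isdigit() and int(port) == C2_PORT:
                return host, "asyncrat_c2"
            return host, "asyncrat_c2_host_other_port"
    elif etype == "http_get" and detail == DROPPER_URL:
        return host, "ps1_dropper_url"
    elif etype == "mutex_create" and detail == MUTEX:
        return host, "asyncrat_mutex"
    elif etype == "file_hash" and detail.lower() == SAMPLE_SHA256:
        return host, "sample_sha256"
    return None


def hunt(lines):
    """Group indicator hits by hostname, preserving the order they were observed in."""
    hits = {}
    for line in lines:
        r = classify(line)
        if r is not None:
            hits.setdefault(r[0], []).append(r[1])
    return hits


def rank(hits):
    """Order hosts by number of distinct indicators, strongest evidence first."""
    return sorted(hits, key=lambda h: (-len(set(hits[h])), h))


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for h in rank(results):
        print(h, sorted(set(results[h])))
```

Two caveats when turning this into a real hunt: the C2 is a dynamic-DNS hostname, so record the IP it resolved to at analysis time separately and treat the hostname as the durable indicator; and a mutex that looks like a builder default will match other builds from the same RAT toolkit, so it places a host at the family level, not this campaign, and should rank below a C2 host:port or dropper-URL hit.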

Targets

    • Target

      WorkScope Details.vbs

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Meta Stealer

      Meta Stealer is a C++ information stealer that harvests passwords stored in browsers.

    • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)

    • Async RAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Suspicious use of SetThreadContext
