General

  • Target

    05b3bf6811ebca3880e7a4c75bccc713fc4af3a533f1d661d7716abbe5cbecf3.zip

  • Size

    2KB

  • Sample

    220921-s6ffaagfa8

  • MD5

    defc9f7ddceed5e8b78049d56f220952

  • SHA1

    e8cba1ab755228c6ad92a3d58a7cb2884affe038

  • SHA256

    c650a5727d372d25dd460ff48c9ed5d08e35edd152d7c8b35753bf9124553881

  • SHA512

    79719d7fe6e46e511052fe3274fceddfddd430f158cc99cf8080c63a786174f39e74b897ec303814b706aa9131d752ce9b6247d516275efb98e04aeddd5d60d9

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

lolonew4

C2

lolojako.con-ip.com:333

Mutex

AsyncMutex_6SI8OkPnk

Attributes

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Statement.VBS

    • Size

      5KB

    • MD5

      f35cec6db6c00fe6c98c0d1f30874c0f

    • SHA1

      42f87c24d0cbaf6b320bc587162da90c5ce2cd8a

    • SHA256

      50b759a1f2074bd5501dd26cee6514a6ee426c0015c32af8874a94e54a32ef60

    • SHA512

      4d7a8207b497bfa0151b97a736d58375e822ef968b3006f3cf50dc270c41471fb5a5438ddab20e86f693d5a21e44eee02e2329868a1de3fe368ead1cb8829240

    • SSDEEP

      96:y80pnWj8El9mM8koQhpAVw4ZLkuMtmN75GUogpy+CztzwzNvyLovLUFkoA2CzhYk:spWXl0VTqCmOLk/tmN75egVIozUF62nk

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Async RAT payload

    • Blocklisted process makes network request

    • Registers COM server for autorun

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks