General

Target: TWEASOPKSA_002_PDF.vbs
Size: 238KB
Sample: 220922-vtwylscae2
MD5: b757fcf7a0df8528178bf586a3d718ae
SHA1: 65394437dbbc8405b0a4b5c5e87bd1668f644d09
SHA256: 84f101fd1efbadf4f287849ae8dc6f09729f1741143b7465a4233599b9865624
SHA512: 908a583130bec368503d3a5ca62b7432d45910bc9adabd96da5310e38d5691a2c9bb9f71114c8a1270bf133d5324dec0afa819817fc85768d6c5cecaa9340119
SSDEEP: 48:sK0mjzlXJj5NzzBWsoMtssbs0Qs+PM/sq6OkZ9s3XEHDzzAA:sKDF9n0JMtswebE0DAsDoA
Static task: static1
Behavioral task: behavioral1
Sample: TWEASOPKSA_002_PDF.vbs
Resource: win7-20220901-en
Malware Config

Extracted: https://contadoreshbc.com/dll_startup

Extracted: asyncrat
Version: 0.5.7B
Botnet: Default
C2: ehjay2022.duckdns.org:6739
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Targets

Target: TWEASOPKSA_002_PDF.vbs
Size: 238KB
MD5: b757fcf7a0df8528178bf586a3d718ae
SHA1: 65394437dbbc8405b0a4b5c5e87bd1668f644d09
SHA256: 84f101fd1efbadf4f287849ae8dc6f09729f1741143b7465a4233599b9865624
SHA512: 908a583130bec368503d3a5ca62b7432d45910bc9adabd96da5310e38d5691a2c9bb9f71114c8a1270bf133d5324dec0afa819817fc85768d6c5cecaa9340119
SSDEEP: 48:sK0mjzlXJj5NzzBWsoMtssbs0Qs+PM/sq6OkZ9s3XEHDzzAA:sKDF9n0JMtswebE0DAsDoA
Signatures

- Async RAT payload
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Suspicious use of SetThreadContext
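The extracted configuration and the signatures above give a small, concrete set of host and network indicators: the download URL, the C2 host and port, the mutex name, and the sample's hashes. The following is an added example, not part of the sandbox report and not the analyzer's own code: it turns those values into a matcher that can be run over endpoint telemetry. The IOC values are copied from the report; the JSON-lines event shape, the sample events, the process names in them, and the decision to treat a bare destination port as a weak indicator are all assumptions made for the example. Note also that the config's `install` flag is `false` while the "Drops startup file" signature fired, which suggests any persistence comes from a stage other than the RAT's own installer, so a persistence hunt should not stop at `%AppData%`.

```python
"""IOC matcher for the AsyncRAT configuration extracted in the report above.

Added example, not code from the sandbox or the report. IOC values are taken
from the report; the telemetry format and the events are constructed here.
"""
import hashlib
import json
from urllib.parse import urlsplit

# Indicators lifted from the report's "Malware Config" and hash fields.
IOCS = {
    "c2_host": {"ehjay2022.duckdns.org"},
    "c2_port": {6739},
    "mutex": {"AsyncMutex_6SI8OkPnk"},
    "url": {"https://contadoreshbc.com/dll_startup"},
    "sha256": {"84f101fd1efbadf4f287849ae8dc6f09729f1741143b7465a4233599b9865624"},
}
# Design choice (assumption): a destination port on its own is only a weak
# indicator; every other category above is treated as strong.
WEAK = {"c2_port"}

# Constructed telemetry in a generic JSON-lines shape. These are not real logs
# and the process names are placeholders, not observations from the report.
SAMPLE_EVENTS = [
    '{"type":"dns","image":"wscript.exe","query":"ehjay2022.duckdns.org"}',
    '{"type":"net","image":"wscript.exe","dst":"203.0.113.10","dst_port":6739}',
    '{"type":"http","image":"sample.exe","url":"https://contadoreshbc.com/dll_startup"}',
    '{"type":"dns","image":"browser.exe","query":"example.com"}',
    '{"type":"mutex","image":"sample.exe","name":"AsyncMutex_6SI8OkPnk"}',
    '{"type":"file","image":"wscript.exe","sha256":"84f101fd1efbadf4f287849ae8dc6f09729f1741143b7465a4233599b9865624"}',
]


def match_event(event: dict) -> list[str]:
    """Return the IOC categories a single event hits (empty list if clean)."""
    hits = []
    if event.get("query") in IOCS["c2_host"]:
        hits.append("c2_host")
    if event.get("type") == "net" and event.get("dst_port") in IOCS["c2_port"]:
        hits.append("c2_port")
    if event.get("name") in IOCS["mutex"]:
        hits.append("mutex")
    url = event.get("url")
    if url:
        if url in IOCS["url"]:
            hits.append("url")
        # The C2 host can also show up as the host part of any URL.
        if urlsplit(url).hostname in IOCS["c2_host"]:
            hits.append("c2_host")
    if str(event.get("sha256", "")).lower() in IOCS["sha256"]:
        hits.append("sha256")
    return hits


def scan(lines) -> list[tuple[int, list[str]]]:
    """Scan JSON lines; return (line_index, hits) for every event with a hit."""
    results = []
    for i, line in enumerate(lines):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, not counted as a hit
        hits = match_event(event)
        if hits:
            results.append((i, hits))
    return results


def verdict(lines) -> str:
    """'confirmed' on any strong hit, 'suspicious' on weak hits only, else 'clean'."""
    hits = {h for _, hs in scan(lines) for h in hs}
    if hits - WEAK:
        return "confirmed"
    return "suspicious" if hits else "clean"


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a blob, for comparing a local file with the report."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def matches_report(data: bytes) -> bool:
    """True if the blob is the exact sample the report describes."""
    return file_hashes(data)["sha256"] in IOCS["sha256"]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
    print("verdict:", verdict(SAMPLE_EVENTS))
```

The host, URL, mutex and hash matches are exact-string checks, so they stay cheap over large feeds; the only parsing is `urlsplit`, used so that the C2 hostname is caught even when it appears inside a full URL rather than a DNS query. Against the constructed events the scan flags five of the six lines and the port-only event is the one that would not, by itself, raise the verdict above "suspicious".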