General
-
Target
TV06KSFYOU_002_PDF.vbs
-
Size
577KB
-
Sample
220927-ygp63secf9
-
MD5
92be06b804449682d272f3afc76aca5f
-
SHA1
f575b8712aa0f0720b6ad981ca8bbe682badd1d8
-
SHA256
e596d827af9b25d8348caffa981f5ef4a6ea88bfcfb35e5a5d2d337d6bf90aa9
-
SHA512
09b067ad4507a7efbd075a3d8400e63627d62d4bf9e542fb527755eac71240e556ae9b4f45e408e2b4d9dfe42688c18b9dd0a4007ca23dc77d8d16449808068c
-
SSDEEP
96:vHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHA:cKLosxvRG
Malware Config
Extracted
| Language | ps1 |
| Deobfuscated |
|
| URLs |
ps1.dropper
http://20.7.14.99/dll/dll_ink.pdf |
Extracted
| Family |
asyncrat |
| Version |
0.5.7B |
| Botnet |
Default |
| C2 |
petersonsherian7.duckdns.org:6739 petersonsherian7.duckdns.org:7301 petersonsherian7.duckdns.org:7808 petersonsherian7.duckdns.org:8333 |
| Attributes |
delay 3
install false
install_folder %AppData% |
| aes.plain |
|
Targets
-
-
Target
TV06KSFYOU_002_PDF.vbs
-
Size
577KB
-
MD5
92be06b804449682d272f3afc76aca5f
-
SHA1
f575b8712aa0f0720b6ad981ca8bbe682badd1d8
-
SHA256
e596d827af9b25d8348caffa981f5ef4a6ea88bfcfb35e5a5d2d337d6bf90aa9
-
SHA512
09b067ad4507a7efbd075a3d8400e63627d62d4bf9e542fb527755eac71240e556ae9b4f45e408e2b4d9dfe42688c18b9dd0a4007ca23dc77d8d16449808068c
-
SSDEEP
96:vHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHA:cKLosxvRG
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation