asyncrat | 453b93a211b664c8be6ad43c584a9c4e3781ea9e51c3d9d598b4cd9719fcb7c6 | Triage

Sharing

General

Target

Downloads.rar
Size

1.4MB
Sample

230325-k9fw8aca64
MD5

8e4150faf7e109bb27bae81ee77e2593
SHA1

6544b682bb420ae6a0922906b90c0fe2851650e3
SHA256

453b93a211b664c8be6ad43c584a9c4e3781ea9e51c3d9d598b4cd9719fcb7c6
SHA512

94ba63c6da0825b75ec75645b1a897daeee1beab171d55c9eed45f072e4333d777156509794b1d6425fcfdeda789a2c13fb22cd13dfa737e36c3694f949aba3c
SSDEEP

24576:oDADPbxO1WFjaO9dqSF0oalGCbkXECIdxGMvMIYtbZ57gKrlPT+:oDOPbxO1WFuO9NuGCgXKFMvp7ZBT+

Score

10^/10

asyncrat vjw0rm wshrat default persistence rat trojan upx worm

Malware Config

Extracted

Family

wshrat

C2

http://smile4u.webredirect.org:4242

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

120.78.151.171:6658

Mutex

bbbanchun

Attributes

delay
10
install
false
install_file
flash.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  9e98c04e777e77b1498f4b3447b6221d.js.vir
- Size
  
  3.5MB
- MD5
  
  9e98c04e777e77b1498f4b3447b6221d
- SHA1
  
  00a23c268459816d8fe5d46bda86a36f06e0c374
- SHA256
  
  39e57f5e8da66eb93df1bf017348f3cc3007e3acfe568a846d420ea76fdd43b3
- SHA512
  
  e5cb2b6f79474e70cb807b4a26af782a328038e52d2e28e6640269026c91c97ff40d3b98e6a156410339b4e53b538d256d0b554013bb78ce88ec1dc010d889d5
- SSDEEP
  
  24576:mOEJFi25vJDMJ7Ukw2QaaRn1xWl1TUPZAO2OR1X1S8DlF5y0d5tQtiTWyXE7D/Ag:6ZMf
Score

10^/10

vjw0rm wshrat persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  c72d738747f68d4f8d9e9368e47928bf.js.vir
- Size
  
  9.2MB
- MD5
  
  c72d738747f68d4f8d9e9368e47928bf
- SHA1
  
  00b523b2e3ab0f2bfd7d4aabf3b1c33ae390c585
- SHA256
  
  06b94b3ec86bd4a61888848f379808954de1ff2a1fe471edcfa312f5e9ba2ab5
- SHA512
  
  1a01baa0c813b928cf5dfe456f76acdcf9be0e0df8a6131e248f9aa5456c65a69cb9809efe56afc4db32cfeeb93ca42e3319f1e53689ba4ed23b77911b802c61
- SSDEEP
  
  3072:gNK8RjR/R8x/xqm2O1IrWa7Mjv/GnOv3GmPLjCKKIz9vs2J96i/OBDVOdz83Pm7+:I
Score

10^/10

vjw0rm trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
behavioral3 behavioral4
- Target
  
  cc03a8f9433b57e4ea8a87544dde5470.exe.vir
- Size
  
  35KB
- MD5
  
  cc03a8f9433b57e4ea8a87544dde5470
- SHA1
  
  d44e2e33aa3f7780db64ece0483958b87b063a75
- SHA256
  
  8688a4bb898f17009992f83072b5c5a3a60e9e552a95002470e1c2f885563fbd
- SHA512
  
  50ac102923a0eb17f27c24ca1528fd03258eef549448bfe6e4b7d91c57a2e0a2b4c8eb2a7018afca875f547b9d12c2d5e046755edef55301be9dcd6632d5fdce
- SSDEEP
  
  768:tTRSgQ0ZZeIYVudX6nHs+Y5nXq0AZ7yx6tWLrx7GR4:t1peKT5Xq0s6GWLr9q4
Score

10^/10

asyncrat default rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
behavioral5 behavioral6
- Target
  
  eb6af295c348f16f2361cbe96fdc3bcb.exe.vir
- Size
  
  549KB
- MD5
  
  eb6af295c348f16f2361cbe96fdc3bcb
- SHA1
  
  70a3ab96557fb23d306e1cf4ad809e88866b2051
- SHA256
  
  b6e51307f7707d56e7b698aa432f429b1ea504a71fa406e8e4276efa8d62aeeb
- SHA512
  
  b2681641d6ea34f12b2b79dcd81f0c22109f66d162f63787c3ec58eaa4af33f202b7fa19807b3414b55546e06c1230ffc8367e51f1d39f9f96cc63e07f06de3c
- SSDEEP
  
  12288:wO/lcNkfv7X2HhTUok0e7VJgGRGLKjrd+nvjIiykW43gpz4zBEQ1Kcoeli9ibHp:wKlcNGvkWXgGRGL6hS933gx4uBcPz
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral7 behavioral8

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vjw0rmwshratpersistencetrojanworm

behavioral2

vjw0rmwshratpersistencetrojanworm

behavioral3

vjw0rmtrojanworm

behavioral4

vjw0rmtrojanworm

behavioral5

asyncratdefaultrat

behavioral6

behavioral7

behavioral8