General
- Target: Memory.vbs
- Size: 2.9MB
- Sample: 230430-m1swjahd99
- MD5: dc41ef27fd74ade70d62e7bfcbbe2de2
- SHA1: e8282edf1205c6cfccef3cdf41ea4303a45c5745
- SHA256: ad9a2790803eb17a4e3977c514c4ca98e520cb38f00f8103ee5f2cc1ed209b47
- SHA512: ae779c4b20616e92080ba02167b1105d73a001bbf612efadbe7b84be355918f6aa1d582e7ae45478d84d8349651db99efd36b4545a85334e5945382c90875d36
- SSDEEP: 1536:khTJiTSxGdQkVHgnlUTCAmTzZQXEXtXX8XZXDKcZtDRRj7aqDfR/wyihW9Qk2vSj:C6uECAm0wyihW9Qk2vSk8BtaN8wRnX5W
Static task: static1
Behavioral task: behavioral1
- Sample: Memory.vbs
- Resource: win7-20230220-en
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: 95.214.24.134:1911
- C2: 95.214.24.134:1912
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 5
- install: false
- install_folder: %AppData%
Targets
- Target: Memory.vbs
Signatures
- Async RAT payload
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Suspicious use of SetThreadContext