Overview

overview

10

Static

static

1

huh.wsf

windows7-x64

8

huh.wsf

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    huh.wsf

  • Size

    78KB

  • Sample

    231012-k8bk4scd79

  • MD5

    3afe73cfaffd88fe0f1deb6a8a2c133a

  • SHA1

    eb6bdbe0f846465c3ca1da7fb0828f67fde33c45

  • SHA256

    43f0058eddf17e193f8168c7800dbe5754ec2a5b0f505fccca161895a850e56c

  • SHA512

    f16d295d84b4c2cd1b26f1e3c5b84153ac202849bc25f56f955a914665bf7baabcd6ef4b5a7118c6ea3356443e8d5f4d55a19483f542624a25f91504b73f1c85

  • SSDEEP

    1536:DGJGJ1GJ1GJ1GJIGJ11GJGJ1GJSGJGJ1GJ1GJ1GJoaWEGJGJ1GJ1GJ1GJlGJGJ1t:DGJGJ1GJ1GJ1GJIGJ11GJGJ1GJSGJGJ1

Score
10/10
asyncratdraxrat

Malware Config

Extracted

Family

asyncrat

Version

2022 | Edit 3LOSH RAT

Botnet

DRAX

C2

itskmc.run.place:6606

itskmc.run.place:7707

itskmc.run.place:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      huh.wsf

    • Size

      78KB

    • MD5

      3afe73cfaffd88fe0f1deb6a8a2c133a

    • SHA1

      eb6bdbe0f846465c3ca1da7fb0828f67fde33c45

    • SHA256

      43f0058eddf17e193f8168c7800dbe5754ec2a5b0f505fccca161895a850e56c

    • SHA512

      f16d295d84b4c2cd1b26f1e3c5b84153ac202849bc25f56f955a914665bf7baabcd6ef4b5a7118c6ea3356443e8d5f4d55a19483f542624a25f91504b73f1c85

    • SSDEEP

      1536:DGJGJ1GJ1GJ1GJIGJ11GJGJ1GJSGJGJ1GJ1GJ1GJoaWEGJGJ1GJ1GJ1GJlGJGJ1t:DGJGJ1GJ1GJ1GJIGJ11GJGJ1GJSGJGJ1

    Score
    10/10
    asyncratdraxrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks