General

  • Target

    invoice#976542164311.wsf

  • Size

    59KB

  • Sample

    231116-zh55csfd47

  • MD5

    7cdd28a5731bf8172666651cdd542957

  • SHA1

    c1fd4c2ab361adc25f8494b7e3ad238f7db070e3

  • SHA256

    8a29a4ea9ef7b922eb5134e49c6427c1732ed277f8eee14c20262ad6ef8c4495

  • SHA512

    26446f986a1676a21b07fbb30abfb2a88a6c440115bc3438e9d694da4dc44eafd0d6f8eedf59ffcb77606f81e8925af5b3732202f7c39196a7c5f975a139d96f

  • SSDEEP

    384:ERRRRRRRRRRRFRRRRRRRRRRRERRRRRRRRRRR9gqT3z5aJpIV6F53RRRRRRRRRRRv:j/rz52pIy5d

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Sended@

C2

hexrxr.duckdns.org:6606

hexrxr.duckdns.org:7707

hexrxr.duckdns.org:8808

Mutex

AsyncMutex_85&$nkeo4%hifbe

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
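The extracted config above gives the three C2 endpoints and the mutex name as directly actionable IOCs. The following Python is an added example, not part of the sandbox report or of any tool the report describes: it sweeps constructed Sysmon-style network-connect lines and a constructed list of named-object handles for those values. The log lines, the handle names and the helper names `find_c2_hits` and `find_mutex` are assumptions for illustration; the host, ports and mutex string are copied from the report. Note that AsyncRAT uses a single host with several fallback ports, so the check also flags the C2 host on a port outside the configured set rather than silently ignoring it.

```python
"""Added example: match the extracted AsyncRAT/3LOSH config from the report
against constructed host telemetry. Not code from the sandbox or the report."""
import re
from dataclasses import dataclass

# IOCs copied verbatim from the "Malware Config" section of the report.
C2_HOST = "hexrxr.duckdns.org"
C2_PORTS = {6606, 7707, 8808}
MUTEX = "AsyncMutex_85&$nkeo4%hifbe"

# Constructed Sysmon Event ID 3 (network connection) style lines for this example.
# Only the field layout is assumed; none of these lines come from the report.
SAMPLE_NETWORK_LOG = """\
2023-11-16 10:02:11 EventID=3 Image=C:\\Windows\\System32\\wscript.exe DestinationHostname=hexrxr.duckdns.org DestinationPort=6606
2023-11-16 10:02:12 EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationHostname=example.org DestinationPort=443
2023-11-16 10:02:30 EventID=3 Image=C:\\Users\\bob\\AppData\\Roaming\\svchost.exe DestinationHostname=HEXRXR.DUCKDNS.ORG. DestinationPort=8808
2023-11-16 10:03:01 EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationHostname=hexrxr.duckdns.org DestinationPort=443
2023-11-16 10:03:05 EventID=1 Image=C:\\Windows\\System32\\cmd.exe DestinationHostname=hexrxr.duckdns.org DestinationPort=7707
"""

# Constructed named-object handle paths (e.g. from a handle dump); the first and
# last are decoys, the middle one is the mutex named in the report.
SAMPLE_HANDLES = [
    r"\Sessions\1\BaseNamedObjects\SM0:1234:304:WilStaging_02",
    r"\Sessions\1\BaseNamedObjects\AsyncMutex_85&$nkeo4%hifbe",
    r"\BaseNamedObjects\AsyncMutex_85&$nkeo4%hifbeX",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) Image=(?P<image>.+?) "
    r"DestinationHostname=(?P<host>\S+) DestinationPort=(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    image: str
    host: str
    port: int
    reason: str


def find_c2_hits(log_text: str) -> list[Hit]:
    """Return one Hit per network-connect event that touches the C2 host.

    Hostname comparison is case-insensitive and ignores a trailing dot, since
    both show up in real DNS/Sysmon data. A connection to the C2 host on a port
    not in the extracted config is still reported, with a distinct reason.
    """
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("eid") != "3":   # only network-connect events
            continue
        host = m.group("host").lower().rstrip(".")
        port = int(m.group("port"))
        if host != C2_HOST:
            continue
        reason = "c2 host+port" if port in C2_PORTS else "c2 host, unexpected port"
        hits.append(Hit(m.group("ts"), m.group("image"), host, port, reason))
    return hits


def find_mutex(handle_names: list[str]) -> list[str]:
    """Return handle paths whose final component is exactly the configured mutex."""
    return [h for h in handle_names if h.rsplit("\\", 1)[-1] == MUTEX]


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_NETWORK_LOG):
        print(f"{hit.timestamp} {hit.image} -> {hit.host}:{hit.port} ({hit.reason})")
    for h in find_mutex(SAMPLE_HANDLES):
        print("mutex present:", h)
```

The exact-match on the mutex name matters: AsyncRAT builds use a fixed per-build mutex, so a near-miss such as the decoy with a trailing `X` should not fire. For production use the same two functions can be fed real Sysmon exports and `handle.exe`/volatility output instead of the constructed samples.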

Targets

    • Target

      invoice#976542164311.wsf

    • Size

      59KB

    • MD5

      7cdd28a5731bf8172666651cdd542957

    • SHA1

      c1fd4c2ab361adc25f8494b7e3ad238f7db070e3

    • SHA256

      8a29a4ea9ef7b922eb5134e49c6427c1732ed277f8eee14c20262ad6ef8c4495

    • SHA512

      26446f986a1676a21b07fbb30abfb2a88a6c440115bc3438e9d694da4dc44eafd0d6f8eedf59ffcb77606f81e8925af5b3732202f7c39196a7c5f975a139d96f

    • SSDEEP

      384:ERRRRRRRRRRRFRRRRRRRRRRRERRRRRRRRRRR9gqT3z5aJpIV6F53RRRRRRRRRRRv:j/rz52pIy5d

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Async RAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks