General
Target: hey.ps1
Size: 1016B
Sample: 240117-p7jybagcd9
MD5: c39a78262c22dbcfe892ec89e618550d
SHA1: c9f08b4719066517ddc7e5f30dfb059a47acb873
SHA256: 769d7f384b22433d4f5cd191d70cf8bd7523bc89e5b525d32ff311499f781a03
SHA512: 002fe77e65482de9226a3a1a8ea9cbc9d881b86b7963ad528ea6a36a6275f079d9618773d7e61caec459de97492ff1e153025778606c2a783aa1c8a2e38ef40c
Static task: static1
Behavioral task: behavioral1
Sample: hey.ps1
Resource: win7-20231215-en
Malware Config
Extracted: http://172.86.96.111:8080/Script.ps1
Extracted: asyncrat
Venom Pwn3rzs' Edtition v6.0.1
Default
194.33.191.245:2405
ucglovygcuqcsabs
delay: 1
install: false
install_folder: %AppData%
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Async RAT payload
- Blocklisted process makes network request
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.