General

  • Target

    hey.ps1

  • Size

    1016B

  • Sample

    240117-p7jybagcd9

  • MD5

    c39a78262c22dbcfe892ec89e618550d

  • SHA1

    c9f08b4719066517ddc7e5f30dfb059a47acb873

  • SHA256

    769d7f384b22433d4f5cd191d70cf8bd7523bc89e5b525d32ff311499f781a03

  • SHA512

    002fe77e65482de9226a3a1a8ea9cbc9d881b86b7963ad528ea6a36a6275f079d9618773d7e61caec459de97492ff1e153025778606c2a783aa1c8a2e38ef40c

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper

    http://172.86.96.111:8080/Script.ps1

Extracted

  • Family

    asyncrat

  • Version

    Venom Pwn3rzs' Edtition v6.0.1

  • Botnet

    Default

  • C2

    194.33.191.245:2405

  • Mutex

    ucglovygcuqcsabs

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Async RAT payload

    • Blocklisted process makes network request

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks