General

  • Target

    VhDMUS0I_s2fzHm6OttwA-M9zHN2oWAUImZx-UxRpRo.bin

  • Size

    38KB

  • Sample

    240125-zbw8wafggm

  • MD5

    eb88cef471240cc3a0dc91d7f741fae4

  • SHA1

    2d675a54746ae329a5aedabb6aa41028c1095279

  • SHA256

    5610cc512d08facd9fcc79ba3adb7003f33dcc7376a16014226671fd4c51a51a

  • SHA512

    b4286d9916e572d1adea24e23eb2449ed629386448bad1a407348002a7998ee7b24c17be86410b6db26e9aa20b8af94894f7607d0d59c76694e966f6c2a436ee

  • SSDEEP

    768:pWuVt1xvGA31VGhhy4Vm/D6owtYrezXmTWuVt1xvGA31VGhhy4Vm/D6owtYrezXR:Ys++IXBs++IXR

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://nodejs.org/download/release/v6.17.1/win-x64/node.exe

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Default

C2

boty.theworkpc.com:6606

boty.theworkpc.com:7707

boty.theworkpc.com:8808

Mutex

AsyncMutex_alo47

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      VhDMUS0I_s2fzHm6OttwA-M9zHN2oWAUImZx-UxRpRo.bin

    • Size

      38KB

    • MD5

      eb88cef471240cc3a0dc91d7f741fae4

    • SHA1

      2d675a54746ae329a5aedabb6aa41028c1095279

    • SHA256

      5610cc512d08facd9fcc79ba3adb7003f33dcc7376a16014226671fd4c51a51a

    • SHA512

      b4286d9916e572d1adea24e23eb2449ed629386448bad1a407348002a7998ee7b24c17be86410b6db26e9aa20b8af94894f7607d0d59c76694e966f6c2a436ee

    • SSDEEP

      768:pWuVt1xvGA31VGhhy4Vm/D6owtYrezXmTWuVt1xvGA31VGhhy4Vm/D6owtYrezXR:Ys++IXBs++IXR

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Async RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks