General

  • Target

    de68a04b9c1b2c4a6b1e3063a413183ca5eb896fe396282b37770f6459c95045

  • Size

    94KB

  • Sample

    240614-p65tds1gla

  • MD5

    3c79a6180ae2590450d46359924cb9c1

  • SHA1

    693e79841c9076be8cc759eedaf059a0bfd385ff

  • SHA256

    de68a04b9c1b2c4a6b1e3063a413183ca5eb896fe396282b37770f6459c95045

  • SHA512

    d4072a18fcffbca2ea689394a4e67382de262a142e318794757540c41718fdf629c39e6a9f4c99d87d1eece05ba46ecee4c8b43ca93b2db65f07fbc052e7e0be

  • SSDEEP

    1536:ixlkAiJFpAHwjjpIjvl/5vF4vkvkx3INq2HbbJK2VC9iy7pO0da5HSnW497B9exY:+545BYF59d8RINqwLC9iqdkS979Htg0L

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    AWS | 3Losh

  • Botnet

    WEAREBACK

  • C2

    fat7e007707.ddns.net:6666

  • Mutex

    AsyncMutex_LeN8XOQBy8f6MhIG

  • Attributes

    • delay

      3

    • install

      false

    • install_folder

      %AppData%

  • aes.plain

Targets

    • Target

      BATTATAA.bat

    • Size

      1KB

    • MD5

      c4ed432720943b4ba7f2ca6289df6a5d

    • SHA1

      cad8c52814e157f8a99b87371d71ceb874e26339

    • SHA256

      9852cddb4ca117d758dd1f7fb7acd21bda527d9db32ff4e5b56bf1cf9c84a9d2

    • SHA512

      904655de8495aacd1b3f424821c9e643bc8c5e0d07ebd872e23ed0085a58eee4df0759911709e2fa5aa515f4fefe95ef64a55e6f52e6f2e6107bca4db5713400

    Score
    8/10
    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Target

      KNBSOCSXACHWOKRY.ps1

    • Size

      562KB

    • MD5

      749e3553ab2e0e9abb453341ad468d00

    • SHA1

      5697934e271d42c8b2c09ae25aebdf057e59e217

    • SHA256

      f338daab4aa9420e2ab7d2af82638d9057478e0a255672e6b1f7f2e30dfd7cde

    • SHA512

      25e267e4a1e23a16576406832be8396474ec0d3392e0c91eb704115420b13ed282a47104b6fb1dbf2b84cdd8edba2cbd1b2fd3d2335273165966cba9345013a1

    • SSDEEP

      1536:kDh8DyXBs84VhDEak0EyxWq0U3IMUla7lwb2h:kDhiyXBs84VhDEakbyxWq0Uz

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Suspicious use of SetThreadContext

    • Target

      LXHNZEZFHPFSAEGF.ps1

    • Size

      542B

    • MD5

      fad290574d9673c6212bacc43f3ac7ce

    • SHA1

      a642b5291e9fb3b21c40bd28ad25607d08b4172b

    • SHA256

      898a205a94055456f1146d108e12b54093d043b298a1ade8ffec26a46feb4f2e

    • SHA512

      9254f7d5c66939517ccd0cf182fe1436b1709a4fb5344d16c31b372ba2746b5013bd5664731459d5b27604867e060436df80d03630c8dab60dc33c6bd5437969

    Score
    3/10
    • Target

      MVVELJTYVGCFOMOS.vbs

    • Size

      783B

    • MD5

      4d11fae42476a363ad9cc2eeeea038ef

    • SHA1

      8f9b65f448924c79fe7a19b6fdf9a965c1de8371

    • SHA256

      90efa2e75e2102942fba13cb4a5744530cd85e84fcfc8d7ddccdc17081ac3f69

    • SHA512

      cf828788c7e7c0cd119a308b5f4ed705aa6007ac318f0fdf6f8e6696b2ed376f1bfec0ccd7d16771f868f8f84bd36442d827d84781d699cdc2d0f8a6e5c35883

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      WEBACKAGAIN.bat

    • Size

      1KB

    • MD5

      f626c63d0c25c0e82650b6e699d7d86c

    • SHA1

      9387e44e51a630c066bd8178487d9f0d07c018a9

    • SHA256

      a04e51d1511b2449fef2cc6e304ce6dd56cb3b68de39a2d2dde04563a87002d7

    • SHA512

      6f6d7db0cef64a5552108e7f2be8e7ac937cf966252fa4cf64bd128f846323c14f506046e2c306794ca5128bcf9e8e8c33c0ff077a7974d88ee52e4129ddccd4

    Score
    8/10
    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Target

      YAGURQWHFBHUIOUB.vbs

    • Size

      786B

    • MD5

      968dbcf5ad02e59d3bb307e189a8ddd9

    • SHA1

      65921aeb4580c1c3b020154b84e42426bb21a818

    • SHA256

      9a778a752a6bf8fa1fd175fe45a274678b7685939897559b90d9c8fe2022d9b8

    • SHA512

      0465c8afb9f46f547b5c28de07c2437cd650ad20b3ef0c3e876b9d780a647511bcdd088e1c44243eb620530bf15b60b2ce92de088c5521ff7708571f72b7173d

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Matrix ATT&CK v13

  • Execution

    • Command and Scripting Interpreter: T1059 (4)

      • PowerShell: T1059.001 (4)

  • Discovery

    • Query Registry: T1012 (3)

    • System Information Discovery: T1082 (4)

Tasks