asyncrat | a77bf4f6f417a480f95547d6c6a332c42048d91e1768ff60afcc3ee54ff6e8c2 | Triage

Sharing

General

Target

c28b393fccf6d23f9b175b44c4288893.bin
Size

523KB
Sample

240910-b7m33ssfqe
MD5

9827e4d548261a4472eb77548a613b56
SHA1

f889b794ce984534cde40a0533cf8da70fc9f02e
SHA256

a77bf4f6f417a480f95547d6c6a332c42048d91e1768ff60afcc3ee54ff6e8c2
SHA512

c3a616e146944445dfa0e53fa03111dd1f2d43bf0be31c128a8ef941e32f5790c1fc690ffffd93c8c2ec83756641edd9595c304c137a0564b09897a58f3225ad
SSDEEP

12288:H088kJrTR3LwMrgFCT8Ga9lskVO7ii/ItCyQl5:HbFTSPU0xVNQyK5

Score

10^/10

asyncrat vjw0rm suepr envio sep03 discovery execution persistence rat trojan worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://pastebin.com/raw/V9y5Q5vv

Extracted

Family

asyncrat

Version

1.0.7

Botnet

SUEPR ENVIO SEP03

C2

nyan43.duckdns.org:1963

Mutex

YHGBVFDC

Attributes

delay
15
install
false
install_file
qawsedrftyujgh.exe
install_folder
%AppData%

aes.plain

Extracted

Family

vjw0rm

C2

http://yuya0415.duckdns.org:1928

Targets

- Target
  
  08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a.exe
- Size
  
  669KB
- MD5
  
  c28b393fccf6d23f9b175b44c4288893
- SHA1
  
  7d081db02f6654c785fca5b8187e13fdde5878c6
- SHA256
  
  08c456bc976fd183171bf7fef71d8fc37894a9e0e2c3b041b589cd864fce698a
- SHA512
  
  e9167c23388fe417a1da2733272a40052ca5db5f1068e57bfcf0864e129e7e9a5aab43d10647e6bdc2b84eb66f7ab0f1677e268f5581931b8a147cf74330fc3b
- SSDEEP
  
  12288:SBdlwHRn+WlYV+W2X+t4DwlFpJu0nTXoJwh7mA9St4xjXLYqEWXP+YjjPGoTI:SBkVdlYAW0MlFPnEJwB9SojIFkjPGR
Score

10^/10

asyncrat vjw0rm suepr envio sep03 discovery execution persistence rat trojan worm
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratvjw0rmsuepr envio sep03discoveryexecutionpersistencerattrojanworm

behavioral2

asyncratvjw0rmsuepr envio sep03discoveryexecutionpersistencerattrojanworm