General
Target: #9948-8465.vbs
Size: 8KB
Sample: 240923-t1x9kswfnd
MD5: 8afc18095b72efb67ffd0d9e00480a09
SHA1: 9e6f923a724eb96fde01d3598f62395f044b8f32
SHA256: da6181e22c0c7230058044b36945666bd5cb6eef577eed273f217b166335e1b4
SHA512: 7ab3c056fca8c91fbe7621f59f157aa1eff47d23c0f42976c99420a893ed43ab0a4ce49adaa527fd7707e68941d54de1517f3392c624444eb839873c48ee5cfb
SSDEEP: 48:eYAZXoxm7byApD0G15Fjw7gr/f8BHQQRhUQKADSSot3n7Av9rL2X4JhAPAyUkvf:eYAZtvJDT2U8JQQJS5t3n7Y9rL2Ofdsf
Static task: static1
Behavioral task: behavioral1
  Sample: #9948-8465.vbs
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: #9948-8465.vbs
  Resource: win10v2004-20240802-en
Malware Config
Extracted: asyncrat
  AWS | 3Losh
  Sasa
  C2:
    88.119.175.153:6606
    88.119.175.153:7707
    88.119.175.153:8808
    88.119.175.153:6666
    88.119.175.153:5555
  Mutex: AsyncMutex_Ass#$Butt$
  delay: 5
  install: false
  install_folder: %AppData%
Targets
Target: #9948-8465.vbs
- Async RAT payload
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)