General

  • Target

    da6181e22c0c7230058044b36945666bd5cb6eef577eed273f217b166335e1b4.vbs

  • Size

    8KB

  • Sample

    240924-b8991ascqr

  • MD5

    8afc18095b72efb67ffd0d9e00480a09

  • SHA1

    9e6f923a724eb96fde01d3598f62395f044b8f32

  • SHA256

    da6181e22c0c7230058044b36945666bd5cb6eef577eed273f217b166335e1b4

  • SHA512

    7ab3c056fca8c91fbe7621f59f157aa1eff47d23c0f42976c99420a893ed43ab0a4ce49adaa527fd7707e68941d54de1517f3392c624444eb839873c48ee5cfb

  • SSDEEP

    48:eYAZXoxm7byApD0G15Fjw7gr/f8BHQQRhUQKADSSot3n7Av9rL2X4JhAPAyUkvf:eYAZtvJDT2U8JQQJS5t3n7Y9rL2Ofdsf

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    AWS | 3Losh

  • Botnet

    Sasa

  • C2

    88.119.175.153:6606

    88.119.175.153:7707

    88.119.175.153:8808

    88.119.175.153:6666

    88.119.175.153:5555

  • Mutex

    AsyncMutex_Ass#$Butt$

Attributes
  • delay

    5

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      da6181e22c0c7230058044b36945666bd5cb6eef577eed273f217b166335e1b4.vbs

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

MITRE ATT&CK Enterprise v15

Tasks