Overview

overview

10

Static

static

1

0969731d32...b2.ps1

windows7-x64

3

0969731d32...b2.ps1

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    93bfb747191ea031f60faf9b15e7d43b.bin

  • Size

    67KB

  • Sample

    241018-b29d5a1hrr

  • MD5

    8d5070120d9f830bb614a76b99953629

  • SHA1

    011ff634f35628e8ecde36218a8ee214c4128efd

  • SHA256

    94c00396b7dbcf52675d3523d209d4a244e0fe1a0ea53e9b2192542bef3a8818

  • SHA512

    89cf2a4a194ea35e3b42965a4bbc6ec6a45ae6fa8bffc10797459f742611574a59ef38ecb7e62b61129190efe747fd259ae2475f725165937b0a67bd43173853

  • SSDEEP

    1536:NKve5bSPG+jcxedgJWKJ7ikZRI3GnWW+5t7tR1BcD4Sk:4veQyezKskZiWj+bMMP

Score
10/10
asyncratnew-encryptdiscoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

New-Encrypt

Mutex

AsyncMutex_alosh

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/M1nmWeTA

aes.plain

Targets

    • Target

      0969731d32678ac6f0be0896d03b2eb382d2dcd54645e55c621ea6152ebce8b2.ps1

    • Size

      440KB

    • MD5

      93bfb747191ea031f60faf9b15e7d43b

    • SHA1

      4fa4a763f1c7f4436b869eb2959542e0d966bb88

    • SHA256

      0969731d32678ac6f0be0896d03b2eb382d2dcd54645e55c621ea6152ebce8b2

    • SHA512

      b34e3dbdb6bcd089dc9df23d22344f0644ffdbebe79e8ae99ff13e07cfacf93df64ca3a77b1341fd4f02a485965630c129634a66446952c27a25a09c421bd281

    • SSDEEP

      1536:wUdAHeDN4NDabDzuCO4dfk2EJdMFXa/3qYrYUF1rGs4UPDc+dl3Cz6nKd35rmDex:w/XrXFWHlFHhfu88C

    Score
    10/10
    executionasyncratnew-encryptdiscoveryrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks