General

  • Target: Patruljefrer.vbs
  • Size: 67KB
  • Sample: 241101-st4mcatmcj
  • MD5: dc3c11c4fe11f72749d759a975e477f0
  • SHA1: 254baa6b1d875e004af665c120da7db6409cc73b
  • SHA256: 301c2c3ec7ac65bb681f01f1262b110e86822685101b37b8677422e10bacdb33
  • SHA512: 6a188b369fc07ee9cc5d111b6296833a91e9a82c722e5abb31fce4326e84c25749d9904fdd0e2c35803e3098bdf9971ae7a51834c98faa68a5bc52fea9ce1c0d
  • SSDEEP: 768:5SyQW9Cef223W+Tgk22+YmtCVMcS8Wxb8ilEq+/nenRmHtDpIWMz/a3mSO:5SyQQNxnWv8u8iuqCnX3Mz/ItO

Malware Config

Extracted

  • Family: asyncrat
  • Version: AWS | 3Losh
  • Botnet: The--capable
  • Mutex: AsyncMutex_alcod

Attributes

  • delay: 3
  • install: false
  • install_folder: %AppData%
  • pastebin_config: https://pastebin.com/raw/SBj8AU2u
  • aes.plain

Targets

    • Target: Patruljefrer.vbs

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can recover stored passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks