General

  • Target

    06112024_0054_110424.vbs

  • Size

    140KB

  • Sample

    241106-a87cnssbld

  • MD5

    b551d6e65cb8770641782a1c9fea2d46

  • SHA1

    913f33925e21db15d167574c6d29e612641c24f5

  • SHA256

    dcd8eb05de5d4e76fbadf6cf6ffa17f72e6feba0ab79ea57ec2f507d838c1626

  • SHA512

    660b54552fc52f6195db34af7fa8d2fcfb05a0c7b97822cf654dd8360e83e3d416235c44050581a470cc01348583a56154fb55665c60a48cc1df2c8bc3707eb9

  • SSDEEP

    1536:ZirfBgt5pzEGw+jDKVRs8UH12oaz+MXdVyagPI1lNyU:ZirZgt5pIGwS8RsXVTahdVyagPIPNd

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

    exe.dropper

    https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Extracted

  • Family

    asyncrat

  • Botnet

    11-4-24

  • C2

    egghold.duckdns.org:2011

    exgi.duckdns.org:2011

  • Attributes

    • delay

      1

    • install

      false

    • install_folder

      %AppData%

  • aes.plain

Targets

    • Target

      06112024_0054_110424.vbs

    • Size

      140KB

    • MD5

      b551d6e65cb8770641782a1c9fea2d46

    • SHA1

      913f33925e21db15d167574c6d29e612641c24f5

    • SHA256

      dcd8eb05de5d4e76fbadf6cf6ffa17f72e6feba0ab79ea57ec2f507d838c1626

    • SHA512

      660b54552fc52f6195db34af7fa8d2fcfb05a0c7b97822cf654dd8360e83e3d416235c44050581a470cc01348583a56154fb55665c60a48cc1df2c8bc3707eb9

    • SSDEEP

      1536:ZirfBgt5pzEGw+jDKVRs8UH12oaz+MXdVyagPI1lNyU:ZirZgt5pIGwS8RsXVTahdVyagPIPNd

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks