General
Target: 13112024_1857_RAMA_J_DEL_PODER_PUBLICO_NOTIFICACION_ELECTRONICA_RAD_129939214091249_POR_FAVOR_CONFIRMAR_RECIBIDO.wsf
Size: 1KB
Sample: 241113-xl19gaxfrl
MD5: 817379a5c3f383c5586acd71d5e8adf5
SHA1: 6139bcd7317b3a3de045b1da994f8924d6c79f84
SHA256: 7548f1ad49f6fd2a5e2aba00613274674f2ca6424dbacb41717098ecea852f70
SHA512: d2d75ef1296712a678ab60b0d3b476d228bdd5c10b8e9b75c7dad91a5ce14d0632a176271623366b501405c6dbee7d1c79d0ebbd389b04073c18cb2020d1da7e
Static task: static1
Behavioral task: behavioral1
Sample: 13112024_1857_RAMA_J_DEL_PODER_PUBLICO_NOTIFICACION_ELECTRONICA_RAD_129939214091249_POR_FAVOR_CONFIRMAR_RECIBIDO.wsf
Resource: win7-20240903-en
Malware Config
Extracted
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Extracted
asyncrat
| CRACKED BY https://t.me/xworm_v2
BRAZ
0611wins.duckdns.org:9003
AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Targets
Target: 13112024_1857_RAMA_J_DEL_PODER_PUBLICO_NOTIFICACION_ELECTRONICA_RAD_129939214091249_POR_FAVOR_CONFIRMAR_RECIBIDO.wsf
- Asyncrat family
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Suspicious use of SetThreadContext