General

  • Target

    1d7c22396b5d7fd7e169f2a676d6d934ac8b957e9cab956d3d51ce09460392a3

  • Size

    3.8MB

  • Sample

    241121-f85rqsyekg

  • MD5

    902ca72dfd808b6412217af646ab3b11

  • SHA1

    aacb4e02c20dc0cc62d07170bb702de29a2f10b7

  • SHA256

    1d7c22396b5d7fd7e169f2a676d6d934ac8b957e9cab956d3d51ce09460392a3

  • SHA512

    0d439d25e42212bc6c283cd12fb471ec3cc1ce19a5ae418e1dbd600fb1056698126e929124f2baa8cea9535eb8431c42067998999fb287c0d73468063521ac44

  • SSDEEP

    98304:pk9v6GPMd+nr/7LL1ObBFeQsfK6i8AvZJM3o:pk9Drnrj31m93p

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default-NOV-24

C2

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:7031

jinvestments.duckdns.org:2703

jinvestments.duckdns.org:7031

Mutex

AsyncMutex_6SI8OkPnk

Attributes

  • delay

    3

  • install

    false

  • install_file

    Windows Update.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7044

Targets

    • Target

      ORDER-2411210684CAV.XLS.js

    • Size

      5.8MB

    • MD5

      0e9a4efd656e8f726c99639a15b46afa

    • SHA1

      83c3929d2d526e96b6eab13dbeca60511720ccac

    • SHA256

      17c8a2339fd77b428d7802f12bb967d6bef393b0c16da336126506c8f83c750e

    • SHA512

      a67d35216768dea1aeac8519861879814abcded338a9368e1a53ac6dcb0788e81ca3bef3dd9258e3a02fd52297cbc8558f7801c62e65b1fd1578c80b46365f83

    • SSDEEP

      49152:fyW+X3Bcfv+0oelkeQ74+Tey2Gxj7ReW+q4HXZhCrtwzXltdHRe:8

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Wshrat family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks