General
-
Target
7166_output.vbs
-
Size
60KB
-
Sample
241126-2tknxatna1
-
MD5
dcaadf5b6a871821a09e8be7f12603b0
-
SHA1
49c943609633112b80fe7b50c79ca6eb072eb3be
-
SHA256
407ed762a35023eb5eb69738dd20a7c23ac03e187717029a0712b1826750d549
-
SHA512
e18a9bda8f0efeb8bc490b320f86b14a7bc3fb667af4c193b9159d780aabe11da48bec08a6d605f2f08c65d661b5f8e572bf52e5fd712735196d46ea68a15db8
-
SSDEEP
1536:akm3NbS839HXCQHXFNx7X+xW7lflsAmPUoLlXBCbB:aLl3pCQ35+EDu3y
Malware Config
Extracted
asyncrat
0.5.8
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
127.0.0.1:2024
127.0.0.1:15509
127.0.0.1:11979
2.tcp.eu.ngrok.io:6606
2.tcp.eu.ngrok.io:7707
2.tcp.eu.ngrok.io:8808
2.tcp.eu.ngrok.io:2024
2.tcp.eu.ngrok.io:15509
2.tcp.eu.ngrok.io:11979
5.tcp.eu.ngrok.io:6606
5.tcp.eu.ngrok.io:7707
5.tcp.eu.ngrok.io:8808
5.tcp.eu.ngrok.io:2024
5.tcp.eu.ngrok.io:15509
5.tcp.eu.ngrok.io:11979
rBBszd57Gkh8
-
delay
3
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
7166_output.vbs
-
Size
60KB
-
MD5
dcaadf5b6a871821a09e8be7f12603b0
-
SHA1
49c943609633112b80fe7b50c79ca6eb072eb3be
-
SHA256
407ed762a35023eb5eb69738dd20a7c23ac03e187717029a0712b1826750d549
-
SHA512
e18a9bda8f0efeb8bc490b320f86b14a7bc3fb667af4c193b9159d780aabe11da48bec08a6d605f2f08c65d661b5f8e572bf52e5fd712735196d46ea68a15db8
-
SSDEEP
1536:akm3NbS839HXCQHXFNx7X+xW7lflsAmPUoLlXBCbB:aLl3pCQ35+EDu3y
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Async RAT payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-