General

  • Target

    7796_output.zip

  • Size

    40KB

  • Sample

    241209-zk575s1jcv

  • MD5

    bd3ab05ca9eb6161d66948bba2a09c09

  • SHA1

    90e6d4c9e592e4a2ecd447e98830f3755acbe760

  • SHA256

    5e34ea7fbf3080fe5b5ad6fb5a1a3f9b11e783dc8cda28985e048970256831c3

  • SHA512

    86e31d424f90be6d08b29b0b952ec1f2e12d4d2dca90a52aed3038fa26d6bb6b0771276c7bf795cde36eeea340eb8a649871c6015dbf1eacc5b247dab7b0a377

  • SSDEEP

    768:b8gNuyQsESayRkeA22lv3CL2CSn/OaEgoazkELsSlIIZ8+/iUwt4FmJ:b8gAPsExheA3lFC42VgRzk85ZP/aCFq

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    0.5.8

  • Botnet

    Default

  • C2

    jt8iyre.localto.net:55644

    jt8iyre.localto.net:2101

  • Mutex

    WzRdrlEJS302

  • Attributes

    • delay

      3

    • install

      false

    • install_file

      dwmm.exe

    • install_folder

      %AppData%

  • aes.plain

Targets

    • Target

      9765_output.vbs

    • Size

      69KB

    • MD5

      f0a90fbc29a64f4274b014755f88c990

    • SHA1

      e8f7053bea6eab342edf9d80c15835b6fb6d9844

    • SHA256

      df37f986e4342d26e408aa370058ba21d218aaac358ba940bde7ac1f035549d7

    • SHA512

      fc42c09434d77f5688d23eab7700440196d07e517e3940d3b47484f2c4de214301063b9537febf1f3396fcf033cead22b4aecd68f18acc7c6f06f8f06ffc3c77

    • SSDEEP

      768:Oyq+h3xb1DhEhMXSHLGjhlZrkoq22Ub9aLILRNho4rBT9qDCJfJw/urPFpjw4g:lhBJihvKjhbQoDNbUILRUcE4wWrtp0D

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Async RAT payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks