Extracted

• • Target

    rXoBUpDZJm.WSF.wsf

  • Size

    463KB

  • MD5

    264f5367e4122a1d79c65688daef19cb

  • SHA1

    b56fbe178275a6ca6440711056dbcdacb5bb7186

  • SHA256

    c0727985c6dcc2b21c67ef3e3c5ac0f01ff220024505089ddd116e423562b2f9

  • SHA512

    e4e4a79d9eae8a3cd9c9ce53c243ee0a35514b0d31731a1360935556dc08cd8ffb5d7e69575e9cb2bbf4e7d2d0b1273faa9f258b1f1c6fce4647767f44a879cc

  • SSDEEP

    12288:hSgSgSgSgSgSgSgSgSgSgSgSMSgSgSgSgSgSgSgSgSgSgSgSlSgSgSgSgSgSgSgo:X

  Score

  10^/10

  executionasyncrat00000001discoveryrat

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Asyncrat family

    asyncrat

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2