2024-01-09 (TUESDAY): ASYNC RAT INFECTION

- unknown source --> ISO image --> WSF file --> HTTP traffic for malicious files --> Async RAT C2

INITIAL MALWARE:

- SHA256 hash: be78b500f71db3b870a6ab00f26fd1dcb54bc19a218c93698d6146a87b488ed5
- File size: 129,024 bytes
- File type: ISO 9660 CD-ROM filesystem data
- File name: invoice#5487214847577.iso

- SHA256 hash: 39ce0b953f3831429fa1c971ad0da741877ad2c932406e43f64874e65f82a238
- File size: 65,593 bytes
- File type: Unicode text, UTF-8 text, with very long lines (6876), with CRLF line terminators
- File name: invoice#5487214847577.wsf

FILES RETRIEVED WHEN RUNNING ABOVE WSF FILE:

- SHA256 hash: 1e9c29d7af6011ca9d5609cb93b554965c61105a42df9fe0c36274e60db71b1d
- File size: 1,974 bytes
- File type: ASCII text, with CRLF line terminators
- File location: hxxp://45.126.209[.]4:222/xlm.txt

- SHA256 hash: 83babee77db36512c0eab8ea6b35e981aa4288a4095985d69b3841f8b684fe11
- File size: 431,208 bytes
- File type: Unicode text, UTF-8 (with BOM) text, with very long lines (65514), with CRLF line terminators
- File location: hxxp://45.126.209[.]4:222/mdm.jpg

MALWARE FROM AN INFECTED WINDOWS HOST:

- SHA256 hash: cba344447d8228d88c93d64ffdcda1de8562ef41adc4901191548e00bbfc5f19
- File size: 205 bytes
- File type: ASCII text, with CRLF line terminators
- File location: C:\Users\Public\Conted.bat

- SHA256 hash: 3a0a477030eaba84883193ede461d8595c3ca4345811632e295d9c2d136c1593
- File size: 429,283 bytes
- File type: ASCII text, with very long lines (65532), with CRLF line terminators
- File location: C:\Users\Public\Conted.ps1
- File description: Modified version of file returned from hxxp://45.126.209[.]4:222/mdm.jpg

- SHA256 hash: a31dbd6f7416f150403c19be69f02d5e8608f5e7fae88a29831d40db15849b60
- File size: 688 bytes
- File type: ASCII text, with CRLF line terminators
- File location: C:\Users\Public\Conted.vbs

TRAFFIC FROM AN INFECTED WINDOWS HOST:

- 45.126.209[.]4 port 222 - 45.126.209[.]4:222 - GET /xlm.txt
- 45.126.209[.]4 port 222 - 45.126.209[.]4:222 - GET /mdm.jpg
- 45.126.209[.]4 port 8808 - madmrx.duckdns[.]org - HTTPS traffic, TLSv1.0
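The indicators above are published defanged (hxxp://, [.]), so the first thing a defender does with them is refang and load them into a matcher. The following script is an added example, not part of the original write-up or its pcap: it refangs the page's URLs, hosts and hashes, then runs them over a few constructed key=value log lines (proxy, DNS, TLS and file-creation events in a made-up format) to show which stages of the chain each indicator catches. The log format, field names and sample lines are assumptions; only the indicator values come from the page.

```python
"""
Added example (not from the original page): refang the published IOCs for the
2024-01-09 Async RAT chain and hunt for them in constructed key=value log lines.
"""
import re

# Indicators copied from the page, still in their defanged form
DEFANGED_URLS = [
    "hxxp://45.126.209[.]4:222/xlm.txt",
    "hxxp://45.126.209[.]4:222/mdm.jpg",
]
DEFANGED_C2 = [("45.126.209[.]4", 8808), ("madmrx.duckdns[.]org", 8808)]
FILE_HASHES = {  # sha256 -> file name from the page
    "be78b500f71db3b870a6ab00f26fd1dcb54bc19a218c93698d6146a87b488ed5": "invoice#5487214847577.iso",
    "39ce0b953f3831429fa1c971ad0da741877ad2c932406e43f64874e65f82a238": "invoice#5487214847577.wsf",
    "1e9c29d7af6011ca9d5609cb93b554965c61105a42df9fe0c36274e60db71b1d": "xlm.txt",
    "83babee77db36512c0eab8ea6b35e981aa4288a4095985d69b3841f8b684fe11": "mdm.jpg",
    "cba344447d8228d88c93d64ffdcda1de8562ef41adc4901191548e00bbfc5f19": "Conted.bat",
    "3a0a477030eaba84883193ede461d8595c3ca4345811632e295d9c2d136c1593": "Conted.ps1",
    "a31dbd6f7416f150403c19be69f02d5e8608f5e7fae88a29831d40db15849b60": "Conted.vbs",
}
DROP_PATHS = {  # on-disk locations from the page, lowercased for comparison
    r"c:\users\public\conted.bat",
    r"c:\users\public\conted.ps1",
    r"c:\users\public\conted.vbs",
}


def refang(indicator: str) -> str:
    """Turn the page's defanged notation back into a matchable string."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", ".")
                     .replace("[:]", ":"))


def build_iocs():
    """Return (urls, hosts, ports, hashes, paths) ready for matching."""
    urls = {refang(u) for u in DEFANGED_URLS}
    hosts = {refang(h) for h, _ in DEFANGED_C2}
    # the download host is also a C2 indicator on its own
    hosts |= {refang(u).split("/")[2].split(":")[0] for u in DEFANGED_URLS}
    ports = {p for _, p in DEFANGED_C2} | {222}
    return urls, hosts, ports, FILE_HASHES, DROP_PATHS


# Constructed log format (assumption): space-separated key=value pairs
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_line(line: str, iocs) -> list:
    """Return the list of indicator hits for one log line (empty if clean)."""
    urls, hosts, ports, hashes, paths = iocs
    ev = parse_kv(line)
    hits = []
    if ev.get("url") in urls:
        hits.append("url:" + ev["url"])
    for key in ("dst", "query", "sni"):  # IP destination, DNS query, TLS SNI
        if ev.get(key) in hosts:
            hits.append(f"{key}:{ev[key]}")
    dport = int(ev.get("dport", 0)) if ev.get("dport", "0").isdigit() else 0
    if ev.get("dst") in hosts and dport in ports:
        hits.append(f"c2_port:{dport}")
    if ev.get("sha256", "").lower() in hashes:
        hits.append("sha256:" + hashes[ev["sha256"].lower()])
    if ev.get("path", "").lower() in paths:
        hits.append("path:" + ev["path"])
    # the page records the C2 session as TLSv1.0, unusual for modern clients
    if ev.get("tls") == "TLSv1.0" and dport in ports:
        hits.append("legacy_tls_to_c2_port")
    return hits


def scan(lines, iocs=None):
    """Return [(line, hits)] for every line with at least one indicator hit."""
    iocs = iocs or build_iocs()
    return [(ln, hits) for ln in lines if (hits := match_line(ln, iocs))]


# Constructed sample events mirroring the stages of the published chain
SAMPLE_LOG = [
    "ts=2024-01-09T14:02:11Z type=proxy src=10.0.0.15 dst=45.126.209.4 dport=222 method=GET url=http://45.126.209.4:222/xlm.txt",
    "ts=2024-01-09T14:02:13Z type=proxy src=10.0.0.15 dst=45.126.209.4 dport=222 method=GET url=http://45.126.209.4:222/mdm.jpg",
    "ts=2024-01-09T14:02:20Z type=dns src=10.0.0.15 query=madmrx.duckdns.org",
    "ts=2024-01-09T14:02:21Z type=tls src=10.0.0.15 dst=45.126.209.4 dport=8808 sni=madmrx.duckdns.org tls=TLSv1.0",
    r"ts=2024-01-09T14:02:25Z type=file host=WS15 sha256=cba344447d8228d88c93d64ffdcda1de8562ef41adc4901191548e00bbfc5f19 path=C:\Users\Public\Conted.bat",
    "ts=2024-01-09T14:05:00Z type=proxy src=10.0.0.22 dst=93.184.216.34 dport=443 method=GET url=https://example.com/",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(line.split(" ")[0], hits)
```

Running it flags five of the six sample lines; the benign HTTPS line produces no hit. Keeping the hash-to-name map lets the output say which stage of the chain fired (the WSF dropper, the staged script, or the files written under C:\Users\Public), which is more useful in triage than a bare hash match.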
