2024-01-09 (TUESDAY): ASYNC RAT INFECTION
NOTES:
- Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
REFERENCE:
- https://www.virustotal.com/gui/file/be78b500f71db3b870a6ab00f26fd1dcb54bc19a218c93698d6146a87b488ed5
ASSOCIATED FILES:
- 2024-01-09-IOCS-from-AsyncRAT-infection.txt.zip 1.2 kB (1,185 bytes)
- 2024-01-09-AsyncRAT-infection-traffic.pcap.zip 194.0 kB (194,003 bytes)
- 2024-01-09-malware-and-artifacts-from-AsyncRAT-infection.zip 190.7 kB (190,719 bytes)
INFECTION CHAIN:
- unknown source --> ISO image --> WSF file --> HTTP traffic for malicious files --> Async RAT C2

INITIAL MALWARE:
- SHA256 hash: be78b500f71db3b870a6ab00f26fd1dcb54bc19a218c93698d6146a87b488ed5
- File size: 129,024 bytes
- File type: ISO 9660 CD-ROM filesystem data
- File name: invoice#5487214847577.iso

- SHA256 hash: 39ce0b953f3831429fa1c971ad0da741877ad2c932406e43f64874e65f82a238
- File size: 65,593 bytes
- File type: Unicode text, UTF-8 text, with very long lines (6876), with CRLF line terminators
- File name: invoice#5487214847577.wsf

FILES RETRIEVED WHEN RUNNING ABOVE WSF FILE:
- SHA256 hash: 1e9c29d7af6011ca9d5609cb93b554965c61105a42df9fe0c36274e60db71b1d
- File size: 1,974 bytes
- File type: ASCII text, with CRLF line terminators
- File location: hxxp://45.126.209[.]4:222/xlm.txt

- SHA256 hash: 83babee77db36512c0eab8ea6b35e981aa4288a4095985d69b3841f8b684fe11
- File size: 431,208 bytes
- File type: Unicode text, UTF-8 (with BOM) text, with very long lines (65514), with CRLF line terminators
- File location: hxxp://45.126.209[.]4:222/mdm.jpg

MALWARE FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: cba344447d8228d88c93d64ffdcda1de8562ef41adc4901191548e00bbfc5f19
- File size: 205 bytes
- File type: ASCII text, with CRLF line terminators
- File location: C:\Users\Public\Conted.bat

- SHA256 hash: 3a0a477030eaba84883193ede461d8595c3ca4345811632e295d9c2d136c1593
- File size: 429,283 bytes
- File type: ASCII text, with very long lines (65532), with CRLF line terminators
- File location: C:\Users\Public\Conted.ps1
- File description: Modified version of file returned from hxxp://45.126.209[.]4:222/mdm.jpg

- SHA256 hash: a31dbd6f7416f150403c19be69f02d5e8608f5e7fae88a29831d40db15849b60
- File size: 688 bytes
- File type: ASCII text, with CRLF line terminators
- File location: C:\Users\Public\Conted.vbs

TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 45.126.209[.]4 port 222 - 45.126.209[.]4:222 - GET /xlm.txt
- 45.126.209[.]4 port 222 - 45.126.209[.]4:222 - GET /mdm.jpg
- 45.126.209[.]4 port 8808 - madmrx.duckdns[.]org - HTTPS traffic, TLSv1.0
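Added example, not part of the original write-up: a small Python check that turns the traffic pattern above (HTTP to a bare IP on a non-standard port, an image-named URI that returns text, and TLS 1.0 to a dynamic-DNS name on a non-standard port) into detection logic run over constructed Zeek-style records. The record field names, the list of DDNS suffixes and the "standard port" sets are assumptions; the IP and domain come from the indicators listed above.

```python
import re

# Indicators from the write-up, with the defanging brackets removed for matching.
KNOWN_C2_IP = "45.126.209.4"
KNOWN_C2_DOMAIN = "madmrx.duckdns.org"
DDNS_SUFFIXES = ("duckdns.org",)          # assumption: DDNS providers worth flagging
STANDARD_HTTP_PORTS = {80, 443, 8080}     # assumption: what the environment considers normal
LEGACY_TLS = {"SSLv3", "TLSv10", "TLSv11"}

# Constructed sample records modelled on the traffic list above (field names assumed).
SAMPLE_HTTP = [
    {"dst": "45.126.209.4", "port": 222, "uri": "/xlm.txt", "resp_mime": "text/plain"},
    {"dst": "45.126.209.4", "port": 222, "uri": "/mdm.jpg", "resp_mime": "text/plain"},
    {"dst": "93.184.216.34", "port": 80, "uri": "/logo.jpg", "resp_mime": "image/jpeg"},
]
SAMPLE_TLS = [
    {"dst": "45.126.209.4", "port": 8808, "sni": "madmrx.duckdns.org", "version": "TLSv10"},
    {"dst": "93.184.216.34", "port": 443, "sni": "example.com", "version": "TLSv12"},
]

def is_bare_ip(host):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None

def check_http(rec):
    """Return the list of rule names an HTTP record trips (empty list = clean)."""
    hits = []
    if rec["dst"] == KNOWN_C2_IP:
        hits.append("known-ioc-ip")
    if rec["port"] not in STANDARD_HTTP_PORTS and is_bare_ip(rec["dst"]):
        hits.append("http-nonstd-port-bare-ip")
    # mdm.jpg was served as text: image extension with a non-image body.
    if rec["uri"].lower().endswith((".jpg", ".png", ".gif")) and rec["resp_mime"].startswith("text/"):
        hits.append("image-ext-text-body")
    return hits

def check_tls(rec):
    """Return the list of rule names a TLS record trips (empty list = clean)."""
    hits = []
    if rec["sni"] == KNOWN_C2_DOMAIN:
        hits.append("known-ioc-domain")
    if rec["sni"].endswith(DDNS_SUFFIXES):
        hits.append("ddns-domain")
    if rec["version"] in LEGACY_TLS:
        hits.append("legacy-tls")
    if rec["port"] != 443:
        hits.append("tls-nonstd-port")
    return hits

def scan(http_records, tls_records):
    """Collect (summary, rules) pairs for every record that trips at least one rule."""
    alerts = [(f"{r['dst']}:{r['port']} GET {r['uri']}", check_http(r)) for r in http_records]
    alerts += [(f"{r['dst']}:{r['port']} SNI {r['sni']}", check_tls(r)) for r in tls_records]
    return [(summary, rules) for summary, rules in alerts if rules]
```

Each rule on its own is noisy in a real environment; the value is in the combination, so a practical deployment would score the hits rather than alert on any single one.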