forked from pan-unit42/tweets
2021-04-15-IOCs-for-AsyncRAT-activity.txt
2021-04-15 (THURSDAY) - ASYNC RAT FROM MALICIOUS EMAIL
HEADERS FROM EMAIL:
Received: from se4p-iad1.servconfig.com ([199.250.217.29])
by [recipient's mail server] with SMTP (Postfix)
for [recipient's email address];
Thu, 15 Apr 2021 14:03:28 +0000 (UTC)
Received: from ecres227.servconfig.com ([198.46.81.27])
by se4-iad1.servconfig.com with esmtps (TLSv1.2:AES128-GCM-SHA256:128)
(Exim 4.92)
(envelope-from <[email protected]>)
id 1lX2ZV-000UqZ-Cu; Thu, 15 Apr 2021 10:02:40 -0400
Received: from [::1] (port=56526 helo=ecres227.servconfig.com)
by ecres227.servconfig.com with esmtpa (Exim 4.94)
(envelope-from <[email protected]>)
id 1lX2YZ-006Q02-DF; Thu, 15 Apr 2021 10:01:19 -0400
Date: Thu, 15 Apr 2021 15:00:57 +0100
From: Lally Kim <[email protected]>
To: undisclosed-recipients:;
Subject: Re: PO 439531
LINK FROM THE EMAIL:
- hxxps://www.icloud[.]com/iclouddrive/0y1w8aFedVPKnAChlDh74q1KA#P.O%5FFwd_Please_Quote_PO-_PN.pdf
EXAMPLE OF URL GENERATED BY DOWNLOAD BUTTON FROM ICLOUD PAGE:
- hxxps://cvws.icloud-content[.]com/B/AXOikGN3oc5WAUAGZzNkMdi23pQ-AVchIErgLqymaw4RhiA0hDjMY8d0/P.O_Fwd%20Please%20Quote%20PO-%20PN.pdf.vbs?o=AvzyZUU9GdhpHVUGh19IdH2ZUwGGR6byEYBd4Fn4FkAi&v=1&x=3&a=CAogDzqsgCF7VJVM7FrbFFhtMjha4Pg2xkQIHr2GuHMtGxkSbxCMx-CvjS8YjKS8sY0vIgEAUgS23pQ-WgTMY8d0aidINkqvFGxQ2fS2aE6tM_gcTuok98BYPIJBF7CnRDYaGrVynSrMIxdyJ2U3oImUdrSTKcYDkvfFQhsQfnemAHYOdq1mV7Yi6KK09xOFmrXPgA&e=1618501112&fl=&r=728fabb0-ddb5-49de-9dc4-421c25a9ef49-1&k=j9MouszrGKnqm3G-G8uHuA&ckc=com.apple.clouddocs&ckz=com.apple.CloudDocs&p=20&s=iXtyJgVpxnSJK0ZapnJ_zuSf3fY&%20=29b68b60-44d3-4d82-8672-0aed6659043e
DOWNLOADED MALWARE VBS FILE:
- SHA256 hash: 3822efcf4cc76e1e0e8855d9f9c9ab5c236e118bf14fb004a9f048aa845de967
- File size: 138,719 bytes
- File name: P.O_Fwd Please Quote PO- PN.pdf.vbs
- File description: VBS installer for Async RAT
POWERSHELL SCRIPT FOR ASYNC RAT:
- SHA256 hash: 323a3dc7c54ac8653019de489d1411647d0a5c486d4cde836fa03fbab852be79
- File size: 96,744 bytes
- File location: C:\Users\[username]\AppData\Roaming\Temp\SysTray.PS1
- File description: PowerShell script for Async RAT
- Note: This is run through a Windows shortcut in the startup menu.
IP ADDRESSES, TCP PORTS, AND DOMAINS ASSOCIATED WITH THIS ASYNCRAT MALWARE SAMPLE:
- 5.62.58[.]11 port 8989 - Asin8989.ddns[.]net
- 5.62.58[.]11 port 8988 - asin8988.ddns[.]net
- 79.134.225[.]119 port 8989 - Asin8989.ddns[.]net
- 79.134.225[.]119 port 8988 - asin8988.ddns[.]net
- 197.210.71[.]132 port 8989 - Asin8989.ddns[.]net
- 197.210.71[.]132 port 8988 - asin8988.ddns[.]net
- 5.62.56[.]39 port 8988 - asin8988.ddns[.]net
- 5.62.56[.]39 port 8989 - Asin8989.ddns[.]net
- 5.62.56[.]37 port 8988 - asin8988.ddns[.]net
- 5.62.56[.]37 port 8989 - Asin8989.ddns[.]net