Symbol: win.ars_loader
Common name: ARS Loader
Aka: ARS VBS Loader


ARS Loader, also known as ARS VBS Loader, is written in Visual Basic Script. Its main purpose is to control an infected machine through a set of available commands, so it acts as a remote access trojan (RAT). Its code is based on ASPC, another Visual Basic Script malware, which in turn appears to be based on SafeLoader.

References
- 2018-10-05, Blueliv, Blueliv Labs Team: "ARS Loader evolution, a new stealer (ZeroEvil) and AirNaine (TA545)" (families: ARS VBS Loader, ZeroEvil)
- 2018-05-29, Twitter (@Racco42), Racco42: "Tweet on VBS Code Obfuscation" (families: ARS VBS Loader)
- 2018-04-16, Flashpoint, Mike Mimoso, Paul Burbage: "RAT Gone Rogue: Meet ARS VBS Loader" (families: ARS VBS Loader)
Yara Rules
[TLP:WHITE] win_ars_loader_w0 (20180529 | No description)
rule win_ars_loader_w0 { 
    meta:
        author = "Flashpoint Intel"
        reference = "https://www.flashpoint-intel.com/wp-content/uploads/2018/04/ARS-VBS-Loader-Yara-Rule.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader"
        malpedia_version = "20180529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings: 
        $a1 = "Array(" 
        $a2 = "crypted&" 
        $a3 = "execute(crypted)" 
        $b1 = "ToDecrypt" 
        $b2 = "replace(ToDecrypt," 
        $b3 = "execute(ToDecrypt)" 
        $c1 = "Randomize" 
        $c2 = "execute(" 
        $c3 = "Wscript.Sleep(" 
        $d1 = "changeCNC()" 
        $d2 = "downloadexecutep" 
        $d3 = "sGetAV" 
        $d4 = "AgonyMutex" 
        $d5 = "dos(hst, cnt)" 
    condition:  
        ((all of ($a*)) or 
        (all of ($b*)) or 
        (all of ($c*)) or 
        (all of ($d*))) 
}