win.ars_loader

ARS VBS Loader


ARS Loader, also known as ARS VBS Loader, is written in Visual Basic Script. Its main purpose is to control an infected machine through a set of operator commands, so it acts as a remote access trojan (RAT). Its code is based on ASPC, another Visual Basic Script malware family, which in turn appears to be derived from SafeLoader.

References
2018-10-05 | Blueliv | Blueliv Labs Team
"ARS Loader evolution, a new stealer (ZeroEvil) and AirNaine (TA545)"
https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/
Families: ARS VBS Loader, ZeroEvil

2018-05-29 | Twitter (@Racco42) | Racco42
"Tweet on VBS Code Obfuscation"
https://twitter.com/Racco42/status/1001374490339790849
Families: ARS VBS Loader

2018-04-16 | Flashpoint | Paul Burbage, Mike Mimoso
"RAT Gone Rogue: Meet ARS VBS Loader"
https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/
Families: ARS VBS Loader
Yara Rules
[TLP:WHITE] win_ars_loader_w0 (20180529 | No description)
rule win_ars_loader_w0 { 
    meta:
        author = "Flashpoint Intel"
        reference = "https://www.flashpoint-intel.com/wp-content/uploads/2018/04/ARS-VBS-Loader-Yara-Rule.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader"
        malpedia_version = "20180529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings: 
        $a1 = "Array(" 
        $a2 = "crypted&" 
        $a3 = "execute(crypted)" 
        $b1 = "ToDecrypt" 
        $b2 = "replace(ToDecrypt," 
        $b3 = "execute(ToDecrypt)" 
        $c1 = "Randomize" 
        $c2 = "execute(" 
        $c3 = "Wscript.Sleep(" 
        $d1 = "changeCNC()" 
        $d2 = "downloadexecutep" 
        $d3 = "sGetAV" 
        $d4 = "AgonyMutex" 
        $d5 = "dos(hst, cnt)" 
    condition:  
        ((all of ($a*)) or 
        (all of ($b*)) or 
        (all of ($c*)) or 
        (all of ($d*))) 
}
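The rule above fires when every string of any one of its four groups ($a, $b, $c, $d) is present. The following script is an added example, not part of the Malpedia page or the Flashpoint rule: it re-implements that condition in plain Python so the rule's behaviour can be exercised offline without the yara binary, and runs it over three constructed VBScript fragments (they are illustrative, not real ARS Loader samples). It also shows a caveat worth knowing before relying on $c: Yara text strings are case-sensitive unless `nocase` is set, and the rule spells the Sleep call `Wscript.Sleep(`, so a script using the common `WScript.Sleep(` spelling (legal, since VBScript identifiers are case-insensitive) does not satisfy group $c.

```python
"""Plain-Python model of the win_ars_loader_w0 matching logic (added example)."""
from __future__ import annotations

# The string groups, copied verbatim from the rule's "strings:" section.
# None of them carries a 'nocase', 'wide' or 'ascii' modifier, so each is a
# case-sensitive ASCII substring match.
RULE_GROUPS: dict[str, list[str]] = {
    "a": ["Array(", "crypted&", "execute(crypted)"],
    "b": ["ToDecrypt", "replace(ToDecrypt,", "execute(ToDecrypt)"],
    "c": ["Randomize", "execute(", "Wscript.Sleep("],
    "d": ["changeCNC()", "downloadexecutep", "sGetAV", "AgonyMutex", "dos(hst, cnt)"],
}


def matched_groups(data: bytes) -> list[str]:
    """Names of the groups for which *every* string occurs in `data`.

    A group with only some of its strings present counts as unmatched,
    mirroring Yara's "all of ($x*)".
    """
    return [
        name
        for name, strings in RULE_GROUPS.items()
        if all(s.encode("ascii") in data for s in strings)
    ]


def rule_matches(data: bytes) -> bool:
    """The rule's condition: (all of $a*) or (all of $b*) or (all of $c*) or (all of $d*)."""
    return bool(matched_groups(data))


# --- constructed test inputs (illustrative VBScript, not real malware) -------

# Stage-1 style decryption stub: builds a string from a byte Array and
# hands it to Execute. Covers every string in group $a.
SAMPLE_ARRAY_STUB = b"""Dim crypted, i
crypted = ""
For i = 0 To 4
    crypted=crypted&Chr(Array(104,101,108,108,111)(i))
Next
execute(crypted)
"""

# Beacon loop with a randomised sleep, spelled exactly as the rule expects.
# Covers every string in group $c.
SAMPLE_SLEEP_LOOP = b"""Randomize
Do
    Wscript.Sleep(Int(Rnd * 5000))
    execute(GetPayload())
Loop
"""

# Same loop, but with the Sleep call written as "WScript.Sleep(".
# Semantically identical VBScript, yet $c3 ("Wscript.Sleep(") no longer
# matches, so the rule does not fire on it.
SAMPLE_SLEEP_LOOP_MIXED_CASE = SAMPLE_SLEEP_LOOP.replace(b"Wscript.Sleep(", b"WScript.Sleep(")


def scan_samples() -> dict[str, list[str]]:
    """Run the rule model over the constructed samples; returns name -> matched groups."""
    samples = {
        "array_stub": SAMPLE_ARRAY_STUB,
        "sleep_loop": SAMPLE_SLEEP_LOOP,
        "sleep_loop_mixed_case": SAMPLE_SLEEP_LOOP_MIXED_CASE,
    }
    return {name: matched_groups(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, groups in scan_samples().items():
        verdict = "MATCH" if groups else "no match"
        print(f"{name:24s} {verdict:9s} groups={groups}")
```

When running this against real samples, remember that the model (like the rule) only sees the bytes as stored: a script saved as UTF-16 would need the `wide` modifier in the rule, and a second obfuscation layer that builds `Execute` via `Chr()` concatenation defeats the literal `execute(` strings entirely.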