Overview

overview

10

Static

static

Invoice ID...6).vbs

windows7_x64

10

Invoice ID...6).vbs

windows10_x64

10

Analysis

  • max time kernel
    26s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08-01-2021 17:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice ID-(4387206).vbs

  • Size

    1KB

  • MD5

    83f5dfe54337970c464b58db9d990bbc

  • SHA1

    c3da46773165a805307eea544a5c1498bfd96e26

  • SHA256

    0089fe3a660c1a3fba7039e03482aed3b0a7d82b72e4c38e4b5da8612fe7247c

  • SHA512

    cd2123990037cbf5eebbe818ff0d117dde71b4ed9882aef92b6471bbc71d9ef7ed664dff7798463810debcfcb3a94bbadd25c97013a57ba12da4b2e2f4c5fceb

Score
10/10
asyncratrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia801507.us.archive.org/34/items/3_20210106/3.txt

Extracted

Family

asyncrat

Version

0.5.7B

C2

clayroot2016.linkpc.net:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    Kf16onJhATpNbuJfsFjEdXd4221e8Y7w

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    clayroot2016.linkpc.net

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    6666

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice ID-(4387206).vbs"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\OAP\Microsoft.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\Microsoft.ps1
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2176
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Microsoft.ps1
    MD5

    939ee63cf8ac3f8e78f594373f5d030a

    SHA1

    5f551c62b88f55c586053305262be35b3d928408

    SHA256

    fc09d030993fb16d785c7287fbdbd9cf7f4f102b81ef5e73148b8b1830e74f17

    SHA512

    68b1a9b5244187d508a182866d1aa8745ee73eb6d2b6c4ab5c954b00e51910f741dd1a0dc3e456c65f984a1fc1ef1e5a2b6da73d77b2b311c41ffd2a32ca6600

    Download Submit
  • C:\Users\Public\OAP\Microsoft.vbs
    MD5

    d49fe88c24fa3082693cefa7cab09178

    SHA1

    78930a721e3d515b23a4db013919831d60394c6e

    SHA256

    f7c47384a5bda0a0235a0807b22e2ca09b96ab4a488f7538ea9f7bcdfe970c47

    SHA512

    0215756f8f112158fbdf2af9b60d32486e082a59282552e3912deee889994adfeee683fc55431d338a144abe679b20e79652beae1f9c191dd5750c05a028bb86

    Download Submit
  • memory/1192-2-0x0000000000000000-mapping.dmp
    Download
  • memory/2084-11-0x000000000040B5CE-mapping.dmp
    Download
  • memory/2084-10-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2084-12-0x0000000073AD0000-0x00000000741BE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2084-15-0x0000000005CB0000-0x0000000005CB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2084-16-0x0000000006250000-0x0000000006251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2084-17-0x0000000005D50000-0x0000000005D51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2176-6-0x00000298B5FF0000-0x00000298B5FF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2176-7-0x00000298D03B0000-0x00000298D03B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2176-5-0x00007FFA6AFB0000-0x00007FFA6B99C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2176-9-0x00000298D0340000-0x00000298D0343000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2176-4-0x0000000000000000-mapping.dmp
    Download