Analysis
- max time kernel: 86s
- max time network: 110s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-04-2022 12:26

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: mevlbkxshp.ps1
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: mevlbkxshp.ps1
  Resource: win10v2004-20220414-en
General
- Target: mevlbkxshp.ps1
- Size: 119KB
- MD5: cc55cf5d17726a6137c51fecff65659f
- SHA1: 039339bd25e0a3a6183d1c848007377f939eeb04
- SHA256: 2d97a2fb3bb70289266079670be42efa882a361e922dee6a109884222b3336d6
- SHA512: 8df91c615f07b9b722616a4e43a6869ce701d4eb82be43c2e7eaee43845f5b61e657c918d741d65459b7fe9c96ebde4ff6811398f1e63e57d205e9411bfb905a
Malware Config
Extracted
- Family: asyncrat
- Version: 1.0.7
- Botnet: Default
- C2: rick63.publicvm.com:5900
- Mutex: DcRatMutex_qwqdanchun
- Attributes:
  delay: 1
  install: false
  install_folder: %AppData%
Signatures

- Meta Stealer (Stealer)
  Meta Stealer steals passwords stored in browsers, written in C++.

- Async RAT payload (2 IoCs)
  resource: behavioral2/memory/2256-144-0x0000000000400000-0x0000000000412000-memory.dmp; yara_rule: asyncrat
  resource: behavioral2/memory/2256-145-0x000000000040CBCE-mapping.dmp; yara_rule: asyncrat

- Drops startup file (1 IoC)
  description: File created; ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroSoftOutlookLauncher.vbs; Process: powershell.exe

- Suspicious use of SetThreadContext (1 IoC)
  description: PID 924 set thread context of 2256; pid: 924; Process: powershell.exe; procid_target: 81

- Delays execution with timeout.exe (1 IoC)
  pid: 4716; Process: timeout.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 924; Process: powershell.exe
  pid: 924; Process: powershell.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege; pid: 924; Process: powershell.exe
  description: Token: SeDebugPrivilege; pid: 2256; Process: RegSvcs.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
  description: PID 924 wrote to memory of 1148; pid: 924; Process: powershell.exe; procid_target: 79
  description: PID 924 wrote to memory of 1148; pid: 924; Process: powershell.exe; procid_target: 79
  description: PID 1148 wrote to memory of 4044; pid: 1148; Process: csc.exe; procid_target: 80
  description: PID 1148 wrote to memory of 4044; pid: 1148; Process: csc.exe; procid_target: 80
  description: PID 924 wrote to memory of 2256; pid: 924; Process: powershell.exe; procid_target: 81
  description: PID 924 wrote to memory of 2256; pid: 924; Process: powershell.exe; procid_target: 81
  description: PID 924 wrote to memory of 2256; pid: 924; Process: powershell.exe; procid_target: 81
  description: PID 924 wrote to memory of 2256; pid: 924; Process: powershell.exe; procid_target: 81
  description: PID 924 wrote to memory of 2256; pid: 924; Process: powershell.exe; procid_target: 81
  description: PID 924 wrote to memory of 2256; pid: 924; Process: powershell.exe; procid_target: 81
  description: PID 924 wrote to memory of 2256; pid: 924; Process: powershell.exe; procid_target: 81
  description: PID 924 wrote to memory of 2256; pid: 924; Process: powershell.exe; procid_target: 81
  description: PID 2256 wrote to memory of 4016; pid: 2256; Process: RegSvcs.exe; procid_target: 83
  description: PID 2256 wrote to memory of 4016; pid: 2256; Process: RegSvcs.exe; procid_target: 83
  description: PID 2256 wrote to memory of 4016; pid: 2256; Process: RegSvcs.exe; procid_target: 83
  description: PID 4016 wrote to memory of 4716; pid: 4016; Process: cmd.exe; procid_target: 85
  description: PID 4016 wrote to memory of 4716; pid: 4016; Process: cmd.exe; procid_target: 85
  description: PID 4016 wrote to memory of 4716; pid: 4016; Process: cmd.exe; procid_target: 85
Processes (process tree; depth shown by indentation)

1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\mevlbkxshp.ps1
   PID: 924
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r4ilfja1\r4ilfja1.cmdline"
      PID: 1148
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES743.tmp" "c:\Users\Admin\AppData\Local\Temp\r4ilfja1\CSC699E1115E2D447618342C435251A2B6D.TMP"
         PID: 4044

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2256
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp73C8.tmp.bat""
         PID: 4016
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 3
            PID: 4716
            - Delays execution with timeout.exe