Overview

overview

10

Static

static

b.ps1

windows7-x64

10

b.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    141s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2022 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b.ps1

  • Size

    310KB

  • MD5

    220e9238b05cb802d63f7d79d11b2a32

  • SHA1

    77324ddee92b5ee1c2d50680ea15dd6e28ef402b

  • SHA256

    248d8893d926c765d168bd48211650094dbcf8a8988c448f3b271c41bec8ca9d

  • SHA512

    748f9149ceaa46789938d66a87dad5c92a9beea65a7c84c07fa42378fdee70b1340d777fcfc78efcd85254660fd4a858fe10bd83464564cde7b12c01ebbcdb7a

  • SSDEEP

    6144:bgkc0c/OjocmHEk4Oz7XzoUdd9qkcM1E1nvwmtPEeJDCiRO9jEYMJD:bgkc0c/OjocmH5XXEUdd97t2Vvwm1Ee3

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

XieBroRAT-1.7

Botnet

Default

C2

127.0.0.1:8880

8079048a.e2.luyouxia.net:8880
Mutex

gorousdwoqxqqq

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b.ps1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1500-54-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1500-55-0x000007FEF4310000-0x000007FEF4D33000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/1500-56-0x000007FEF37B0000-0x000007FEF430D000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1500-57-0x0000000002674000-0x0000000002677000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1500-58-0x000000000267B000-0x000000000269A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1500-59-0x000000001B6C0000-0x000000001B6D2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1500-60-0x000000001B630000-0x000000001B645000-memory.dmp
    Filesize

    84KB

    Download
  • memory/1500-61-0x0000000002674000-0x0000000002677000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1500-62-0x000000000267B000-0x000000000269A000-memory.dmp
    Filesize

    124KB

    Download