Overview

overview

10

Static

static

1

PMOy4QqKcU...PF.zip

windows7-x64

1

PMOy4QqKcU...PF.zip

windows10-2004-x64

1

1.bat

windows7-x64

1

1.bat

windows10-2004-x64

1

detonator.cmd

windows7-x64

4

detonator.cmd

windows10-2004-x64

7

dqjg.ps1

windows7-x64

1

dqjg.ps1

windows10-2004-x64

1

dqjg.vbs

windows7-x64

1

dqjg.vbs

windows10-2004-x64

3

th5rk551.uku.ps1

windows7-x64

1

th5rk551.uku.ps1

windows10-2004-x64

1

vuso.ps1

windows7-x64

1

vuso.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    40s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-07-2023 13:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vuso.ps1

  • Size

    154KB

  • MD5

    07f743d7d5bff6f276abdf9c782e3f91

  • SHA1

    7dd2d5f5e1a7857b7173629139a7d1916b3977b2

  • SHA256

    3aa145e796c24355657a378a74fcde3edd401736b75ec6446c085f813069c5d9

  • SHA512

    357b9da6abf72319ddd7cd917e1deb36bf149c96388cfc7500c7cf0d321aba8dfcde8fb61f66e8128b5308330f27687d60d073b236a436994b33427ef60d2490

  • SSDEEP

    3072:xpNVyYnJt0WOUkX6U1O315T3Apmf+QIQG:xpmYnz03Uk2315T3Apmf+QI7

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

C2

hognyusket.com:6606

hognyusket.com:7707

hognyusket.com:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\vuso.ps1
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1k3b0ehi.0rk.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1348-146-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1348-148-0x0000000005620000-0x0000000005630000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1348-151-0x0000000005FE0000-0x000000000607C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1348-152-0x0000000006630000-0x0000000006BD4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1348-153-0x00000000060F0000-0x0000000006156000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1348-154-0x0000000005620000-0x0000000005630000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5060-142-0x0000021073550000-0x0000021073572000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5060-143-0x0000021058DF0000-0x0000021058E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5060-145-0x0000021058DF0000-0x0000021058E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5060-144-0x0000021058DF0000-0x0000021058E00000-memory.dmp

    Filesize

    64KB

    Download