Overview

overview

10

Static

static

1

powershell.bat

windows7-x64

10

powershell.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    57s
  • max time network
    58s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/06/2024, 01:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    powershell.bat

  • Size

    111KB

  • MD5

    03da5f58a0bdb43aaa8f2e33e041c3a4

  • SHA1

    131d67d49353814130e9dc8e292161a00989a9b0

  • SHA256

    f832991a5ecf5721f059ad2995b70ec91b1f818b2da49e52031a561a14f85eb1

  • SHA512

    49801fcfad32719d6158f565755e194760b7cd6b572c7fd16858ce4fb531b6242d881505bceee370b31f07fc8a8e63fceb67e989d3ddf6c9ca199a72f26c39e5

  • SSDEEP

    1536:zTEz4CNAz9vD/fajMlajScTrRaH49XEXNHXcX5XX/z85fPxDbqKj/2zbXg9xbUKn:sl++g8HzbXy

Score
10/10
asyncratrat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\powershell.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4152
    • C:\Windows\system32\certutil.exe
      certutil -decodehex temp.hex powershell.exe
      2⤵
        PID:4632
      • C:\Users\Admin\AppData\Local\Temp\powershell.exe
        powershell.exe
        2⤵
        • Executes dropped EXE
        PID:3764

    Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\powershell.exe
            Filesize

            50KB

            MD5

            50da1353367e1d1ff85bc8ff9ae0e380

            SHA1

            2761f558421f207bff9f20a4be0a7ff6bbfb813b

            SHA256

            dbb26483b24bc8db9e89bb9c31ee58b7f55bc1af4081cf63dea45da2c134cb3b

            SHA512

            93d958e452dac5f2c2a50ee3489b1589e088e5e95fad6bba2a6f80c162d6cb676ed7c283489b8af7b43adcc579841471ad22cb2a814d6d62a51672cf162c56b2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\temp.hex
            Filesize

            103KB

            MD5

            f1e67289db4a8c6374e2c25f6c4acf2d

            SHA1

            15f4b4f49440a6e391e1c9b3884278df70cc93ba

            SHA256

            df81f531a7d3dbee929f8e5bc59e89863d3ea4588658161e344f7f1e454734a5

            SHA512

            debd19b4b3749b5c558cccb5ab8c51604ca0d7d8eb2a5c43259cf433ebd27301218119189fc5c49d91b272cb9535bba73c57a96777abc5a2a752e3e0f11489f3

            Download Submit

          • memory/3764-7-0x00007FF800FD3000-0x00007FF800FD5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3764-6-0x0000000000230000-0x0000000000242000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3764-8-0x00007FF800FD0000-0x00007FF801A91000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3764-9-0x00007FF800FD0000-0x00007FF801A91000-memory.dmp

            Filesize

            10.8MB

            Download