Overview

overview

10

Static

static

1

test.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    104s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2025 00:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test.vbs

  • Size

    633B

  • MD5

    8442b0a561a39e4d82b56835c5b666ef

  • SHA1

    f1e116a9e31e0b5e66be020bb75d0cd40d3a9840

  • SHA256

    e91990a5e2167c5d030656420a5cc77e10af179c43243da11a99e4286b0dcec3

  • SHA512

    c26b3785aba0147e166632023c83c6568811c9d74f5747a78f772f3b891faedc0731abcf29cda634cde265f8bb8699fccad775eff3b45f76c0c3a29fa694570c

Score
10/10
asyncratgdfjbxc9asdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

GDFjbxc9as

Mutex

Gx0edRwRzsDs0gzwQ

Attributes
  • delay

    1

  • install

    true

  • install_file

    GoogleUpdates.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/QLnQD5yh

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 9 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 54 IoCs
  • Suspicious use of SendNotifyMessage 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Users\Admin\AppData\Local\Temp\Stub.exe
      "C:\Users\Admin\AppData\Local\Temp\Stub.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Users\Admin\AppData\Local\Temp\Client.exe
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        3⤵
        • Executes dropped EXE
        PID:5060
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4020
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4628
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.vbs"
      1⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Users\Admin\AppData\Local\Temp\Stub.exe
        "C:\Users\Admin\AppData\Local\Temp\Stub.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3352
        • C:\Users\Admin\AppData\Local\Temp\Client.exe
          "C:\Users\Admin\AppData\Local\Temp\Client.exe"
          3⤵
          • Executes dropped EXE
          PID:2280
    • C:\Users\Admin\AppData\Local\Temp\Stub.exe
      "C:\Users\Admin\AppData\Local\Temp\Stub.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4048
      • C:\Users\Admin\AppData\Local\Temp\Client.exe
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        2⤵
        • Executes dropped EXE
        PID:4528
    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      1⤵
      • Executes dropped EXE
      PID:512

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C
      Filesize

      280B

      MD5

      0b7b99955611742c57c24ed32a500ddb

      SHA1

      931a0915ccc82612eb494cd18a7e32b3f1815465

      SHA256

      e971e6fcead490fb5a6ea2b9f0c8b98d4a591e32d0a9d3537dde6241f7e357c4

      SHA512

      b320ac73bf895739a8c31031e525b766900e2b03948d452640d07dc8d19ced3de83d913588ab50cec692daa4cc9c858266db380b0073dfd9e0014e021f7d85cc

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
      Filesize

      1KB

      MD5

      2b00dbae7c021b16f2cb7e9b739e11f6

      SHA1

      dc08a5103ba04fc9f5b933e062f635f0115c4e27

      SHA256

      5ab33ba8bc319d050ce7a705a98c1b8744fda821bbc72fb9f5f8b03f89288bf7

      SHA512

      60bafad64bdddd34240329500ead1bd6dd5c66dd0351109d36127a0d9edf13626649c6e5b8f6a063277a4b5b33603d972d6af3ac888a4b8c194c9a41522a2698

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90
      Filesize

      980B

      MD5

      78062d01d408d39d1712cbf48d31786a

      SHA1

      02f1f15fcba5b486e64b907892bc1d699c9634f6

      SHA256

      d2a98ed2ffae3b7bd8b7608b040f49488e0d930dd9bf2eb2772deb9c884508ee

      SHA512

      5b4784b18560810dae50a67a7883778a97ad97f24ce762da78bdbca87972a0d63938d23d393fbd952f8623709c31e0e1b984e84d3ff1d8bb80d9e4adcf98a326

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
      Filesize

      471B

      MD5

      af60930ca766a633f85878d43f541fae

      SHA1

      925e89f5108e57d40bd4abc4a10eaca0401b0ac3

      SHA256

      d9d4ae14bfcd328b8b69ee1ef5c713e2a97ab55065ecfe3d35a6ce6cff58772a

      SHA512

      9e5bb65a515bd1c7701c81ba77b7fcabd9416a000d6cb4cb5de22f030111328e9ffd3712ffbc2070d82e836c921b78afae6b69ccd8ae7f3cdd1b8f2277d8610a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C
      Filesize

      480B

      MD5

      bbfe685cb0342e587d5431ada0021671

      SHA1

      54f45522ceac35479fec33791cb0abaa2aa7555f

      SHA256

      49ea40f86e687421a7ace79cceedd0d82be4065aed81495485e5c13eb8e44e14

      SHA512

      06f2b28b1821c43dbd005d4b60ad8b5c5b21118ee211bc8ce61085c2b475c04d69ad618232e3eb1846aa741e26e043f9c1bae9c12ea7704d41030a9323d92951

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
      Filesize

      482B

      MD5

      3a8709ae2fe9f7faa290afc764f69f0d

      SHA1

      0cb18e26420d8c94123d7d83258e1e80a926075c

      SHA256

      58a1678101c893fa02d3bcf0b9899daf7dd5f9871cdf3fa1c595b8a2d57617a9

      SHA512

      50e28092b475200384b57ed5c67e9d3628cf098909e4c791b0d4b023a1f688d2f5422cf8770b1d47fe90f644aad8ff11cfad8c6651aa6f50915c4d0be9175451

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90
      Filesize

      480B

      MD5

      6b313f6fa815d51a94d7e8ef0743fd62

      SHA1

      b7ffc149b688c2a593e3471adbff4ab890e3b72a

      SHA256

      06544aa40fcb76682b641c554432fb2a2fea6ad63de0441d38fc5b7825fe2a9a

      SHA512

      29eacf770243ac22cdb26bed79413bcde77f31df1bd2c3989df7ac9b07a304cb4ece46ebe85e547efa43d2f900cf675d306e590b0f0a24935f4a422f93fe994f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
      Filesize

      412B

      MD5

      501e5ae116539f2c347247779a5821d3

      SHA1

      ca528c63a838f09dc517e7120fd8bf9722ee25b1

      SHA256

      6a58cf00d3c8fcfcc6f7fc7e54e3d8e666f82377193bc9a34a9877717cdf594d

      SHA512

      fa4cc9aa2c2b1256a4ffdba180ee38122568db70ab64f91beec5dad0687af62be4cdab6e216889a5ed05103f4f93b5ec7dce7d83bc5f76fad34e79350551812e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      Filesize

      48KB

      MD5

      3d5d9fcc50f0ee536db107a2bb181f2d

      SHA1

      5b05d924177a9adf852abefa4d0afa77082b8370

      SHA256

      febd0d25c9dcea243c4cd39dbf90178d970fbfd6305555291176aaa86bcfb391

      SHA512

      143f6ff7522c798802da4dce511a671a2f43ee2c1368a1bfb8455f181956bcb97e89bfe42a21b1b4d21814bea92fdbdfd423cdef5d6540f447da4a84d521ffb6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Stub.exe
      Filesize

      103KB

      MD5

      02075363168c82697c7726c175740b6e

      SHA1

      0adf648a0c0eb63cfa5dc2057feab117bc8ea0cd

      SHA256

      733abf5dda85c41d1ce08b60175da38c3b84fac864ad0c06e225530ac30332e1

      SHA512

      d381292bac696d0f95682264ce144e13f31bbe4d0dc34b5c277874278155768824c2bf14904f297e3aa9a321dd6790084129cb6c9e91d05ca318ee0d75e36094

      Download Submit

    • memory/2804-37-0x0000000000400000-0x000000000054D000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2804-22-0x0000000000400000-0x000000000054D000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3352-83-0x0000000000400000-0x000000000054D000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4048-98-0x0000000000400000-0x000000000054D000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4628-40-0x000001C994A10000-0x000001C994A11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4628-47-0x000001C994A10000-0x000001C994A11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4628-48-0x000001C994A10000-0x000001C994A11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4628-49-0x000001C994A10000-0x000001C994A11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4628-50-0x000001C994A10000-0x000001C994A11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4628-51-0x000001C994A10000-0x000001C994A11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4628-46-0x000001C994A10000-0x000001C994A11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4628-52-0x000001C994A10000-0x000001C994A11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4628-42-0x000001C994A10000-0x000001C994A11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4628-41-0x000001C994A10000-0x000001C994A11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5060-38-0x00000000006E0000-0x00000000006F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5060-39-0x00007FFA0F953000-0x00007FFA0F955000-memory.dmp

      Filesize

      8KB

      Download