Friday, November 17, 2023

Quick sample analysis which ended up dropping AsyncRAT

I came across a sample that involved traffic to 91.92.242.28:222.

There is a sandbox report here: https://tria.ge/231113-v9lgtaec41

I only looked at it because it involved so many files.

This is a very quick and lazy analysis. I didn't spend time decompiling the .NET.

At the time of analysis, the server hosting it had an open directory.

There is a script and a .jpg file, which is actually a zip archive.


The script downloads the zip, extracts it to the Public folder, and initially starts the f1.vbs file.

The zip archive contains several files:


f1.vbs ends up launching f1.bat


f1.bat ends up launching PowerShell with f1.ps1


PowerShell sets up a scheduled task to launch tron.vbs


tron.vbs launches tron.bat


tron.bat launches tron.ps1


This is where things get kinda interesting (relative to all the stuff above...)

The PowerShell script has functions to decode/deobfuscate the other files.


If we look at the runpe and msg files, which the script loads next, it's pretty easy to see a partial MZ header.
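Both tricks above (a .jpg that is really a zip, and "text" files that decode to PE images) come down to the file contents not matching the extension. The following is an added example, not code from the post, that triages a set of files by magic bytes: it recognises ZIP, JPEG and PE by their signatures, walks the DOS header's e_lfanew field to confirm a real PE rather than a stray "MZ" pair, and flags any file whose extension says one thing and whose bytes say another. All sample blobs are constructed in the script; the real samples from the post are not included.

```python
import struct
from typing import Dict, Optional, Tuple


def pe_offset(data: bytes) -> Optional[int]:
    """Return the offset of an embedded PE image in data, or None.

    Scans for 'MZ' and confirms that the DOS header's e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature. This rejects random
    'MZ' byte pairs and also finds a PE that sits behind a prefix, which
    is what a partially decoded blob looks like.
    """
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def identify(data: bytes) -> str:
    """Classify a blob by its magic bytes: 'zip', 'jpeg', 'pe' or 'unknown'."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if pe_offset(data) == 0:
        return "pe"
    return "unknown"


# What each extension is expected to contain; None means "no binary container expected".
EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg", ".zip": "zip", ".exe": "pe", ".dll": "pe"}


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the bytes reveal a container type the extension does not claim."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    actual = identify(data)
    return actual != "unknown" and actual != EXPECTED.get(ext)


def triage(files: Dict[str, bytes]) -> Dict[str, Tuple[str, bool]]:
    """Map each file name to (detected type, extension mismatch flag)."""
    return {name: (identify(data), extension_mismatch(name, data)) for name, data in files.items()}


def _fake_pe() -> bytes:
    """Constructed minimal PE-like header: DOS stub with e_lfanew=0x80, then 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)            # e_lfanew -> 0x80
    hdr += b"\x00" * (0x80 - len(hdr))                 # pad to the NT headers
    hdr += b"PE\x00\x00" + b"\x4c\x01"                 # signature + machine (i386)
    return bytes(hdr)


# Constructed sample set mirroring the shapes seen in the post (not the real files).
SAMPLES: Dict[str, bytes] = {
    "photo.jpg": b"PK\x03\x04\x14\x00" + b"\x00" * 26 + b"f1.vbs",   # zip disguised as jpg
    "real.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",                  # genuine JPEG header
    "runpe.txt": _fake_pe(),                                          # PE hiding in a .txt
    "f1.vbs": b"' plain script text\r\n",                             # ordinary text file
}


if __name__ == "__main__":
    for name, (kind, flagged) in triage(SAMPLES).items():
        print(f"{name:12} {kind:8} {'MISMATCH' if flagged else 'ok'}")
```

The e_lfanew check is what makes the "pe" verdict trustworthy on decoded output: a blob that only half-decoded will still show "MZ" but the pointer at 0x3C will not land on a valid signature, which tells you the deobfuscation routine was not fully reproduced.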



Next it loads the text from the files for execution.




It would finally run this:

$Coment holds the runpe.txt data and $JR holds the msg.txt data. In other words, the decoded runpe assembly is loaded straight from memory, its NewPE2.PE.Execute method is looked up by name, and it is called with aspnet_compiler.exe as the host process and the decoded msg payload as the image to run inside it.

$u = [Reflection.Assembly]

$u::Load($Coment).GetType('NewPE2.PE').GetMethod('Execute').Invoke($null, [object[]] ('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe', $null, $JR, $true))

https://learn.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load?view=net-7.0 
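The shape of that last line (a Reflection.Assembly type reference, a static Load of a byte array, GetMethod followed by Invoke, and an .exe path handed in as the injection host) is a useful thing to hunt for in PowerShell script blocks. Below is an added example, not part of the post, of a small indicator-based scanner for that chain. The two script bodies it runs on are constructed: LOADER repeats the call from the post with the blob variables as they appear, and BENIGN is an ordinary admin script that also touches reflection, to show that one indicator alone should not fire.

```python
import re
from typing import Dict, List

# Each indicator is one link of the reflective-load-and-invoke chain. PowerShell is
# case-insensitive, so every pattern is compiled with re.I.
INDICATORS: Dict[str, "re.Pattern"] = {
    # type accelerator for System.Reflection.Assembly, with or without the namespace prefix
    "assembly_type": re.compile(r"\[(System\.)?Reflection\.Assembly\]", re.I),
    # static Load() on that type, called directly or through a variable holding the type
    "assembly_load": re.compile(r"::Load\s*\(", re.I),
    # late-bound call: method looked up by name, then Invoke()
    "getmethod_invoke": re.compile(r"\.GetMethod\s*\(.*?\)\s*\.Invoke\s*\(", re.I | re.S),
    # an absolute .exe path among the Invoke() arguments: the host process of a RunPE-style loader
    "host_exe_argument": re.compile(r"\.Invoke\s*\(.*?[A-Za-z]:\\[^,)\s]+\.exe", re.I | re.S),
}


def scan_script(text: str) -> List[str]:
    """Return the names of the indicators present in a PowerShell script body."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def is_suspicious(text: str, threshold: int = 3) -> bool:
    """Flag a script only when most of the chain is present, not on a single hit."""
    return len(scan_script(text)) >= threshold


# Constructed test inputs. LOADER is the final call from the post; BENIGN is a
# harmless script that also references System.Reflection.Assembly.
LOADER = r"""
$u = [Reflection.Assembly]
$u::Load($Coment).GetType('NewPE2.PE').GetMethod('Execute').Invoke($null,[object[]] ('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,$JR,$true))
"""

BENIGN = r"""
$asm = [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms')
[System.Windows.Forms.MessageBox]::Show('Backup complete')
"""


if __name__ == "__main__":
    for label, body in (("LOADER", LOADER), ("BENIGN", BENIGN)):
        hits = scan_script(body)
        print(f"{label}: {len(hits)} indicator(s) {hits} -> suspicious={is_suspicious(body)}")
```

The threshold matters more than any single regex: reflection and Invoke each appear in plenty of legitimate automation, but the combination of an in-memory Load, a name-based method lookup and a host executable path in the argument list is what describes an injector rather than a normal script. Feeding this the script block text from PowerShell logging (event ID 4104) rather than files on disk also catches the case where, as here, the real script only exists after several layers of decoding.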


I saved the PE files after they were decoded/deobfuscated.

msg was AsyncRAT:

https://www.virustotal.com/gui/file/a11cc3de26de3241be5f24c8c0d3e44b16e4fee35b8a306026e86590ccd8a0c1?nocache=1

runpe was the injector:

https://www.virustotal.com/gui/file/a550a06a66009040462411867fce966b24499290d08bac8b3596f715cd5c6596?nocache=1


So many files and so much execution just to drop AsyncRAT.