asyncrat | 070f3d73cf4c3b2c0cfbf7f1e3e8f7f659a61fafed1dcf75691b402e34f539e1

General

Target

Microsoft.ps1
Size

779KB
MD5

202491949283ca454f7a5ad9467d2c35
SHA1

ab57577bf573f33d61f279dcddbff424a2c4ba29
SHA256

070f3d73cf4c3b2c0cfbf7f1e3e8f7f659a61fafed1dcf75691b402e34f539e1
SHA512

9aac65a71ccc895b86ba115c3c899dbc7f88d153b925f03da72af10bb2dda3d014c15c9f5f333a6f18a13e5cf5f1334e95033b856c83aa19024ca5c4028cb4cc

Score

10^/10

asyncrat warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

5.206.224.194:3080

Extracted

Family

asyncrat

Version

0.5.7B

C2

14.191.50.101:8080

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
qyv1ismvAgNTQ98WMOnwHYsv8UB8SL5j
anti_detection
false
autorun
false
bdos
false
delay
Default
host
14.191.50.101
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
8080
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1328-146-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/1328-147-0x000000000040C6EE-mapping.dmp	asyncrat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4056-136-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/4056-137-0x0000000000405738-mapping.dmp	warzonerat
behavioral2/memory/4056-140-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 3932 set thread context of 4056	3932	powershell.exe	aspnet_compiler.exe
PID 3932 set thread context of 1328	3932	powershell.exe	aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3932 powershell.exe
3932 powershell.exe
3932 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3932 powershell.exe

pid	process
3932	powershell.exe
3932	powershell.exe
3932	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3932	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 3932 wrote to memory of 4056	3932	powershell.exe	aspnet_compiler.exe
PID 3932 wrote to memory of 4056	3932	powershell.exe	aspnet_compiler.exe
PID 3932 wrote to memory of 4056	3932	powershell.exe	aspnet_compiler.exe
PID 3932 wrote to memory of 4056	3932	powershell.exe	aspnet_compiler.exe
PID 3932 wrote to memory of 4056	3932	powershell.exe	aspnet_compiler.exe
PID 3932 wrote to memory of 4056	3932	powershell.exe	aspnet_compiler.exe
PID 3932 wrote to memory of 4056	3932	powershell.exe	aspnet_compiler.exe
PID 3932 wrote to memory of 4056	3932	powershell.exe	aspnet_compiler.exe
PID 3932 wrote to memory of 4056	3932	powershell.exe	aspnet_compiler.exe
PID 3932 wrote to memory of 4056	3932	powershell.exe	aspnet_compiler.exe
PID 3932 wrote to memory of 4056	3932	powershell.exe	aspnet_compiler.exe
PID 3932 wrote to memory of 1328	3932	powershell.exe	aspnet_compiler.exe
PID 3932 wrote to memory of 1328	3932	powershell.exe	aspnet_compiler.exe
PID 3932 wrote to memory of 1328	3932	powershell.exe	aspnet_compiler.exe
PID 3932 wrote to memory of 1328	3932	powershell.exe	aspnet_compiler.exe
PID 3932 wrote to memory of 1328	3932	powershell.exe	aspnet_compiler.exe
PID 3932 wrote to memory of 1328	3932	powershell.exe	aspnet_compiler.exe
PID 3932 wrote to memory of 1328	3932	powershell.exe	aspnet_compiler.exe
PID 3932 wrote to memory of 1328	3932	powershell.exe	aspnet_compiler.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Microsoft.ps1
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:4056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:1328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1328-147-0x000000000040C6EE-mapping.dmp

Download
memory/1328-152-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/1328-146-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3932-120-0x000001B5766D3000-0x000001B5766D5000-memory.dmp

Filesize
8KB

Download
memory/3932-121-0x000001B5786B0000-0x000001B5786B1000-memory.dmp

Filesize
4KB

Download
memory/3932-126-0x000001B578860000-0x000001B578861000-memory.dmp

Filesize
4KB

Download
memory/3932-131-0x000001B578800000-0x000001B57881F000-memory.dmp

Filesize
124KB

Download
memory/3932-119-0x000001B5766D0000-0x000001B5766D2000-memory.dmp

Filesize
8KB

Download
memory/3932-138-0x000001B5766C0000-0x000001B5766C1000-memory.dmp

Filesize
4KB

Download
memory/3932-139-0x000001B5766D6000-0x000001B5766D8000-memory.dmp

Filesize
8KB

Download
memory/3932-151-0x000001B578850000-0x000001B578851000-memory.dmp

Filesize
4KB

Download
memory/4056-137-0x0000000000405738-mapping.dmp

Download
memory/4056-140-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4056-136-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads