asyncrat | d5a8b6cb7b39d6f71ce67c6c8e17030079f2778087ee12c0ad45bd823f7bd53c

Analysis

max time kernel
149s
max time network
182s
platform
windows7_x64
resource
win7v20210408
submitted
17-07-2021 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ms.bin.exe
Size

1.0MB
MD5

dbbb611daf3abd47972ae4faf5d54c95
SHA1

1b33772f2acc9e6673a2922587b00db86f5fba01
SHA256

d5a8b6cb7b39d6f71ce67c6c8e17030079f2778087ee12c0ad45bd823f7bd53c
SHA512

140b2d0d6ac049943f5f2c8e3bfa7ca1ad773b0878cf92f825baa2769930d068b6b2601786f94f40daf15f199b2cb9b6ce6c016130025e5f04a103ee78b06bb9

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

null:null

Mutex

Mutex_6SI8OkPnk

Attributes

aes_key
ZgOTIhSVzSTSosv4ITYrzailHXWOHyEM
anti_detection
true
autorun
true
bdos
false
delay
SWARM-SHOP
host
null
hwid
20
install_file
install_folder
%AppData%
mutex
Mutex_6SI8OkPnk
pastebin_config
https://pastebin.com/raw/VTByvKGM
port
null
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE	asyncrat
C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE	asyncrat
C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE	asyncrat
\Users\Admin\AppData\Roaming\astro-grep.exe	asyncrat
C:\Users\Admin\AppData\Roaming\astro-grep.exe	asyncrat
C:\Users\Admin\AppData\Roaming\astro-grep.exe	asyncrat

Executes dropped EXE 3 IoCs

Processes:

ASTRO-GREP.EXEASTROGREP_SETUP_V4.4.7.EXEastro-grep.exe

pid process

1232 ASTRO-GREP.EXE
1468 ASTROGREP_SETUP_V4.4.7.EXE
1964 astro-grep.exe
Loads dropped DLL 6 IoCs

Processes:

ms.bin.exeASTROGREP_SETUP_V4.4.7.EXEcmd.exe

pid process

1924 ms.bin.exe
1924 ms.bin.exe
1468 ASTROGREP_SETUP_V4.4.7.EXE
1468 ASTROGREP_SETUP_V4.4.7.EXE
1468 ASTROGREP_SETUP_V4.4.7.EXE
628 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1232	ASTRO-GREP.EXE
1468	ASTROGREP_SETUP_V4.4.7.EXE
1964	astro-grep.exe

pid	process
1924	ms.bin.exe
1924	ms.bin.exe
1468	ASTROGREP_SETUP_V4.4.7.EXE
1468	ASTROGREP_SETUP_V4.4.7.EXE
1468	ASTROGREP_SETUP_V4.4.7.EXE
628	cmd.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE	nsis_installer_1
\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1180 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1740 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ASTRO-GREP.EXE

pid process

1232 ASTRO-GREP.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ASTROGREP_SETUP_V4.4.7.EXE

pid process

1468 ASTROGREP_SETUP_V4.4.7.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ASTRO-GREP.EXEastro-grep.exe

description pid process

Token: SeDebugPrivilege 1232 ASTRO-GREP.EXE
Token: SeDebugPrivilege 1964 astro-grep.exe

pid	process
1180	schtasks.exe

pid	process
1740	timeout.exe

pid	process
1232	ASTRO-GREP.EXE

pid	process
1468	ASTROGREP_SETUP_V4.4.7.EXE

description	pid	process
Token: SeDebugPrivilege	1232	ASTRO-GREP.EXE
Token: SeDebugPrivilege	1964	astro-grep.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

ms.bin.exeASTRO-GREP.EXEcmd.execmd.exe

description	pid	process	target process
PID 1924 wrote to memory of 1232	1924	ms.bin.exe	ASTRO-GREP.EXE
PID 1924 wrote to memory of 1232	1924	ms.bin.exe	ASTRO-GREP.EXE
PID 1924 wrote to memory of 1232	1924	ms.bin.exe	ASTRO-GREP.EXE
PID 1924 wrote to memory of 1232	1924	ms.bin.exe	ASTRO-GREP.EXE
PID 1924 wrote to memory of 1468	1924	ms.bin.exe	ASTROGREP_SETUP_V4.4.7.EXE
PID 1924 wrote to memory of 1468	1924	ms.bin.exe	ASTROGREP_SETUP_V4.4.7.EXE
PID 1924 wrote to memory of 1468	1924	ms.bin.exe	ASTROGREP_SETUP_V4.4.7.EXE
PID 1924 wrote to memory of 1468	1924	ms.bin.exe	ASTROGREP_SETUP_V4.4.7.EXE
PID 1924 wrote to memory of 1468	1924	ms.bin.exe	ASTROGREP_SETUP_V4.4.7.EXE
PID 1924 wrote to memory of 1468	1924	ms.bin.exe	ASTROGREP_SETUP_V4.4.7.EXE
PID 1924 wrote to memory of 1468	1924	ms.bin.exe	ASTROGREP_SETUP_V4.4.7.EXE
PID 1232 wrote to memory of 1396	1232	ASTRO-GREP.EXE	cmd.exe
PID 1232 wrote to memory of 1396	1232	ASTRO-GREP.EXE	cmd.exe
PID 1232 wrote to memory of 1396	1232	ASTRO-GREP.EXE	cmd.exe
PID 1232 wrote to memory of 1396	1232	ASTRO-GREP.EXE	cmd.exe
PID 1232 wrote to memory of 628	1232	ASTRO-GREP.EXE	cmd.exe
PID 1232 wrote to memory of 628	1232	ASTRO-GREP.EXE	cmd.exe
PID 1232 wrote to memory of 628	1232	ASTRO-GREP.EXE	cmd.exe
PID 1232 wrote to memory of 628	1232	ASTRO-GREP.EXE	cmd.exe
PID 1396 wrote to memory of 1180	1396	cmd.exe	schtasks.exe
PID 1396 wrote to memory of 1180	1396	cmd.exe	schtasks.exe
PID 1396 wrote to memory of 1180	1396	cmd.exe	schtasks.exe
PID 1396 wrote to memory of 1180	1396	cmd.exe	schtasks.exe
PID 628 wrote to memory of 1740	628	cmd.exe	timeout.exe
PID 628 wrote to memory of 1740	628	cmd.exe	timeout.exe
PID 628 wrote to memory of 1740	628	cmd.exe	timeout.exe
PID 628 wrote to memory of 1740	628	cmd.exe	timeout.exe
PID 628 wrote to memory of 1964	628	cmd.exe	astro-grep.exe
PID 628 wrote to memory of 1964	628	cmd.exe	astro-grep.exe
PID 628 wrote to memory of 1964	628	cmd.exe	astro-grep.exe
PID 628 wrote to memory of 1964	628	cmd.exe	astro-grep.exe

C:\Users\Admin\AppData\Local\Temp\ms.bin.exe
"C:\Users\Admin\AppData\Local\Temp\ms.bin.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE
"C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "astro-grep" /tr '"C:\Users\Admin\AppData\Roaming\astro-grep.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "astro-grep" /tr '"C:\Users\Admin\AppData\Roaming\astro-grep.exe"'
4⤵
- Creates scheduled task(s)
PID:1180

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1740

C:\Users\Admin\AppData\Roaming\astro-grep.exe
"C:\Users\Admin\AppData\Roaming\astro-grep.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
"C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
MD5
a708211241313feaf9621e571631534d

SHA1
9f398e0cc5b2b5162d5f27a6653709f836d02998

SHA256
5c4faebe335fee04b25b10aa2a0e580571388bde2cc09e133c72d9d01bc09423

SHA512
8e2fa5f33e16879d8f5acb4ab783aa4b4b37266cd1346abef5d54f2dfeb2177af872575780e2e7cd02e462349b1c35642c0f7ba3f860034775a064e9a07b08af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
MD5
a708211241313feaf9621e571631534d

SHA1
9f398e0cc5b2b5162d5f27a6653709f836d02998

SHA256
5c4faebe335fee04b25b10aa2a0e580571388bde2cc09e133c72d9d01bc09423

SHA512
8e2fa5f33e16879d8f5acb4ab783aa4b4b37266cd1346abef5d54f2dfeb2177af872575780e2e7cd02e462349b1c35642c0f7ba3f860034775a064e9a07b08af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.bat
MD5
6a8f623c1c3c958c29e0f726a1d1a977

SHA1
ef4abc522a8291bc01f34abda73537321eb6a942

SHA256
ffc5348a2bbb60fe64d853ab772ea451430cfe703dcad6f8bc3e964a81383792

SHA512
b62bdfa283af23dddaa2f9d9bd626897e1d2dc5b86c277767e6110bf3624605163a6adb66efca04e5bd6232ffe3c21fe3ebd261d14f5ab0492bf0242c50bcc82

Download Submit
C:\Users\Admin\AppData\Roaming\astro-grep.exe
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
C:\Users\Admin\AppData\Roaming\astro-grep.exe
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
MD5
a708211241313feaf9621e571631534d

SHA1
9f398e0cc5b2b5162d5f27a6653709f836d02998

SHA256
5c4faebe335fee04b25b10aa2a0e580571388bde2cc09e133c72d9d01bc09423

SHA512
8e2fa5f33e16879d8f5acb4ab783aa4b4b37266cd1346abef5d54f2dfeb2177af872575780e2e7cd02e462349b1c35642c0f7ba3f860034775a064e9a07b08af

Download Submit
\Users\Admin\AppData\Local\Temp\nssD47F.tmp\LangDLL.dll
MD5
91d5e21907e4baff0145339311abf9d9

SHA1
f867d8529d4f3704cd4f475b46699b66cb6c2002

SHA256
acde373cc4916be5df3d239ab67f5980c333e979f34965ee733e7c6259586e9b

SHA512
339e35b89f2ac7d2fbe9dfd9a55279d20463f7c298332810c0ebaa5de95e09657f4b2837904ae16a8743c4c7abf7f3c7581099bc94312c178a21783288790401

Download Submit
\Users\Admin\AppData\Local\Temp\nssD47F.tmp\System.dll
MD5
b8992e497d57001ddf100f9c397fcef5

SHA1
e26ddf101a2ec5027975d2909306457c6f61cfbd

SHA256
98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b

SHA512
8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c

Download Submit
\Users\Admin\AppData\Local\Temp\nssD47F.tmp\nsDialogs.dll
MD5
70d4c5f9acc5ddf934b73fa311ade7d8

SHA1
6962e84782b0e1fe798cdce1d7447211228ca85b

SHA256
02869b76936e3c3102bb36e34b41bc989770bf81dca09f31c561bb6be52285ee

SHA512
40189b463173cbbad9c5101f37b4a37d970e9cd8e6f3d343cb8e54c54bdc7fdc3cfa8d7d7e7b7b0241c68768607c523be2c2c21b7efc727257731e1c5d1673fc

Download Submit
\Users\Admin\AppData\Roaming\astro-grep.exe
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
memory/628-78-0x0000000000000000-mapping.dmp

Download
memory/1180-79-0x0000000000000000-mapping.dmp

Download
memory/1232-71-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/1232-76-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1232-62-0x0000000000000000-mapping.dmp

Download
memory/1396-77-0x0000000000000000-mapping.dmp

Download
memory/1468-66-0x0000000000000000-mapping.dmp

Download
memory/1740-81-0x0000000000000000-mapping.dmp

Download
memory/1924-60-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download
memory/1964-84-0x0000000000000000-mapping.dmp

Download
memory/1964-86-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/1964-89-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download