asyncrat | 2f5639932c7a25cf51737748cdc495367a9203e0a963f930f0009935109da190

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
17-07-2021 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

astro-grep-setup.exe.doc
Size

1.4MB
MD5

9c3d3679ea84ff9bf67bf8c7aa2afc48
SHA1

0470d616e8918ef03098741bf7fb0b313bb8aaea
SHA256

2f5639932c7a25cf51737748cdc495367a9203e0a963f930f0009935109da190
SHA512

6896ad9abbbaa7760825d40086270f649a82a1291798173764e20deb7a5ef7a2f4070e247f27210f77341d70b6ed7215fa72a1711210610b428fcce39006af53

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

null:null

Mutex

Mutex_6SI8OkPnk

Attributes

aes_key
ZgOTIhSVzSTSosv4ITYrzailHXWOHyEM
anti_detection
true
autorun
true
bdos
false
delay
SWARM-SHOP
host
null
hwid
20
install_file
install_folder
%AppData%
mutex
Mutex_6SI8OkPnk
pastebin_config
https://pastebin.com/raw/VTByvKGM
port
null
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
C:\ProgramData\Memsys\ms.exe	asyncrat
C:\ProgramData\Memsys\ms.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE	asyncrat
C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE	asyncrat
C:\Users\Admin\AppData\Roaming\astro-grep.exe	asyncrat
C:\Users\Admin\AppData\Roaming\astro-grep.exe	asyncrat

Executes dropped EXE 4 IoCs

Processes:

ms.exeASTRO-GREP.EXEASTROGREP_SETUP_V4.4.7.EXEastro-grep.exe

pid process

3636 ms.exe
1328 ASTRO-GREP.EXE
3312 ASTROGREP_SETUP_V4.4.7.EXE
200 astro-grep.exe
Loads dropped DLL 4 IoCs

Processes:

ASTROGREP_SETUP_V4.4.7.EXE

pid process

3312 ASTROGREP_SETUP_V4.4.7.EXE
3312 ASTROGREP_SETUP_V4.4.7.EXE
3312 ASTROGREP_SETUP_V4.4.7.EXE
3312 ASTROGREP_SETUP_V4.4.7.EXE
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3636	ms.exe
1328	ASTRO-GREP.EXE
3312	ASTROGREP_SETUP_V4.4.7.EXE
200	astro-grep.exe

pid	process
3312	ASTROGREP_SETUP_V4.4.7.EXE
3312	ASTROGREP_SETUP_V4.4.7.EXE
3312	ASTROGREP_SETUP_V4.4.7.EXE
3312	ASTROGREP_SETUP_V4.4.7.EXE

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\ProgramData\Memsys\ms.exe	nsis_installer_2
C:\ProgramData\Memsys\ms.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE	nsis_installer_2

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2160 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2220 timeout.exe

pid	process
2160	schtasks.exe

pid	process
2220	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3716 WINWORD.EXE
3716 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

ASTRO-GREP.EXE

pid	process
1328	ASTRO-GREP.EXE
1328	ASTRO-GREP.EXE
1328	ASTRO-GREP.EXE
1328	ASTRO-GREP.EXE
1328	ASTRO-GREP.EXE
1328	ASTRO-GREP.EXE
1328	ASTRO-GREP.EXE
1328	ASTRO-GREP.EXE
1328	ASTRO-GREP.EXE
1328	ASTRO-GREP.EXE
1328	ASTRO-GREP.EXE
1328	ASTRO-GREP.EXE
1328	ASTRO-GREP.EXE
1328	ASTRO-GREP.EXE
1328	ASTRO-GREP.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ASTRO-GREP.EXEastro-grep.exe

description pid process

Token: SeDebugPrivilege 1328 ASTRO-GREP.EXE
Token: SeDebugPrivilege 200 astro-grep.exe

description	pid	process
Token: SeDebugPrivilege	1328	ASTRO-GREP.EXE
Token: SeDebugPrivilege	200	astro-grep.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

WINWORD.EXE

pid	process
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE
3716	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

WINWORD.EXEms.exeASTRO-GREP.EXEcmd.execmd.exe

description	pid	process	target process
PID 3716 wrote to memory of 3636	3716	WINWORD.EXE	ms.exe
PID 3716 wrote to memory of 3636	3716	WINWORD.EXE	ms.exe
PID 3716 wrote to memory of 3636	3716	WINWORD.EXE	ms.exe
PID 3636 wrote to memory of 1328	3636	ms.exe	ASTRO-GREP.EXE
PID 3636 wrote to memory of 1328	3636	ms.exe	ASTRO-GREP.EXE
PID 3636 wrote to memory of 1328	3636	ms.exe	ASTRO-GREP.EXE
PID 3636 wrote to memory of 3312	3636	ms.exe	ASTROGREP_SETUP_V4.4.7.EXE
PID 3636 wrote to memory of 3312	3636	ms.exe	ASTROGREP_SETUP_V4.4.7.EXE
PID 3636 wrote to memory of 3312	3636	ms.exe	ASTROGREP_SETUP_V4.4.7.EXE
PID 1328 wrote to memory of 2760	1328	ASTRO-GREP.EXE	cmd.exe
PID 1328 wrote to memory of 2760	1328	ASTRO-GREP.EXE	cmd.exe
PID 1328 wrote to memory of 2760	1328	ASTRO-GREP.EXE	cmd.exe
PID 1328 wrote to memory of 2096	1328	ASTRO-GREP.EXE	cmd.exe
PID 1328 wrote to memory of 2096	1328	ASTRO-GREP.EXE	cmd.exe
PID 1328 wrote to memory of 2096	1328	ASTRO-GREP.EXE	cmd.exe
PID 2760 wrote to memory of 2160	2760	cmd.exe	schtasks.exe
PID 2760 wrote to memory of 2160	2760	cmd.exe	schtasks.exe
PID 2760 wrote to memory of 2160	2760	cmd.exe	schtasks.exe
PID 2096 wrote to memory of 2220	2096	cmd.exe	timeout.exe
PID 2096 wrote to memory of 2220	2096	cmd.exe	timeout.exe
PID 2096 wrote to memory of 2220	2096	cmd.exe	timeout.exe
PID 2096 wrote to memory of 200	2096	cmd.exe	astro-grep.exe
PID 2096 wrote to memory of 200	2096	cmd.exe	astro-grep.exe
PID 2096 wrote to memory of 200	2096	cmd.exe	astro-grep.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\astro-grep-setup.exe.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3716

C:\ProgramData\Memsys\ms.exe
C:\ProgramData\Memsys\ms.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636

C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE
"C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "astro-grep" /tr '"C:\Users\Admin\AppData\Roaming\astro-grep.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "astro-grep" /tr '"C:\Users\Admin\AppData\Roaming\astro-grep.exe"'
5⤵
- Creates scheduled task(s)
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp16F4.tmp.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:2220

C:\Users\Admin\AppData\Roaming\astro-grep.exe
"C:\Users\Admin\AppData\Roaming\astro-grep.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:200

C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
"C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Memsys\ms.exe
MD5
dbbb611daf3abd47972ae4faf5d54c95

SHA1
1b33772f2acc9e6673a2922587b00db86f5fba01

SHA256
d5a8b6cb7b39d6f71ce67c6c8e17030079f2778087ee12c0ad45bd823f7bd53c

SHA512
140b2d0d6ac049943f5f2c8e3bfa7ca1ad773b0878cf92f825baa2769930d068b6b2601786f94f40daf15f199b2cb9b6ce6c016130025e5f04a103ee78b06bb9

Download Submit
C:\ProgramData\Memsys\ms.exe
MD5
dbbb611daf3abd47972ae4faf5d54c95

SHA1
1b33772f2acc9e6673a2922587b00db86f5fba01

SHA256
d5a8b6cb7b39d6f71ce67c6c8e17030079f2778087ee12c0ad45bd823f7bd53c

SHA512
140b2d0d6ac049943f5f2c8e3bfa7ca1ad773b0878cf92f825baa2769930d068b6b2601786f94f40daf15f199b2cb9b6ce6c016130025e5f04a103ee78b06bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\astro-grep.exe.log
MD5
282bbb346a5e9fd3d95b068df4a05c6a

SHA1
2f73aa5e901989e86790087fd63f4ad812f96966

SHA256
66ba8abe1de0b4ae42a793a34e04dc4181ff8591b8f55067d4be53a241716fb5

SHA512
bc266e28d4dfd4cc9e2fcf532fd3cc79b686746eb08ea1a8859969030da8df820fa9261084e3738444099a83aebd0f857c42d8e37ce4fb04b8a1ca18664326f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.EXE
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
MD5
a708211241313feaf9621e571631534d

SHA1
9f398e0cc5b2b5162d5f27a6653709f836d02998

SHA256
5c4faebe335fee04b25b10aa2a0e580571388bde2cc09e133c72d9d01bc09423

SHA512
8e2fa5f33e16879d8f5acb4ab783aa4b4b37266cd1346abef5d54f2dfeb2177af872575780e2e7cd02e462349b1c35642c0f7ba3f860034775a064e9a07b08af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASTROGREP_SETUP_V4.4.7.EXE
MD5
a708211241313feaf9621e571631534d

SHA1
9f398e0cc5b2b5162d5f27a6653709f836d02998

SHA256
5c4faebe335fee04b25b10aa2a0e580571388bde2cc09e133c72d9d01bc09423

SHA512
8e2fa5f33e16879d8f5acb4ab783aa4b4b37266cd1346abef5d54f2dfeb2177af872575780e2e7cd02e462349b1c35642c0f7ba3f860034775a064e9a07b08af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp16F4.tmp.bat
MD5
78462dfd884bf7a74a6d9e780e055d90

SHA1
59069439cdcd78b0b308123b8f60efc870db79f1

SHA256
32627f4a79703e1b1a3c378f8d3b0dc1059c53bafbc12e8c48bc397e93e32ed5

SHA512
8cdfded60b82fbe11be7429b443c2f26faa43e6ab1ba4b61be74eb666bfab8421d8ce507b2f24e75f44421358f8501ccc29cc1b8012a7919924bfce7d59cf029

Download Submit
C:\Users\Admin\AppData\Roaming\astro-grep.exe
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
C:\Users\Admin\AppData\Roaming\astro-grep.exe
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
\Users\Admin\AppData\Local\Temp\nsiB491.tmp\LangDLL.dll
MD5
91d5e21907e4baff0145339311abf9d9

SHA1
f867d8529d4f3704cd4f475b46699b66cb6c2002

SHA256
acde373cc4916be5df3d239ab67f5980c333e979f34965ee733e7c6259586e9b

SHA512
339e35b89f2ac7d2fbe9dfd9a55279d20463f7c298332810c0ebaa5de95e09657f4b2837904ae16a8743c4c7abf7f3c7581099bc94312c178a21783288790401

Download Submit
\Users\Admin\AppData\Local\Temp\nsiB491.tmp\System.dll
MD5
b8992e497d57001ddf100f9c397fcef5

SHA1
e26ddf101a2ec5027975d2909306457c6f61cfbd

SHA256
98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b

SHA512
8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c

Download Submit
\Users\Admin\AppData\Local\Temp\nsiB491.tmp\System.dll
MD5
b8992e497d57001ddf100f9c397fcef5

SHA1
e26ddf101a2ec5027975d2909306457c6f61cfbd

SHA256
98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b

SHA512
8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c

Download Submit
\Users\Admin\AppData\Local\Temp\nsiB491.tmp\nsDialogs.dll
MD5
70d4c5f9acc5ddf934b73fa311ade7d8

SHA1
6962e84782b0e1fe798cdce1d7447211228ca85b

SHA256
02869b76936e3c3102bb36e34b41bc989770bf81dca09f31c561bb6be52285ee

SHA512
40189b463173cbbad9c5101f37b4a37d970e9cd8e6f3d343cb8e54c54bdc7fdc3cfa8d7d7e7b7b0241c68768607c523be2c2c21b7efc727257731e1c5d1673fc

Download Submit
memory/200-333-0x0000000000000000-mapping.dmp

Download
memory/200-339-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/1328-326-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/1328-297-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1328-288-0x0000000000000000-mapping.dmp

Download
memory/1328-325-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/1328-327-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/2096-329-0x0000000000000000-mapping.dmp

Download
memory/2160-331-0x0000000000000000-mapping.dmp

Download
memory/2220-332-0x0000000000000000-mapping.dmp

Download
memory/2760-328-0x0000000000000000-mapping.dmp

Download
memory/3312-324-0x0000000003291000-0x0000000003293000-memory.dmp

Filesize
8KB

Download
memory/3312-290-0x0000000000000000-mapping.dmp

Download
memory/3636-285-0x0000000000000000-mapping.dmp

Download
memory/3716-123-0x00007FF9E80A0000-0x00007FF9E9F95000-memory.dmp

Filesize
31.0MB

Download
memory/3716-122-0x00007FF9E9FA0000-0x00007FF9EB08E000-memory.dmp

Filesize
16.9MB

Download
memory/3716-421-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp

Filesize
64KB

Download
memory/3716-118-0x00007FF9F03B0000-0x00007FF9F2ED3000-memory.dmp

Filesize
43.1MB

Download
memory/3716-117-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp

Filesize
64KB

Download
memory/3716-116-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp

Filesize
64KB

Download
memory/3716-115-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp

Filesize
64KB

Download
memory/3716-114-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp

Filesize
64KB

Download
memory/3716-419-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp

Filesize
64KB

Download
memory/3716-420-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp

Filesize
64KB

Download
memory/3716-422-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp

Filesize
64KB

Download
memory/3716-119-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp

Filesize
64KB

Download