asyncrat | a1c7157e3d321dc5966c65601335e053edb2c4a1e6cf4f1f678b974a4f2dbf26

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7v20210410
submitted
20-07-2021 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

623534bf150f2538edb27e51ed56b92f464adb5da8e2db378ec3a666fcb64772.vbs
Size

841KB
MD5

7ef40963a365cadbbc01e789477f9e6a
SHA1

df6e734860b53d92611fc32fd353a8df4aa19cd8
SHA256

623534bf150f2538edb27e51ed56b92f464adb5da8e2db378ec3a666fcb64772
SHA512

505e784ec07b5e29f975ac016495a607713f6c1cf6a2d9c6e380873943dd3d64f0ec950cf5f8569a0cef69b88d1cfce1642cdb16a9d989a510e024c2494a2e01

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

akconsult.linkpc.net:9872

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
jbg9dRIOq1AGzwl8xmtPqGvO9dgNJ3ut
anti_detection
false
autorun
false
bdos
false
delay
Default
host
akconsult.linkpc.net
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
9872
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral24/memory/852-80-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral24/memory/852-81-0x000000000040C74E-mapping.dmp	asyncrat
behavioral24/memory/852-82-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Drops startup file 1 IoCs

Processes:

MSBuild.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Install.vbs MSBuild.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

MSBuild.exe

description pid process target process

PID 1364 set thread context of 852 1364 MSBuild.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Install.vbs	MSBuild.exe

description	pid	process	target process
PID 1364 set thread context of 852	1364	MSBuild.exe	MSBuild.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

WScript.exeMSBuild.execsc.exe

description	pid	process	target process
PID 480 wrote to memory of 1364	480	WScript.exe	MSBuild.exe
PID 480 wrote to memory of 1364	480	WScript.exe	MSBuild.exe
PID 480 wrote to memory of 1364	480	WScript.exe	MSBuild.exe
PID 480 wrote to memory of 1364	480	WScript.exe	MSBuild.exe
PID 1364 wrote to memory of 676	1364	MSBuild.exe	csc.exe
PID 1364 wrote to memory of 676	1364	MSBuild.exe	csc.exe
PID 1364 wrote to memory of 676	1364	MSBuild.exe	csc.exe
PID 1364 wrote to memory of 676	1364	MSBuild.exe	csc.exe
PID 676 wrote to memory of 1252	676	csc.exe	cvtres.exe
PID 676 wrote to memory of 1252	676	csc.exe	cvtres.exe
PID 676 wrote to memory of 1252	676	csc.exe	cvtres.exe
PID 676 wrote to memory of 1252	676	csc.exe	cvtres.exe
PID 1364 wrote to memory of 852	1364	MSBuild.exe	MSBuild.exe
PID 1364 wrote to memory of 852	1364	MSBuild.exe	MSBuild.exe
PID 1364 wrote to memory of 852	1364	MSBuild.exe	MSBuild.exe
PID 1364 wrote to memory of 852	1364	MSBuild.exe	MSBuild.exe
PID 1364 wrote to memory of 852	1364	MSBuild.exe	MSBuild.exe
PID 1364 wrote to memory of 852	1364	MSBuild.exe	MSBuild.exe
PID 1364 wrote to memory of 852	1364	MSBuild.exe	MSBuild.exe
PID 1364 wrote to memory of 852	1364	MSBuild.exe	MSBuild.exe
PID 1364 wrote to memory of 852	1364	MSBuild.exe	MSBuild.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\623534bf150f2538edb27e51ed56b92f464adb5da8e2db378ec3a666fcb64772.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" C:\Users\Public\Avast.xml
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wygzjsld\wygzjsld.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28F4.tmp" "c:\Users\Admin\AppData\Local\Temp\wygzjsld\CSC2E86DEB673984D3793EDB09775F15688.TMP"
4⤵
PID:1252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES28F4.tmp
MD5
9b9a7519e242e0e337c868b377df120f

SHA1
928ab53d84fc6482d745d04239795826fbec3a1d

SHA256
446f0bfcba98339d5f87d11708faf6144e56147a48da224a6c64990b1a71bb9f

SHA512
d223eeca1aa27f1c296e9e78848af59840ba80d70c0030de1971c451b53acf9ca137a9a6ac37c054c683af597d221b3500ed643edcb5f2a897f1f587341dacc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wygzjsld\wygzjsld.dll
MD5
4380ca1389d3305251946267e4ff7494

SHA1
52addf646be03728a42e64a71ee9cda51ed008d2

SHA256
0da58f65d5d4c88af30cc051f2ff39ecfd00dfe6a9cac20223e3fb0c0e1b5651

SHA512
4050c34d9d8efed9cebc9194a0f1f8a81a82f8826d7734be3355b8040972615deae632ba42da1051e21c7b1a1d264c4f5d875d0c3bfe07232022587b410a90e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wygzjsld\wygzjsld.pdb
MD5
c22e617acfd02f4bca22d256e4fd337d

SHA1
a838e8b119b99012dccc499af5c5251143583eb7

SHA256
d6b2b300d2d0be829a6671f56bdd2e3633b2d4e7ed8a7f09b01081df85641b52

SHA512
e5d2d6cc95d3874e98ba26216a8d190c05c8b2033c16aad90ca68c29bb6b9d1ecf5e05c36e6b5b017fef5ad706f1d0a93de0efbda6b889851dc4f2f96cde8f05

Download Submit
C:\Users\Public\Avast.xml
MD5
34caa2941ff3b4fa2f405e812c1fdaf5

SHA1
54254bc40b8cad04a4d15d445455f85763519d79

SHA256
6e5735e27b99106d231b14d273e28cbbb21612a1018db90abb752a6d4fe2fa26

SHA512
346e07d22334da5f10aaed86d98fb765769b5a24812e95de675fabf52671c3c081919d669688547c64f4e3c71916c4a60ff6a241421a1e9d25a552ffffbc9386

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wygzjsld\CSC2E86DEB673984D3793EDB09775F15688.TMP
MD5
5cf43a9d8be74f98bdcc706b38b931c0

SHA1
fac91b8f76433b5cb9fa9c1bcdfef81c903562ef

SHA256
9a28c7f7145e41ea9c85634b1f22997e6922b4255aaa5f8ec3cd57cb58caf778

SHA512
84eea967716af533dacdc66f859a074e40d8d56f67a28b82bfa81ff4c4af0db8aed8ae6d35b9b691068174e35e1a22f8b4f1dd5d75c37570f5d94d45cb3e7d11

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wygzjsld\wygzjsld.0.cs
MD5
1c0b791c7389870b8f9dd05767a44561

SHA1
35c1c2ecedb0e0e948e79e1f04c7af804acc3b21

SHA256
d46f4dc57accb0914ba1c4607603c74872a0dfc80d13e39690beb5c61c403604

SHA512
2bbde078531e24cda4699fcf90a00bc9c97c536f60d94cfcec5f99b0d573f516b1b958bc13a7f7c38a6cfb9192b5c140259a767dffc179981c1ea99899fe2354

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wygzjsld\wygzjsld.cmdline
MD5
84c3e184fb61a2409ea7929555fb7512

SHA1
2506f8fc1551f9529b8ced45e3271ac74cb93431

SHA256
2cee36546f1f024172d4d3910f06fd643854fd370a96e755d7a389bb9e73ea38

SHA512
56ea6737e2364a602b16a89c0df46a859b059921f6f9686a7d359fe04a905ab8bb3e7e9fc65d373dd7e05eb8c1adc7d79d60fb4711f90fc62dc0c34cf5e9ce5c

Download Submit
memory/676-69-0x0000000000000000-mapping.dmp

Download
memory/852-84-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/852-80-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/852-81-0x000000000040C74E-mapping.dmp

Download
memory/852-82-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/852-85-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/1252-72-0x0000000000000000-mapping.dmp

Download
memory/1364-65-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1364-68-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/1364-67-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/1364-66-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/1364-77-0x0000000000560000-0x0000000000569000-memory.dmp

Filesize
36KB

Download
memory/1364-78-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/1364-79-0x0000000000640000-0x0000000000645000-memory.dmp

Filesize
20KB

Download
memory/1364-59-0x0000000000000000-mapping.dmp

Download
memory/1364-64-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/1364-63-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/1364-62-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/1364-60-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download