asyncrat | a1c7157e3d321dc5966c65601335e053edb2c4a1e6cf4f1f678b974a4f2dbf26

Analysis

max time kernel
147s
max time network
161s
platform
windows10_x64
resource
win10v20210410
submitted
20-07-2021 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

623534bf150f2538edb27e51ed56b92f464adb5da8e2db378ec3a666fcb64772.vbs
Size

841KB
MD5

7ef40963a365cadbbc01e789477f9e6a
SHA1

df6e734860b53d92611fc32fd353a8df4aa19cd8
SHA256

623534bf150f2538edb27e51ed56b92f464adb5da8e2db378ec3a666fcb64772
SHA512

505e784ec07b5e29f975ac016495a607713f6c1cf6a2d9c6e380873943dd3d64f0ec950cf5f8569a0cef69b88d1cfce1642cdb16a9d989a510e024c2494a2e01

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

akconsult.linkpc.net:9872

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
jbg9dRIOq1AGzwl8xmtPqGvO9dgNJ3ut
anti_detection
false
autorun
false
bdos
false
delay
Default
host
akconsult.linkpc.net
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
9872
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral25/memory/2576-140-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral25/memory/2576-141-0x000000000040C74E-mapping.dmp	asyncrat

Drops startup file 1 IoCs

Processes:

MSBuild.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Install.vbs MSBuild.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

MSBuild.exe

description pid process target process

PID 928 set thread context of 2576 928 MSBuild.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Install.vbs	MSBuild.exe

description	pid	process	target process
PID 928 set thread context of 2576	928	MSBuild.exe	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

WScript.exeMSBuild.execsc.exe

description	pid	process	target process
PID 2192 wrote to memory of 928	2192	WScript.exe	MSBuild.exe
PID 2192 wrote to memory of 928	2192	WScript.exe	MSBuild.exe
PID 2192 wrote to memory of 928	2192	WScript.exe	MSBuild.exe
PID 928 wrote to memory of 4092	928	MSBuild.exe	csc.exe
PID 928 wrote to memory of 4092	928	MSBuild.exe	csc.exe
PID 928 wrote to memory of 4092	928	MSBuild.exe	csc.exe
PID 4092 wrote to memory of 3960	4092	csc.exe	cvtres.exe
PID 4092 wrote to memory of 3960	4092	csc.exe	cvtres.exe
PID 4092 wrote to memory of 3960	4092	csc.exe	cvtres.exe
PID 928 wrote to memory of 2576	928	MSBuild.exe	MSBuild.exe
PID 928 wrote to memory of 2576	928	MSBuild.exe	MSBuild.exe
PID 928 wrote to memory of 2576	928	MSBuild.exe	MSBuild.exe
PID 928 wrote to memory of 2576	928	MSBuild.exe	MSBuild.exe
PID 928 wrote to memory of 2576	928	MSBuild.exe	MSBuild.exe
PID 928 wrote to memory of 2576	928	MSBuild.exe	MSBuild.exe
PID 928 wrote to memory of 2576	928	MSBuild.exe	MSBuild.exe
PID 928 wrote to memory of 2576	928	MSBuild.exe	MSBuild.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\623534bf150f2538edb27e51ed56b92f464adb5da8e2db378ec3a666fcb64772.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" C:\Users\Public\Avast.xml
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\01h03kav\01h03kav.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B88.tmp" "c:\Users\Admin\AppData\Local\Temp\01h03kav\CSCDB0C09D451B84374AE8EC31387EC42.TMP"
4⤵
PID:3960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:2576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\01h03kav\01h03kav.dll
MD5
aeca19a542a71547299992b34d1818e4

SHA1
a8b2b1ccf8196fa5540fd4829bbce810d9d3b05a

SHA256
ccc4d2a156b94d00a2c8a02b6c77274f314e4ffb2e6fc61def63e2aad95dfb5d

SHA512
023ee94b22c36d43b9bda9c0415698db45f1a046e88a9f27cd4f8f2888bf1fc5277ca4dcf7d47cb12731cd52bcf493e6f26ed71918f33654d9f1a6e7bb7a0e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\01h03kav\01h03kav.pdb
MD5
ec5243263e9d4af993f5ecd825f64cb0

SHA1
92edf8def53bbd77d7f05f5b1990ca621b73406a

SHA256
4eecd3d5dc9216e8ab783f9350b414c82b5b24dc4cf9c9618815656bd87ae260

SHA512
e2079e06293ca5a63e0cd7448281fd2f1432e3516d7e7485bb11e61a9ff80db264cb4ce0ec13e2773ee951307af07f36608331716ed0a29ef3cc792b113e30ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3B88.tmp
MD5
bfa26e69ab4a77df1342503a1c60c5d9

SHA1
8eb3188a11c8cc329ac1f2f709c30cd032fe528b

SHA256
ca67b315ef239e49f6a0c47c7847d6c9b4602e202790aace01504eb274822701

SHA512
b638ae49cc062c8e5a5a1ce8c5f57981a9a3c50c7d8eb8a4e44a97cc48f9999e00e4e29abbbda5f1eb29357912fdce5a5f38e33de6b7af02b9663d1324640d8c

Download Submit
C:\Users\Public\Avast.xml
MD5
34caa2941ff3b4fa2f405e812c1fdaf5

SHA1
54254bc40b8cad04a4d15d445455f85763519d79

SHA256
6e5735e27b99106d231b14d273e28cbbb21612a1018db90abb752a6d4fe2fa26

SHA512
346e07d22334da5f10aaed86d98fb765769b5a24812e95de675fabf52671c3c081919d669688547c64f4e3c71916c4a60ff6a241421a1e9d25a552ffffbc9386

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\01h03kav\01h03kav.0.cs
MD5
1c0b791c7389870b8f9dd05767a44561

SHA1
35c1c2ecedb0e0e948e79e1f04c7af804acc3b21

SHA256
d46f4dc57accb0914ba1c4607603c74872a0dfc80d13e39690beb5c61c403604

SHA512
2bbde078531e24cda4699fcf90a00bc9c97c536f60d94cfcec5f99b0d573f516b1b958bc13a7f7c38a6cfb9192b5c140259a767dffc179981c1ea99899fe2354

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\01h03kav\01h03kav.cmdline
MD5
5fcff331d2de892419c94e4832aa8203

SHA1
27972c733662fae7774162d0dac5cbd0abf6eeda

SHA256
8afb9f71496b91f59356aa55b05d86163141c3c7af4835af7aa72e541de12d25

SHA512
9055edaeb0e271749cc3e6bfe40b3c4a158c132647780c1fe2f5687d504186dcaa7fcb2e1aeb30c426cedd9e57148e6cd4c0b9c4d75b09251824c3d1983b0a5a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\01h03kav\CSCDB0C09D451B84374AE8EC31387EC42.TMP
MD5
935c46efe799430b13104b4a7d442785

SHA1
4aa9dd9e2ea5db56a406d8d2e88cd0426b56b0d5

SHA256
0a9c4fdac71b0eb4ab45ff5e49a2d31b42496261b005f8f07a15abc055913d00

SHA512
17b98f569984212193fba78361e12d873583695d63f3a725cc7392b8fe47e2e90f4094c679d6c200a8a40f2416573becd57f7d8946ee6676b690941e39046771

Download Submit
memory/928-136-0x0000000005D70000-0x0000000005D79000-memory.dmp

Filesize
36KB

Download
memory/928-117-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/928-126-0x00000000060E0000-0x00000000060E1000-memory.dmp

Filesize
4KB

Download
memory/928-127-0x0000000006450000-0x0000000006451000-memory.dmp

Filesize
4KB

Download
memory/928-139-0x0000000005DA0000-0x0000000005DA5000-memory.dmp

Filesize
20KB

Download
memory/928-121-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/928-114-0x0000000000000000-mapping.dmp

Download
memory/928-137-0x0000000005EC0000-0x0000000005EC1000-memory.dmp

Filesize
4KB

Download
memory/928-119-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/928-123-0x0000000005DB0000-0x0000000005DB1000-memory.dmp

Filesize
4KB

Download
memory/928-116-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/928-115-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/928-118-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/2576-140-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2576-141-0x000000000040C74E-mapping.dmp

Download
memory/2576-144-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/3960-131-0x0000000000000000-mapping.dmp

Download
memory/4092-128-0x0000000000000000-mapping.dmp

Download