asyncrat | e3bb74650d18fcefe9eb26f27fc72f2d68798d7f818ae40b861d9202054a544a

General

Target

1798_.jpg.ps1
Size

262KB
MD5

3bb7a462c0fbde3ad0466454a3b31597
SHA1

c182f5bd9c742997e336468664193edbb13f69e5
SHA256

e3bb74650d18fcefe9eb26f27fc72f2d68798d7f818ae40b861d9202054a544a
SHA512

e919dddb57d989e8fcffa79233bbc9cdfe8d62b144d84750b554fc40e324476cde72161ae61fea0926765cdd67f215c2904818d905e5fcb224353f596c88624c

Score

10^/10

asyncrat zain-work rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

ZAIN-WORK

C2

2pop.ddns.net:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/668-135-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/668-136-0x000000000040C6AE-mapping.dmp	asyncrat
behavioral2/memory/668-142-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/668-143-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2360 set thread context of 668 2360 powershell.exe aspnet_compiler.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exe

pid process

2360 powershell.exe
2360 powershell.exe
2360 powershell.exe
2360 powershell.exe
2360 powershell.exe
2360 powershell.exe
2360 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeaspnet_compiler.exe

description pid process

Token: SeDebugPrivilege 2360 powershell.exe
Token: SeDebugPrivilege 668 aspnet_compiler.exe

description	pid	process	target process
PID 2360 set thread context of 668	2360	powershell.exe	aspnet_compiler.exe

pid	process
2360	powershell.exe
2360	powershell.exe
2360	powershell.exe
2360	powershell.exe
2360	powershell.exe
2360	powershell.exe
2360	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	668	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2360 wrote to memory of 1200	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 1200	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 1200	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 3252	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 3252	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 3252	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 668	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 668	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 668	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 668	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 668	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 668	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 668	2360	powershell.exe	aspnet_compiler.exe
PID 2360 wrote to memory of 668	2360	powershell.exe	aspnet_compiler.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\1798_.jpg.ps1
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:1200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:3252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/668-135-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/668-148-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/668-147-0x0000000005A40000-0x0000000005F3E000-memory.dmp

Filesize
5.0MB

Download
memory/668-146-0x00000000054A0000-0x000000000553C000-memory.dmp

Filesize
624KB

Download
memory/668-145-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/668-143-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/668-142-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/668-136-0x000000000040C6AE-mapping.dmp

Download
memory/2360-121-0x00000177F91C3000-0x00000177F91C5000-memory.dmp

Filesize
8KB

Download
memory/2360-141-0x00000177F7050000-0x00000177F7052000-memory.dmp

Filesize
8KB

Download
memory/2360-125-0x00000177F7050000-0x00000177F7052000-memory.dmp

Filesize
8KB

Download
memory/2360-126-0x00000177F7050000-0x00000177F7052000-memory.dmp

Filesize
8KB

Download
memory/2360-127-0x00000177F9110000-0x00000177F9186000-memory.dmp

Filesize
472KB

Download
memory/2360-128-0x00000177F7050000-0x00000177F7052000-memory.dmp

Filesize
8KB

Download
memory/2360-130-0x00000177F8C20000-0x00000177F8C32000-memory.dmp

Filesize
72KB

Download
memory/2360-123-0x00000177F7050000-0x00000177F7052000-memory.dmp

Filesize
8KB

Download
memory/2360-122-0x00000177F8AE0000-0x00000177F8B02000-memory.dmp

Filesize
136KB

Download
memory/2360-124-0x00000177F7050000-0x00000177F7052000-memory.dmp

Filesize
8KB

Download
memory/2360-115-0x00000177F7050000-0x00000177F7052000-memory.dmp

Filesize
8KB

Download
memory/2360-120-0x00000177F7050000-0x00000177F7052000-memory.dmp

Filesize
8KB

Download
memory/2360-144-0x00000177F91C6000-0x00000177F91C8000-memory.dmp

Filesize
8KB

Download
memory/2360-119-0x00000177F91C0000-0x00000177F91C2000-memory.dmp

Filesize
8KB

Download
memory/2360-118-0x00000177F7050000-0x00000177F7052000-memory.dmp

Filesize
8KB

Download
memory/2360-116-0x00000177F7050000-0x00000177F7052000-memory.dmp

Filesize
8KB

Download
memory/2360-117-0x00000177F7050000-0x00000177F7052000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing