asyncrat | 4c4940488f9f3281b8cf4e88d400d4b18285addc198021cbc7dc990b4ab10aa7

General

Target

stuff.ps1
Size

188KB
MD5

8254ae9b0d6365640abaf15d2d74a4ab
SHA1

072d72634d8ddfe16e8065822797d61e8f2cf6a1
SHA256

4c4940488f9f3281b8cf4e88d400d4b18285addc198021cbc7dc990b4ab10aa7
SHA512

c84f06d269a0abfb5cff67a08b191468d7ba094830c994743e4f759eb6aba4d23de3f7290bd9cc2991ba01eca8c298734fe38397313f751456c111b72986f247

Score

10^/10

asyncrat 1 rat suricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

1

C2

anderione.com:5252

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	4408	powershell.exe

suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4516-152-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/4516-153-0x000000000040D04E-mapping.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 5048 set thread context of 4516 5048 powershell.exe aspnet_compiler.exe

description	pid	process	target process
PID 5048 set thread context of 4516	5048	powershell.exe	aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2516	powershell.exe
2516	powershell.exe
244	powershell.exe
244	powershell.exe
2404	powershell.exe
2404	powershell.exe
5048	powershell.exe
5048	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	244	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeIncreaseQuotaPrivilege	244	powershell.exe
Token: SeSecurityPrivilege	244	powershell.exe
Token: SeTakeOwnershipPrivilege	244	powershell.exe
Token: SeLoadDriverPrivilege	244	powershell.exe
Token: SeSystemProfilePrivilege	244	powershell.exe
Token: SeSystemtimePrivilege	244	powershell.exe
Token: SeProfSingleProcessPrivilege	244	powershell.exe
Token: SeIncBasePriorityPrivilege	244	powershell.exe
Token: SeCreatePagefilePrivilege	244	powershell.exe
Token: SeBackupPrivilege	244	powershell.exe
Token: SeRestorePrivilege	244	powershell.exe
Token: SeShutdownPrivilege	244	powershell.exe
Token: SeDebugPrivilege	244	powershell.exe
Token: SeSystemEnvironmentPrivilege	244	powershell.exe
Token: SeRemoteShutdownPrivilege	244	powershell.exe
Token: SeUndockPrivilege	244	powershell.exe
Token: SeManageVolumePrivilege	244	powershell.exe
Token: 33	244	powershell.exe
Token: 34	244	powershell.exe
Token: 35	244	powershell.exe
Token: 36	244	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeIncreaseQuotaPrivilege	244	powershell.exe
Token: SeSecurityPrivilege	244	powershell.exe
Token: SeTakeOwnershipPrivilege	244	powershell.exe
Token: SeLoadDriverPrivilege	244	powershell.exe
Token: SeSystemProfilePrivilege	244	powershell.exe
Token: SeSystemtimePrivilege	244	powershell.exe
Token: SeProfSingleProcessPrivilege	244	powershell.exe
Token: SeIncBasePriorityPrivilege	244	powershell.exe
Token: SeCreatePagefilePrivilege	244	powershell.exe
Token: SeBackupPrivilege	244	powershell.exe
Token: SeRestorePrivilege	244	powershell.exe
Token: SeShutdownPrivilege	244	powershell.exe
Token: SeDebugPrivilege	244	powershell.exe
Token: SeSystemEnvironmentPrivilege	244	powershell.exe
Token: SeRemoteShutdownPrivilege	244	powershell.exe
Token: SeUndockPrivilege	244	powershell.exe
Token: SeManageVolumePrivilege	244	powershell.exe
Token: 33	244	powershell.exe
Token: 34	244	powershell.exe
Token: 35	244	powershell.exe
Token: 36	244	powershell.exe
Token: SeIncreaseQuotaPrivilege	244	powershell.exe
Token: SeSecurityPrivilege	244	powershell.exe
Token: SeTakeOwnershipPrivilege	244	powershell.exe
Token: SeLoadDriverPrivilege	244	powershell.exe
Token: SeSystemProfilePrivilege	244	powershell.exe
Token: SeSystemtimePrivilege	244	powershell.exe
Token: SeProfSingleProcessPrivilege	244	powershell.exe
Token: SeIncBasePriorityPrivilege	244	powershell.exe
Token: SeCreatePagefilePrivilege	244	powershell.exe
Token: SeBackupPrivilege	244	powershell.exe
Token: SeRestorePrivilege	244	powershell.exe
Token: SeShutdownPrivilege	244	powershell.exe
Token: SeDebugPrivilege	244	powershell.exe
Token: SeSystemEnvironmentPrivilege	244	powershell.exe
Token: SeRemoteShutdownPrivilege	244	powershell.exe
Token: SeUndockPrivilege	244	powershell.exe
Token: SeManageVolumePrivilege	244	powershell.exe
Token: 33	244	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

powershell.exepowershell.exepowershell.execmd.exepowershell.exe

description	pid	process	target process
PID 2516 wrote to memory of 244	2516	powershell.exe	powershell.exe
PID 2516 wrote to memory of 244	2516	powershell.exe	powershell.exe
PID 244 wrote to memory of 4688	244	powershell.exe	WScript.exe
PID 244 wrote to memory of 4688	244	powershell.exe	WScript.exe
PID 2404 wrote to memory of 5076	2404	powershell.exe	cmd.exe
PID 2404 wrote to memory of 5076	2404	powershell.exe	cmd.exe
PID 5076 wrote to memory of 5048	5076	cmd.exe	powershell.exe
PID 5076 wrote to memory of 5048	5076	cmd.exe	powershell.exe
PID 5048 wrote to memory of 4516	5048	powershell.exe	aspnet_compiler.exe
PID 5048 wrote to memory of 4516	5048	powershell.exe	aspnet_compiler.exe
PID 5048 wrote to memory of 4516	5048	powershell.exe	aspnet_compiler.exe
PID 5048 wrote to memory of 4516	5048	powershell.exe	aspnet_compiler.exe
PID 5048 wrote to memory of 4516	5048	powershell.exe	aspnet_compiler.exe
PID 5048 wrote to memory of 4516	5048	powershell.exe	aspnet_compiler.exe
PID 5048 wrote to memory of 4516	5048	powershell.exe	aspnet_compiler.exe
PID 5048 wrote to memory of 4516	5048	powershell.exe	aspnet_compiler.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\stuff.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.ps1'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:244

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.vbs"
3⤵
PID:4688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\JUJJXIPRQGPIGEPKBEEFQE.ps1'"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:4516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.bat
Filesize
127B

MD5
3a3621f698bddacf4a483b7937a526aa

SHA1
252877137fec36ff0aec26ae03fbe721cc2dd746

SHA256
2cebcb117d63f7a5501bdef860e12b2bb5a519f500ea2809e58a252fdd093d8e

SHA512
6981efe08adfda669f4eb18846561587cfb951a09528b2c25c4ac4eed9ccf986a80068aae1fa37b41fdc41b7a20c01f58492c552938bfe602a88e9d3dc317421

Download Submit
C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.ps1
Filesize
457B

MD5
04b8f8f8e92a78201fb9b5e64521205e

SHA1
31d89938dd38d6a0eb9c02ef2b1f39efa59cd01e

SHA256
15efeea6f8bd53fc9200d1cff9aa3d46a3acc62d99abca63664f5111fd380b71

SHA512
adbbb64db4d9dd43b146881882f60a6f105871876b617d8670cfd4eb127e47bed410d9bd1f37f61be8bbf63db26b9d1f1c32cd0ef3e4e22af4e4e62698e30a87

Download Submit
C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.vbs
Filesize
1KB

MD5
6a2f7bf0fd50b778ccef1ae8f9e1d2aa

SHA1
6529b18bb3b9874f946f0e837b95dbe994dc4876

SHA256
0ebf7ec6a3e0c7d9fa00a53e7be74b9c9a4e122693bdceb57ded95825a3a945f

SHA512
d07779490f9a84d91d0f88abc65ea71e2f649295e0d4c0d83c863a3c32382b06e516dd6dbdc9262b6ea578cd3bc4ee0baf1bcbd93907613165e3283f8ca5e62c

Download Submit
C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\JUJJXIPRQGPIGEPKBEEFQE.ps1
Filesize
184KB

MD5
b8425da2ff46f9b440037fb8edc93845

SHA1
59538af9cdfbb3ad1cc471113a9253d13b1bde8b

SHA256
f90c7331f3cec4cca6c7175c204cdf8d6465261d3736c2130852eff8ca60d86f

SHA512
be6bcd0ba44f953eb71682856cd73bd3cb7582619280252794db31f9830927854ea3d1516976925567cd99e3b727d0828b0a5c918a91ec925699f28271357674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
fee026663fcb662152188784794028ee

SHA1
3c02a26a9cb16648fad85c6477b68ced3cb0cb45

SHA256
dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b

SHA512
7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
806286a9ea8981d782ba5872780e6a4c

SHA1
99fe6f0c1098145a7b60fda68af7e10880f145da

SHA256
cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713

SHA512
362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
75b4b2eecda41cec059c973abb1114c0

SHA1
11dadf4817ead21b0340ce529ee9bbd7f0422668

SHA256
5540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134

SHA512
87feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
memory/244-130-0x00007FFA4A830000-0x00007FFA4B2F1000-memory.dmp

Filesize
10.8MB

Download
memory/244-132-0x000001B64AFB0000-0x000001B64AFB2000-memory.dmp

Filesize
8KB

Download
memory/244-133-0x000001B64AFB3000-0x000001B64AFB5000-memory.dmp

Filesize
8KB

Download
memory/244-131-0x000001B64AFB6000-0x000001B64AFB8000-memory.dmp

Filesize
8KB

Download
memory/244-129-0x0000000000000000-mapping.dmp

Download
memory/2404-140-0x0000023372D73000-0x0000023372D75000-memory.dmp

Filesize
8KB

Download
memory/2404-139-0x0000023372D70000-0x0000023372D72000-memory.dmp

Filesize
8KB

Download
memory/2404-137-0x00007FFA4A830000-0x00007FFA4B2F1000-memory.dmp

Filesize
10.8MB

Download
memory/2404-138-0x0000023372D76000-0x0000023372D78000-memory.dmp

Filesize
8KB

Download
memory/2516-125-0x00007FFA4A830000-0x00007FFA4B2F1000-memory.dmp

Filesize
10.8MB

Download
memory/2516-124-0x000001C47AA80000-0x000001C47AAA2000-memory.dmp

Filesize
136KB

Download
memory/2516-127-0x000001C478A03000-0x000001C478A05000-memory.dmp

Filesize
8KB

Download
memory/2516-128-0x000001C478A06000-0x000001C478A08000-memory.dmp

Filesize
8KB

Download
memory/2516-126-0x000001C478A00000-0x000001C478A02000-memory.dmp

Filesize
8KB

Download
memory/4516-158-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/4516-156-0x0000000005790000-0x000000000582C000-memory.dmp

Filesize
624KB

Download
memory/4516-157-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/4516-153-0x000000000040D04E-mapping.dmp

Download
memory/4516-152-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4688-135-0x0000000000000000-mapping.dmp

Download
memory/5048-143-0x0000000000000000-mapping.dmp

Download
memory/5048-147-0x0000023BFE650000-0x0000023BFE652000-memory.dmp

Filesize
8KB

Download
memory/5048-149-0x0000023BFE656000-0x0000023BFE658000-memory.dmp

Filesize
8KB

Download
memory/5048-148-0x0000023BFE653000-0x0000023BFE655000-memory.dmp

Filesize
8KB

Download
memory/5048-146-0x00007FFA4A830000-0x00007FFA4B2F1000-memory.dmp

Filesize
10.8MB

Download
memory/5048-145-0x0000023BE6440000-0x0000023BE645A000-memory.dmp

Filesize
104KB

Download
memory/5076-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads