asyncrat | 89aacd427f262a4a5b09af5c8abdeabc7f39a1d618a01a5a79074ebb62bb065e

General

Target

mshta.exe
Size

304KB
MD5

b28ddf547716c0cdee99d4e5f261704d
SHA1

cef47d43a0809616fbdb980b7864b4cef8ed2943
SHA256

89aacd427f262a4a5b09af5c8abdeabc7f39a1d618a01a5a79074ebb62bb065e
SHA512

c78e8c4b9d871e3df72f7ecdad2a179225df6887adc9db63746bbbc6fd7ae1d3cfdd5dcbde039790bbc84193a9f5eb8516df716d614a88181b8253c5c188c24b

Score

10^/10

asyncrat mshta rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

mshta

Mutex

mshta

Attributes

delay
1
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/tefSYKAL

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ElWebsite.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\ElWebsite.exe	asyncrat
behavioral2/memory/1588-137-0x0000000000AC0000-0x0000000000AD2000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

ElWebsite.exe

pid process

1588 ElWebsite.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation mshta.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4268 schtasks.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

mshta.exe

pid process

2820 mshta.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mshta.exeElWebsite.exe

description pid process

Token: SeDebugPrivilege 2820 mshta.exe
Token: SeDebugPrivilege 1588 ElWebsite.exe

pid	process
1588	ElWebsite.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	mshta.exe

pid	process
4268	schtasks.exe

pid	process
2820	mshta.exe

description	pid	process
Token: SeDebugPrivilege	2820	mshta.exe
Token: SeDebugPrivilege	1588	ElWebsite.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

mshta.execmd.exe

description	pid	process	target process
PID 2820 wrote to memory of 1588	2820	mshta.exe	ElWebsite.exe
PID 2820 wrote to memory of 1588	2820	mshta.exe	ElWebsite.exe
PID 2820 wrote to memory of 5016	2820	mshta.exe	cmd.exe
PID 2820 wrote to memory of 5016	2820	mshta.exe	cmd.exe
PID 2820 wrote to memory of 5016	2820	mshta.exe	cmd.exe
PID 5016 wrote to memory of 4268	5016	cmd.exe	schtasks.exe
PID 5016 wrote to memory of 4268	5016	cmd.exe	schtasks.exe
PID 5016 wrote to memory of 4268	5016	cmd.exe	schtasks.exe
PID 2820 wrote to memory of 4380	2820	mshta.exe	cmd.exe
PID 2820 wrote to memory of 4380	2820	mshta.exe	cmd.exe
PID 2820 wrote to memory of 4380	2820	mshta.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\mshta.exe
"C:\Users\Admin\AppData\Local\Temp\mshta.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820

C:\Users\Admin\AppData\Local\Temp\ElWebsite.exe
"C:\Users\Admin\AppData\Local\Temp\ElWebsite.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Mshta\Mshta.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Mshta\Mshta.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4268

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\mshta.exe" "C:\Users\Admin\AppData\Roaming\Mshta\Mshta.exe"
2⤵
PID:4380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ElWebsite.exe
Filesize
47KB

MD5
39fd56f4e5a67ccf23e627f371ca9a9f

SHA1
eb41ac2c14d71d48c3d64d3f2da62667cd97b799

SHA256
15f62fd2ee2855349d213e5832cd50cf8e8a3f6d860630575fe7d8b18e8c66cc

SHA512
6976a095b48b2834a06101a577d8288805bf0445a73c10dc04174c870ff00cb0ba0df5ebc20fb817b5ea77ee7b100aa9941df321411c31726321bcb520033065

Download Submit
C:\Users\Admin\AppData\Local\Temp\ElWebsite.exe
Filesize
47KB

MD5
39fd56f4e5a67ccf23e627f371ca9a9f

SHA1
eb41ac2c14d71d48c3d64d3f2da62667cd97b799

SHA256
15f62fd2ee2855349d213e5832cd50cf8e8a3f6d860630575fe7d8b18e8c66cc

SHA512
6976a095b48b2834a06101a577d8288805bf0445a73c10dc04174c870ff00cb0ba0df5ebc20fb817b5ea77ee7b100aa9941df321411c31726321bcb520033065

Download Submit
memory/1588-134-0x0000000000000000-mapping.dmp

Download
memory/1588-137-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/1588-141-0x00007FF8786D0000-0x00007FF879191000-memory.dmp

Filesize
10.8MB

Download
memory/2820-130-0x0000000000D50000-0x0000000000DA2000-memory.dmp

Filesize
328KB

Download
memory/2820-131-0x00000000051B0000-0x0000000005754000-memory.dmp

Filesize
5.6MB

Download
memory/2820-132-0x0000000004C00000-0x0000000004C92000-memory.dmp

Filesize
584KB

Download
memory/2820-133-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

Filesize
40KB

Download
memory/4268-139-0x0000000000000000-mapping.dmp

Download
memory/4380-140-0x0000000000000000-mapping.dmp

Download
memory/5016-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads