asyncrat | ead8106d04189a9765d0e125d5d504e30c2c1bc3223a8d9d3ee897af82846b96

Analysis

max time kernel
68s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
01-07-2022 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Re Order 4500324718-CIMELECT.jar
Size

694KB
MD5

7c5d4887188330ff9c6eb853f2e58847
SHA1

91fdfe9ee9bc580ec2440f7485f71e3d34d4c883
SHA256

ead8106d04189a9765d0e125d5d504e30c2c1bc3223a8d9d3ee897af82846b96
SHA512

7b907daaf146bbc06657d33f7a7b5e0254615c080de46ebabb16fea282b0cea67dcb164c0a42a489fbcd7ca70624aef19d58ddc2ae36571867225f936c01f12f

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

franmhort.duia.ro:8153

Mutex

Mutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
win.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\AsyncClient.exe	asyncrat
behavioral2/memory/4612-159-0x0000000002540000-0x0000000003540000-memory.dmp	asyncrat
behavioral2/memory/1904-171-0x0000000002DC0000-0x0000000003DC0000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\AsyncClient.exe	asyncrat
behavioral2/memory/4612-179-0x0000000002540000-0x0000000003540000-memory.dmp	asyncrat
behavioral2/memory/1940-187-0x00000000005B0000-0x00000000005C2000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

AsyncClient.exe

pid process

1940 AsyncClient.exe

pid	process
1940	AsyncClient.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

java.exewscript.exeWScript.exejavaw.exe

description	pid	process	target process
PID 432 wrote to memory of 724	432	java.exe	wscript.exe
PID 432 wrote to memory of 724	432	java.exe	wscript.exe
PID 724 wrote to memory of 2372	724	wscript.exe	WScript.exe
PID 724 wrote to memory of 2372	724	wscript.exe	WScript.exe
PID 724 wrote to memory of 4612	724	wscript.exe	javaw.exe
PID 724 wrote to memory of 4612	724	wscript.exe	javaw.exe
PID 2372 wrote to memory of 1940	2372	WScript.exe	AsyncClient.exe
PID 2372 wrote to memory of 1940	2372	WScript.exe	AsyncClient.exe
PID 2372 wrote to memory of 1940	2372	WScript.exe	AsyncClient.exe
PID 4612 wrote to memory of 1904	4612	javaw.exe	java.exe
PID 4612 wrote to memory of 1904	4612	javaw.exe	java.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Re Order 4500324718-CIMELECT.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SYSTEM32\wscript.exe
wscript C:\Users\Admin\slrtghxwgp.js
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:724

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\xRKCVudFNp.js"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Roaming\AsyncClient.exe
"C:\Users\Admin\AppData\Roaming\AsyncClient.exe"
4⤵
- Executes dropped EXE
PID:1940

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\dnleucksc.txt"
3⤵
- Suspicious use of WriteProcessMemory
PID:4612

C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.290859765782728656590665891713163959.class
4⤵
PID:1904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize
50B

MD5
b067d3b4b88e590af0a571228c92e368

SHA1
85a1bec97f1f0daf07c1df6d6a1ea3831d762e17

SHA256
dfcb365a98000b9930a48e85ef88c84260f08da26e871a62130219413bb89295

SHA512
2c0e10ecb587fba9190e3797394488ecfd59dac232fe53bb8029d778253afff5f52c97c9344e9769f897f5165e471dab775e5c6d703becb73824d2a9da1ddfbf

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize
50B

MD5
20dee59a456915e21a0ceebb51b885ff

SHA1
2cb483863aed450218eb9e4d3877dfcc30879afb

SHA256
45808bf832e871d2d60a53925576ad4997d148f9c6f46f87322d9f3c8094d9df

SHA512
0770c20a4d1c8df4aacaa784834607fd239df4c8f2f23c2b0c9457c737e1cc2197f38d78d4264ab485d38bcd6f68fd840effd6a213c174a65102242cae329061

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.290859765782728656590665891713163959.class
Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\AsyncClient.exe
Filesize
45KB

MD5
cbdce3b5e2939fe92312004dcb31151f

SHA1
6f11f275c611decd4659f23a4593103f327806a6

SHA256
6ccc49875c2d837f462c4c3bd81f80b3be93f8435e8a22e042b5db025a31a6e3

SHA512
6240f21957016db0607987c81b110e78640d20eeba2dc0274cf6e6741cfd7924ca3b42325405e620f423157c34f355f188dbf60de96421e87f0d53e271fcc2c8

Download Submit
C:\Users\Admin\AppData\Roaming\AsyncClient.exe
Filesize
45KB

MD5
cbdce3b5e2939fe92312004dcb31151f

SHA1
6f11f275c611decd4659f23a4593103f327806a6

SHA256
6ccc49875c2d837f462c4c3bd81f80b3be93f8435e8a22e042b5db025a31a6e3

SHA512
6240f21957016db0607987c81b110e78640d20eeba2dc0274cf6e6741cfd7924ca3b42325405e620f423157c34f355f188dbf60de96421e87f0d53e271fcc2c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1081944012-3634099177-1681222835-1000\83aa4cc77f591dfc2374580bbd95f6ba_20e30e2f-4677-4eb9-89e6-7dd1fd044635
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\dnleucksc.txt
Filesize
479KB

MD5
e6e49d6575a99dc7eaf81091e02190b6

SHA1
d7abf421d1a9d080d89b2922003a0d869d64ac2c

SHA256
3df792e3ab0c1efd66231647b0369e5805d359403d5b534a2562a7ba301b0757

SHA512
98743a430ab0490aed350a800d057dbaf7b29d2ce9833ca7cefc3e52a18dc5918c315918f64b193ca6d42f0250f7d93f001606689852de3f56182de42e0a7d3f

Download Submit
C:\Users\Admin\AppData\Roaming\xRKCVudFNp.js
Filesize
88KB

MD5
63649fb5e85e7f8c93a1ad99a27b7b22

SHA1
ae8e7a2215151a271d983e52ba8a56a77ae6baed

SHA256
e5d86ad0a6d4aaf17667fc846727326d86608c9cbee572b6aef70c92b028d86d

SHA512
7bd802d530f5b752a8b9ec2e0e45ade04b70d0edf29b007852682e25cc3a63531fde3d2c57e03d5fb8478caeff823b028d9bd83ef693876d5f803868428d5f3a

Download Submit
C:\Users\Admin\slrtghxwgp.js
Filesize
1.0MB

MD5
a0feff107f173acc9b411620b16cfddf

SHA1
b7b5985ad225aef80e1e0e08297330f2257f7f59

SHA256
100de96a9a0778b9d66d919de429cecb7ee54c4e3ddce9911d40a0ded003d185

SHA512
99d7ca04f65e2cadd0678166a5b1c07e476873bd43c90290982731e3657bd43a4ddcfb57a1317381529eb50dd1dadd7e87273006f4179e43b4a3251184ed7000

Download Submit
memory/432-132-0x0000000002D40000-0x0000000003D40000-memory.dmp

Filesize
16.0MB

Download
memory/724-140-0x0000000000000000-mapping.dmp

Download
memory/1904-160-0x0000000000000000-mapping.dmp

Download
memory/1904-171-0x0000000002DC0000-0x0000000003DC0000-memory.dmp

Filesize
16.0MB

Download
memory/1904-181-0x0000000002DC0000-0x0000000003DC0000-memory.dmp

Filesize
16.0MB

Download
memory/1904-188-0x0000000002DC0000-0x0000000003DC0000-memory.dmp

Filesize
16.0MB

Download
memory/1940-157-0x0000000000000000-mapping.dmp

Download
memory/1940-187-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2372-143-0x0000000000000000-mapping.dmp

Download
memory/4612-159-0x0000000002540000-0x0000000003540000-memory.dmp

Filesize
16.0MB

Download
memory/4612-145-0x0000000000000000-mapping.dmp

Download
memory/4612-179-0x0000000002540000-0x0000000003540000-memory.dmp

Filesize
16.0MB

Download
memory/4612-180-0x0000000002540000-0x0000000003540000-memory.dmp

Filesize
16.0MB

Download
memory/4612-182-0x0000000002540000-0x0000000003540000-memory.dmp

Filesize
16.0MB

Download
memory/4612-190-0x0000000002540000-0x0000000003540000-memory.dmp

Filesize
16.0MB

Download