asyncrat | 146ff96668acfa0b36d30bab42321a2cdeccfa9714c8e1cc832741ff1d5c5d84

General

Target

Confirmation transfer MT103 copy Ref010102562.js
Size

93KB
MD5

bf0318f06d90661b7e6a8a4465cef37c
SHA1

848359829b1969522d00a72119d3a2d59ac891f2
SHA256

146ff96668acfa0b36d30bab42321a2cdeccfa9714c8e1cc832741ff1d5c5d84
SHA512

0fc0243d146c2afcdfbc94d439d12a2b18ef9f1d348ef0dee03d6b46fa4435178ae726b35fa6811f37a4453edafd85fc2374c33d723120862be109816f65ab0d
SSDEEP

1536:JUkTxiUoAcTzClzG6JhZgLQZNSZ+ufVkx1JknLYZZh/Myw3IY/p+/:GAcCpdeQZNW2kkJ/Ank/

Score

10^/10

asyncrat vjw0rm default rat trojan worm

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

fresh02.ddns.net:2245

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
logs.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Async RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe	asyncrat
behavioral1/memory/2028-61-0x0000000000D00000-0x0000000000D12000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\logs.exe	asyncrat
\Users\Admin\AppData\Roaming\logs.exe	asyncrat
C:\Users\Admin\AppData\Roaming\logs.exe	asyncrat
behavioral1/memory/1768-72-0x0000000000A10000-0x0000000000A22000-memory.dmp	asyncrat

Blocklisted process makes network request 5 IoCs

Processes:

wscript.exe

flow pid process

4 1200 wscript.exe
7 1200 wscript.exe
12 1200 wscript.exe
15 1200 wscript.exe
18 1200 wscript.exe
Executes dropped EXE 2 IoCs

Processes:

AsyncClient02.exelogs.exe

pid process

2028 AsyncClient02.exe
1768 logs.exe

flow	pid	process
4	1200	wscript.exe
7	1200	wscript.exe
12	1200	wscript.exe
15	1200	wscript.exe
18	1200	wscript.exe

pid	process
2028	AsyncClient02.exe
1768	logs.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js	wscript.exe

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1180 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1016 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1444 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AsyncClient02.exe

pid process

2028 AsyncClient02.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AsyncClient02.exelogs.exe

description pid process

Token: SeDebugPrivilege 2028 AsyncClient02.exe
Token: SeDebugPrivilege 1768 logs.exe

pid	process
1180	cmd.exe

pid	process
1016	schtasks.exe

pid	process
1444	timeout.exe

pid	process
2028	AsyncClient02.exe

description	pid	process
Token: SeDebugPrivilege	2028	AsyncClient02.exe
Token: SeDebugPrivilege	1768	logs.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

wscript.exeAsyncClient02.execmd.execmd.exe

description	pid	process	target process
PID 780 wrote to memory of 1200	780	wscript.exe	wscript.exe
PID 780 wrote to memory of 1200	780	wscript.exe	wscript.exe
PID 780 wrote to memory of 1200	780	wscript.exe	wscript.exe
PID 780 wrote to memory of 2028	780	wscript.exe	AsyncClient02.exe
PID 780 wrote to memory of 2028	780	wscript.exe	AsyncClient02.exe
PID 780 wrote to memory of 2028	780	wscript.exe	AsyncClient02.exe
PID 780 wrote to memory of 2028	780	wscript.exe	AsyncClient02.exe
PID 2028 wrote to memory of 656	2028	AsyncClient02.exe	cmd.exe
PID 2028 wrote to memory of 656	2028	AsyncClient02.exe	cmd.exe
PID 2028 wrote to memory of 656	2028	AsyncClient02.exe	cmd.exe
PID 2028 wrote to memory of 656	2028	AsyncClient02.exe	cmd.exe
PID 2028 wrote to memory of 1180	2028	AsyncClient02.exe	cmd.exe
PID 2028 wrote to memory of 1180	2028	AsyncClient02.exe	cmd.exe
PID 2028 wrote to memory of 1180	2028	AsyncClient02.exe	cmd.exe
PID 2028 wrote to memory of 1180	2028	AsyncClient02.exe	cmd.exe
PID 656 wrote to memory of 1016	656	cmd.exe	schtasks.exe
PID 656 wrote to memory of 1016	656	cmd.exe	schtasks.exe
PID 656 wrote to memory of 1016	656	cmd.exe	schtasks.exe
PID 656 wrote to memory of 1016	656	cmd.exe	schtasks.exe
PID 1180 wrote to memory of 1444	1180	cmd.exe	timeout.exe
PID 1180 wrote to memory of 1444	1180	cmd.exe	timeout.exe
PID 1180 wrote to memory of 1444	1180	cmd.exe	timeout.exe
PID 1180 wrote to memory of 1444	1180	cmd.exe	timeout.exe
PID 1180 wrote to memory of 1768	1180	cmd.exe	logs.exe
PID 1180 wrote to memory of 1768	1180	cmd.exe	logs.exe
PID 1180 wrote to memory of 1768	1180	cmd.exe	logs.exe
PID 1180 wrote to memory of 1768	1180	cmd.exe	logs.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Confirmation transfer MT103 copy Ref010102562.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nWINLmmfVH.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:1200

C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
4⤵
- Creates scheduled task(s)
PID:1016

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp494.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1444

C:\Users\Admin\AppData\Roaming\logs.exe
"C:\Users\Admin\AppData\Roaming\logs.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
Filesize
45KB

MD5
9e320f6163f8d53462d45fbebc282c64

SHA1
b2e0a591204581e78f0ae85ff42a7ca02542e2ae

SHA256
43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5

SHA512
4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
Filesize
45KB

MD5
9e320f6163f8d53462d45fbebc282c64

SHA1
b2e0a591204581e78f0ae85ff42a7ca02542e2ae

SHA256
43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5

SHA512
4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp494.tmp.bat
Filesize
147B

MD5
1e57cae89aaa7b9c0c2716041b87f6b8

SHA1
8e9d8428af46cfcdb1f3ef30c4fcc0666cdea17a

SHA256
0ffec833ed67bc05ec7a298cab97fbed7b575f2e82e40b29be72dc74fa1d2b99

SHA512
6b5a26c7968781a4fcdaeab50a64e0dd50ca57202858b7c014aa497dd709ce59e77d390458f301542a94b715ca52a37e26446fecd214a91b43d88b2d93259b9e

Download Submit
C:\Users\Admin\AppData\Roaming\logs.exe
Filesize
45KB

MD5
9e320f6163f8d53462d45fbebc282c64

SHA1
b2e0a591204581e78f0ae85ff42a7ca02542e2ae

SHA256
43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5

SHA512
4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

Download Submit
C:\Users\Admin\AppData\Roaming\logs.exe
Filesize
45KB

MD5
9e320f6163f8d53462d45fbebc282c64

SHA1
b2e0a591204581e78f0ae85ff42a7ca02542e2ae

SHA256
43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5

SHA512
4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

Download Submit
C:\Users\Admin\AppData\Roaming\nWINLmmfVH.js
Filesize
5KB

MD5
91e16cc28847b49a31fa84f5bb95d3e0

SHA1
31cbfcc259966c020e0a6af48fe7ab3f1ed8746b

SHA256
068f05236ec0499de55e3875a94989f1cc3ce5091834a09752dc61a3fb447a19

SHA512
f02c263c1f1f6374b1ae9bb5767b8cf8f7c454e2912fb58ced14b9ce8bea5c8a4ec3e1eb48bdc9aae29b572fb723b9b377b458ea5c12b101c175e475cf93b41b

Download Submit
\Users\Admin\AppData\Roaming\logs.exe
Filesize
45KB

MD5
9e320f6163f8d53462d45fbebc282c64

SHA1
b2e0a591204581e78f0ae85ff42a7ca02542e2ae

SHA256
43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5

SHA512
4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

Download Submit
memory/656-63-0x0000000000000000-mapping.dmp

Download
memory/780-54-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download
memory/1016-66-0x0000000000000000-mapping.dmp

Download
memory/1180-64-0x0000000000000000-mapping.dmp

Download
memory/1200-55-0x0000000000000000-mapping.dmp

Download
memory/1444-67-0x0000000000000000-mapping.dmp

Download
memory/1768-70-0x0000000000000000-mapping.dmp

Download
memory/1768-72-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/2028-62-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/2028-61-0x0000000000D00000-0x0000000000D12000-memory.dmp

Filesize
72KB

Download
memory/2028-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads