asyncrat | 6be765d9b3531f2c2df05dee6254a3154f0764e2d2ca175346b0e9e2027b4c12

General

Target

146ff96668acfa0b36d30bab42321a2cdeccfa9714c8e1cc832741ff1d5c5d84.js
Size

93KB
MD5

bf0318f06d90661b7e6a8a4465cef37c
SHA1

848359829b1969522d00a72119d3a2d59ac891f2
SHA256

146ff96668acfa0b36d30bab42321a2cdeccfa9714c8e1cc832741ff1d5c5d84
SHA512

0fc0243d146c2afcdfbc94d439d12a2b18ef9f1d348ef0dee03d6b46fa4435178ae726b35fa6811f37a4453edafd85fc2374c33d723120862be109816f65ab0d
SSDEEP

1536:JUkTxiUoAcTzClzG6JhZgLQZNSZ+ufVkx1JknLYZZh/Myw3IY/p+/:GAcCpdeQZNW2kkJ/Ank/

Score

10^/10

asyncrat vjw0rm default rat trojan worm

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

fresh02.ddns.net:2245

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
logs.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe	asyncrat
behavioral1/memory/4084-137-0x0000000000E90000-0x0000000000EA2000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\logs.exe	asyncrat
C:\Users\Admin\AppData\Roaming\logs.exe	asyncrat

Blocklisted process makes network request 3 IoCs

Processes:

wscript.exe

flow pid process

5 2232 wscript.exe
24 2232 wscript.exe
64 2232 wscript.exe
Executes dropped EXE 2 IoCs

Processes:

AsyncClient02.exelogs.exe

pid process

4084 AsyncClient02.exe
1856 logs.exe

flow	pid	process
5	2232	wscript.exe
24	2232	wscript.exe
64	2232	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeAsyncClient02.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	AsyncClient02.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4936 1476 WerFault.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1300 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5040 timeout.exe

pid	pid_target	process	target process
4936	1476	WerFault.exe

pid	process
1300	schtasks.exe

pid	process
5040	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

AsyncClient02.exe

pid	process
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe
4084	AsyncClient02.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AsyncClient02.exelogs.exe

description pid process

Token: SeDebugPrivilege 4084 AsyncClient02.exe
Token: SeDebugPrivilege 1856 logs.exe

description	pid	process
Token: SeDebugPrivilege	4084	AsyncClient02.exe
Token: SeDebugPrivilege	1856	logs.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

wscript.exeAsyncClient02.execmd.execmd.exe

description	pid	process	target process
PID 4512 wrote to memory of 2232	4512	wscript.exe	wscript.exe
PID 4512 wrote to memory of 2232	4512	wscript.exe	wscript.exe
PID 4512 wrote to memory of 4084	4512	wscript.exe	AsyncClient02.exe
PID 4512 wrote to memory of 4084	4512	wscript.exe	AsyncClient02.exe
PID 4512 wrote to memory of 4084	4512	wscript.exe	AsyncClient02.exe
PID 4084 wrote to memory of 5016	4084	AsyncClient02.exe	cmd.exe
PID 4084 wrote to memory of 5016	4084	AsyncClient02.exe	cmd.exe
PID 4084 wrote to memory of 5016	4084	AsyncClient02.exe	cmd.exe
PID 4084 wrote to memory of 1472	4084	AsyncClient02.exe	cmd.exe
PID 4084 wrote to memory of 1472	4084	AsyncClient02.exe	cmd.exe
PID 4084 wrote to memory of 1472	4084	AsyncClient02.exe	cmd.exe
PID 5016 wrote to memory of 1300	5016	cmd.exe	schtasks.exe
PID 5016 wrote to memory of 1300	5016	cmd.exe	schtasks.exe
PID 5016 wrote to memory of 1300	5016	cmd.exe	schtasks.exe
PID 1472 wrote to memory of 5040	1472	cmd.exe	timeout.exe
PID 1472 wrote to memory of 5040	1472	cmd.exe	timeout.exe
PID 1472 wrote to memory of 5040	1472	cmd.exe	timeout.exe
PID 1472 wrote to memory of 1856	1472	cmd.exe	logs.exe
PID 1472 wrote to memory of 1856	1472	cmd.exe	logs.exe
PID 1472 wrote to memory of 1856	1472	cmd.exe	logs.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\146ff96668acfa0b36d30bab42321a2cdeccfa9714c8e1cc832741ff1d5c5d84.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nWINLmmfVH.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:2232

C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
4⤵
- Creates scheduled task(s)
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8050.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:5040

C:\Users\Admin\AppData\Roaming\logs.exe
"C:\Users\Admin\AppData\Roaming\logs.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 1476 -ip 1476
1⤵
PID:4148

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1476 -s 848
1⤵
- Program crash
PID:4936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
Filesize
45KB

MD5
9e320f6163f8d53462d45fbebc282c64

SHA1
b2e0a591204581e78f0ae85ff42a7ca02542e2ae

SHA256
43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5

SHA512
4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
Filesize
45KB

MD5
9e320f6163f8d53462d45fbebc282c64

SHA1
b2e0a591204581e78f0ae85ff42a7ca02542e2ae

SHA256
43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5

SHA512
4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8050.tmp.bat
Filesize
148B

MD5
20f2b587ce94a65dd8e85fb394768c52

SHA1
fe6fbfc21360e11a78a54775c7cbe38da34eff99

SHA256
d199a8941dc08dc911cfebeec31d37b6dcb2292b2c1869a466ec7109a428d891

SHA512
48b84c1e71b76a03196814c5ec5e13acb5fcd3478389849016a430c6bfafa475218f677cd227adc9ca685364b51a181912934e5aaa4bc017eecf0792c2c07963

Download Submit
C:\Users\Admin\AppData\Roaming\logs.exe
Filesize
45KB

MD5
9e320f6163f8d53462d45fbebc282c64

SHA1
b2e0a591204581e78f0ae85ff42a7ca02542e2ae

SHA256
43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5

SHA512
4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

Download Submit
C:\Users\Admin\AppData\Roaming\logs.exe
Filesize
45KB

MD5
9e320f6163f8d53462d45fbebc282c64

SHA1
b2e0a591204581e78f0ae85ff42a7ca02542e2ae

SHA256
43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5

SHA512
4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

Download Submit
C:\Users\Admin\AppData\Roaming\nWINLmmfVH.js
Filesize
5KB

MD5
91e16cc28847b49a31fa84f5bb95d3e0

SHA1
31cbfcc259966c020e0a6af48fe7ab3f1ed8746b

SHA256
068f05236ec0499de55e3875a94989f1cc3ce5091834a09752dc61a3fb447a19

SHA512
f02c263c1f1f6374b1ae9bb5767b8cf8f7c454e2912fb58ced14b9ce8bea5c8a4ec3e1eb48bdc9aae29b572fb723b9b377b458ea5c12b101c175e475cf93b41b

Download Submit
memory/1300-142-0x0000000000000000-mapping.dmp

Download
memory/1472-140-0x0000000000000000-mapping.dmp

Download
memory/1856-144-0x0000000000000000-mapping.dmp

Download
memory/2232-132-0x0000000000000000-mapping.dmp

Download
memory/4084-134-0x0000000000000000-mapping.dmp

Download
memory/4084-137-0x0000000000E90000-0x0000000000EA2000-memory.dmp

Filesize
72KB

Download
memory/4084-138-0x0000000005B60000-0x0000000005BFC000-memory.dmp

Filesize
624KB

Download
memory/5016-139-0x0000000000000000-mapping.dmp

Download
memory/5040-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads