asyncrat | 6a4bde618c5f4a8d087364e26be121e332f35f947baf55ba4c02a4f796cceda9

General

Target

x.png.ps1
Size

243KB
MD5

fb15d35b386dd9f9cadfbd8dff55b7d6
SHA1

1663084c6fb2404fa0be3f3ae1170589f6df8ff2
SHA256

6a4bde618c5f4a8d087364e26be121e332f35f947baf55ba4c02a4f796cceda9
SHA512

f40c26fb227e4fcba639a92cda956c4693601ba766723b025b8718d9c2bfc49c3221217a2f133ad8df7dac5405045219270e7b163a228c4def0470e790d0ef60
SSDEEP

1536:h3aRvIDi0gcXRI65uSiNdnYJCmLEmg7Tvve0pAGFBQDp/QI+OcD/55j9VyAGuELw:uC6S/QI+Ocvj6cmGfl+owmGcAg3Ap6

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

C2

boxtest.publicvm.com:6666

Mutex

AsyncMutex_af

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/4832-150-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral2/memory/4832-151-0x0000000000410A7E-mapping.dmp	asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4660 set thread context of 4832	4660	powershell.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2004	schtasks.exe
4516	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2912	powershell.exe
2912	powershell.exe
3644	powershell.exe
3644	powershell.exe
4660	powershell.exe
4660	powershell.exe
4832	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	4832	aspnet_compiler.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4832	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 3612	2912	powershell.exe	85
PID 2912 wrote to memory of 3612	2912	powershell.exe	85
PID 3612 wrote to memory of 3644	3612	WScript.exe	86
PID 3612 wrote to memory of 3644	3612	WScript.exe	86
PID 3644 wrote to memory of 2004	3644	powershell.exe	89
PID 3644 wrote to memory of 2004	3644	powershell.exe	89
PID 3644 wrote to memory of 4516	3644	powershell.exe	90
PID 3644 wrote to memory of 4516	3644	powershell.exe	90
PID 3252 wrote to memory of 4660	3252	WScript.exe	95
PID 3252 wrote to memory of 4660	3252	WScript.exe	95
PID 4660 wrote to memory of 4832	4660	powershell.exe	97
PID 4660 wrote to memory of 4832	4660	powershell.exe	97
PID 4660 wrote to memory of 4832	4660	powershell.exe	97
PID 4660 wrote to memory of 4832	4660	powershell.exe	97
PID 4660 wrote to memory of 4832	4660	powershell.exe	97
PID 4660 wrote to memory of 4832	4660	powershell.exe	97
PID 4660 wrote to memory of 4832	4660	powershell.exe	97
PID 4660 wrote to memory of 4832	4660	powershell.exe	97
PID 4660 wrote to memory of 4608	4660	powershell.exe	98
PID 4660 wrote to memory of 4608	4660	powershell.exe	98

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\x.png.ps1
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Logs\install.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\Logs\install.ps1'))
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /tn det /sc minute /st 00:10 /tr C:\Users\Admin\AppData\Roaming\Logs\Loader.vbs
      4⤵
      Creates scheduled task(s)
      PID:2004
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /tn administartor /SC minute /MO 3 /tr C:\Users\Admin\AppData\Roaming\Logs\Loader.vbs
      4⤵
      Creates scheduled task(s)
      PID:4516

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\Logs\Loader.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\Logs\Report.ps1'))
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4832
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn det /f
    3⤵
    PID:4608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d096831023867930e62e6d8b3d4d8ca6

SHA1
404a1e73dc1590f1c8b9327c396591567dac7365

SHA256
167f75b42ae614a8d6b0497779ff12f09605328533487f235b029e0db03ad23b

SHA512
31333100ddd8e04bf730118ea800843720c0f3fb69e27b89dda7fa4d717d25e838ad55a0919d47a44dd8a78d724ef8c105cfa230987cc46ba94a2b790ff91b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a2b24af1492f112d2e53cb7415fda39f

SHA1
dbfcee57242a14b60997bd03379cc60198976d85

SHA256
fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073

SHA512
9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\Loader.vbs

Filesize
1KB

MD5
7a1f08fd27f797b5a5cc2d79f8f6bba7

SHA1
bd63d22c44ed12788a81cbc06b7c2bb91e0c338c

SHA256
922dc773abdfd0812b0e1adcaabf9dea2e5f0264573266cf0b024feb984c632e

SHA512
306649a84b7c57acb67d5baca1f288e9211028a19a2d9a2a331db59026d3c557a225eaaa4b325df9bc1bdf1cef2d823b1eadffaa40b6f1cf1d19ce5bfd77d449

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\Report.ps1

Filesize
237KB

MD5
fd56cfb773ed36a607597a291e24f370

SHA1
9b8d738537324f0a09f1e7188437dad110529161

SHA256
50e526a492cfc17e2a015e365c904128a25a6b4c5d7afd81edc69d9f22a09768

SHA512
8cd57fefd666548cf56fb8c18f4ca951ea4ba3773f3fd34f880a2128a7cd331aa4dfd0fc90e23c34adf889061af7f2ccd28e6138100fce6b4c7ec13b102219d9

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\install.ps1

Filesize
237B

MD5
6bdb23dd1842efaa701ced26bb8ae3a5

SHA1
67938eee711bca4d76581ad4ce157d1f197c97f8

SHA256
4e0c891ba520fc17f612e1d65b0549aea0533070237b7bc27ee36613e212429c

SHA512
16b5044b13b3c172f50c0dbfb11544750385c92144e1a2fe7dc3a3d18b361d722c72668eb11fcccecdc7dc4858f22383432515f7c9f3a353b04e52d3c4622c0e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\install.vbs

Filesize
2KB

MD5
e35d96b22a7a748d8a85089ea37b003e

SHA1
6b91c72388ed718c5ea75d1bd31263c8cb466878

SHA256
06b9130d3e031c4729ad96332ed15189d5391b88f81c5bbb0f3a94ac4a05185a

SHA512
f45a67d4dc0338ba62cfd6413f7d02889a186b8893397f32df3c88dec903fd79c849ea38538aefead378db1ea2071a0a3b921d7f9fa35729ea71371c7a3d6809

Download Submit
memory/2912-132-0x00000191F0850000-0x00000191F0872000-memory.dmp

Filesize
136KB

Download
memory/2912-133-0x00007FFF4BFF0000-0x00007FFF4CAB1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-136-0x00007FFF4BFF0000-0x00007FFF4CAB1000-memory.dmp

Filesize
10.8MB

Download
memory/3644-144-0x00007FFF4BFF0000-0x00007FFF4CAB1000-memory.dmp

Filesize
10.8MB

Download
memory/3644-143-0x00007FFF4BFF0000-0x00007FFF4CAB1000-memory.dmp

Filesize
10.8MB

Download
memory/4660-149-0x00007FFF4B8E0000-0x00007FFF4C3A1000-memory.dmp

Filesize
10.8MB

Download
memory/4660-153-0x00007FFF4B8E0000-0x00007FFF4C3A1000-memory.dmp

Filesize
10.8MB

Download
memory/4832-150-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4832-154-0x0000000005CE0000-0x0000000006284000-memory.dmp

Filesize
5.6MB

Download
memory/4832-155-0x0000000005920000-0x00000000059B2000-memory.dmp

Filesize
584KB

Download
memory/4832-156-0x0000000005910000-0x000000000591A000-memory.dmp

Filesize
40KB

Download
memory/4832-157-0x0000000006470000-0x000000000650C000-memory.dmp

Filesize
624KB

Download
memory/4832-158-0x00000000063D0000-0x0000000006436000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads