asyncrat | 4023a02e0c9b2fbc0f1c883c337653928de6ea07834ce0efd3de365be9ad0f50

Analysis

max time kernel
283s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
20/12/2022, 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4023a02e0c9b2fbc0f1c883c337653928de6ea07834ce0efd3de365be9ad0f50.js
Size

908KB
MD5

0f615e4a9d0e80813def9e1f2df43e8b
SHA1

55db1ee813628edb038008637b2e1cbb0002238b
SHA256

4023a02e0c9b2fbc0f1c883c337653928de6ea07834ce0efd3de365be9ad0f50
SHA512

8dab94c87abdaf7dc0e2565f869f361bca5b889959f23278b276016467d3648d78b02bccb1fdf76864f14efa9db339df4c827ad96362221ecf8a34979944db68
SSDEEP

6144:G9DHYDH+DuqQLzi5ZwwOueyPzjv868i0riTj0Ysv/mgXAi4SHsjoxi:GtHYDeDuDLzi5ZFeyPzj8Ysv/mgXAiIN

Score

10^/10

asyncrat vjw0rm default rat trojan worm

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

185.246.220.208:6606

185.246.220.208:7707

185.246.220.208:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Async RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/files/0x000a000000022dce-135.dat	asyncrat
behavioral2/files/0x000a000000022dce-136.dat	asyncrat
behavioral2/memory/3328-137-0x0000000000230000-0x0000000000242000-memory.dmp	asyncrat

Blocklisted process makes network request 11 IoCs

flow	pid	Process
5	3180	wscript.exe
21	3180	wscript.exe
35	3180	wscript.exe
39	3180	wscript.exe
42	3180	wscript.exe
43	3180	wscript.exe
44	3180	wscript.exe
45	3180	wscript.exe
46	3180	wscript.exe
51	3180	wscript.exe
52	3180	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
3328	Asyncraw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MoSXCtfTpn.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MoSXCtfTpn.js	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3328	Asyncraw.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 3180	1748	wscript.exe	81
PID 1748 wrote to memory of 3180	1748	wscript.exe	81
PID 1748 wrote to memory of 3328	1748	wscript.exe	82
PID 1748 wrote to memory of 3328	1748	wscript.exe	82
PID 1748 wrote to memory of 3328	1748	wscript.exe	82

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\4023a02e0c9b2fbc0f1c883c337653928de6ea07834ce0efd3de365be9ad0f50.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\MoSXCtfTpn.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:3180
- C:\Users\Admin\AppData\Local\Temp\Asyncraw.exe
  "C:\Users\Admin\AppData\Local\Temp\Asyncraw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Asyncraw.exe

Filesize
45KB

MD5
2f436433313468b315a98d4e7e75e8db

SHA1
f87adb8bf0d9a23ce2181ab91ba08357c042ae91

SHA256
a83f899ac4ef813e0930375678a00e0cfdf45b410b79771ce828fe1314a3e2a3

SHA512
7da062ec464490181d31d9e969c6873589bd39e3e71cd2739e424a1bf156842c2bc8d1236ffeeba927deaa8eee4f0b28e84e024d3340820b7ab8d466ed9d9cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asyncraw.exe

Filesize
45KB

MD5
2f436433313468b315a98d4e7e75e8db

SHA1
f87adb8bf0d9a23ce2181ab91ba08357c042ae91

SHA256
a83f899ac4ef813e0930375678a00e0cfdf45b410b79771ce828fe1314a3e2a3

SHA512
7da062ec464490181d31d9e969c6873589bd39e3e71cd2739e424a1bf156842c2bc8d1236ffeeba927deaa8eee4f0b28e84e024d3340820b7ab8d466ed9d9cb0

Download Submit
C:\Users\Admin\AppData\Roaming\MoSXCtfTpn.js

Filesize
299KB

MD5
8a2faac7270fe6ec4616924791f0a009

SHA1
a84e95cd6a3378b20630076d3e15c5142c105862

SHA256
9ec9fbe3f68c677418b32d3d11869ed633114931d98a6c4e66ad21794443faf0

SHA512
0d2c0cea7c91a615e1f23811fafa0c754af5ea908e07e14b88810a46941bd0496958580096798855d6dfd837bfc9ac8047bb300fdb3b494bed185324985efef5

Download Submit
memory/3328-137-0x0000000000230000-0x0000000000242000-memory.dmp

Filesize
72KB

Download
memory/3328-138-0x0000000005540000-0x00000000055DC000-memory.dmp

Filesize
624KB

Download
memory/3328-139-0x0000000005B90000-0x0000000006134000-memory.dmp

Filesize
5.6MB

Download
memory/3328-140-0x0000000005650000-0x00000000056B6000-memory.dmp

Filesize
408KB

Download