asyncrat | df3d882332ccedd588c8bd095b4693cffb9d1a3b8359e6f005e16a9ebdce16aa

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04/05/2023, 11:29

Target

B.ps1
Size

262KB
MD5

d3efb9110f676b9c6990ac8ce21af0d8
SHA1

6afc4f91405cadfa67694b475df3f36d903283f0
SHA256

df3d882332ccedd588c8bd095b4693cffb9d1a3b8359e6f005e16a9ebdce16aa
SHA512

329c113d57243ec5d6bfc69abf52ac1859e0307b81838cc6430e06bcf7ff75d4d5ecb3082b6d3ca891eb64988f8ac3fb1f8f952ba44399902f14a9af1fed5722
SSDEEP

1536:sz5LkCs68+OHLBdLb3YE4ZeLXxMxgswiYD:v

Score

10^/10

asyncrat coffee rat

Family

asyncrat

Version

0.5.7B

Botnet

COFFEE

1bxb.ddns.net:6606

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes.plain

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/784-66-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/784-65-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/784-68-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/784-70-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/784-72-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 784	2040	powershell.exe	29

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2040	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 784	2040	powershell.exe	29
PID 2040 wrote to memory of 784	2040	powershell.exe	29
PID 2040 wrote to memory of 784	2040	powershell.exe	29
PID 2040 wrote to memory of 784	2040	powershell.exe	29
PID 2040 wrote to memory of 784	2040	powershell.exe	29
PID 2040 wrote to memory of 784	2040	powershell.exe	29
PID 2040 wrote to memory of 784	2040	powershell.exe	29
PID 2040 wrote to memory of 784	2040	powershell.exe	29
PID 2040 wrote to memory of 784	2040	powershell.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\B.ps1
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:784

memory/784-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/784-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/784-74-0x0000000000710000-0x0000000000750000-memory.dmp

Filesize
256KB

Download
memory/784-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/784-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/784-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/784-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/784-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/784-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2040-58-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/2040-59-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/2040-62-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/2040-61-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2040-73-0x00000000025AB000-0x00000000025E2000-memory.dmp

Filesize
220KB

Download
memory/2040-60-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download