asyncrat | ac1bdd0a6805d540ab7f6c1b97a13e75481cf6f34fc29fedec7fdae985c84f84

General

Target

huh.ps1
Size

219KB
MD5

06cd7dd672ef084e0e1d0e6d1471c88d
SHA1

4b182af0059034ddbcb326ebfec289b1ad088850
SHA256

ac1bdd0a6805d540ab7f6c1b97a13e75481cf6f34fc29fedec7fdae985c84f84
SHA512

82d02f7ae24bdef61dc2cc1f890c904a5c611bb65b0196219212387f03ccb22c3c6f5122ecf2586c67504485b8bbf0553121b5a5f43b76e13f78d383a569f160
SSDEEP

3072:RsF+Uv1vZCUC+QI+O2MjuiWd9e/uGUowmGcAb3Apc9R:mFu+QI+pMju/99owmGcAb3Ap4

Score

10^/10

asyncrat oso_neew rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

OsO_Neew

C2

osostata.com:7777

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1780-172-0x0000000000400000-0x0000000000414000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4120 set thread context of 1780	4120	powershell.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4656	powershell.exe
4656	powershell.exe
4120	powershell.exe
4120	powershell.exe
1780	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	1780	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1780	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 2860	4656	powershell.exe	85
PID 4656 wrote to memory of 2860	4656	powershell.exe	85
PID 2792 wrote to memory of 4796	2792	WScript.exe	95
PID 2792 wrote to memory of 4796	2792	WScript.exe	95
PID 4796 wrote to memory of 4176	4796	cmd.exe	97
PID 4796 wrote to memory of 4176	4796	cmd.exe	97
PID 4176 wrote to memory of 4120	4176	cmd.exe	98
PID 4176 wrote to memory of 4120	4176	cmd.exe	98
PID 4120 wrote to memory of 1780	4120	powershell.exe	99
PID 4120 wrote to memory of 1780	4120	powershell.exe	99
PID 4120 wrote to memory of 1780	4120	powershell.exe	99
PID 4120 wrote to memory of 1780	4120	powershell.exe	99
PID 4120 wrote to memory of 1780	4120	powershell.exe	99
PID 4120 wrote to memory of 1780	4120	powershell.exe	99
PID 4120 wrote to memory of 1780	4120	powershell.exe	99
PID 4120 wrote to memory of 1780	4120	powershell.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\huh.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn kjgn /tr C:\ProgramData\kjgn\kjgn.vbs
  2⤵
  - Creates scheduled task(s)
  PID:2860

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\kjgn\kjgn.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\kjgn\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\system32\cmd.exe
    CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\kjgn\jiuo.ps1"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\kjgn\jiuo.ps1"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4120
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kjgn\1.bat

Filesize
87B

MD5
e012a0370cc4abdf16e5158bb916a637

SHA1
8021bc976254493472c0c80ecb01e6d65bda3c0c

SHA256
ba174d5443d74ce5a1bc67831e3122d967e90862188c0cc878fb5153c13b6ecb

SHA512
defd506a51fc3e0561ce2891b7620590536e987007a8085c79876b3de5a54e66c44b9ea841d50aa0d133594425a11bc1ab8f3ba7d1779135c5fe62d2dcbf4b89

Download Submit
C:\ProgramData\kjgn\jiuo.ps1

Filesize
218KB

MD5
b06f966bcdfbac5a696cc56374f678c1

SHA1
490b1d213d3ac57baa7d0735167ac0717f511df2

SHA256
e86f378a4048637f351b71aebe074f2c85724e620584bd0b38ad7aa264f103b9

SHA512
4121ef77be3448e9317d5d965ac4fa6840c4ae2a571f082a88337fa631eb7033861a8d01f3f9763a9bc0fa2065b6498eb2f4b6914ea0ea6f1f3eca2f124a2d34

Download Submit
C:\ProgramData\kjgn\kjgn.vbs

Filesize
123B

MD5
9b393c895a13532f73ab61c223d29da9

SHA1
a645150ed31a57b4995eb9f167adc3a734f7b8bd

SHA256
f69b93e320d4088178547122b78d223b4f4d4e93fc94a0af5c788b0cb1015f7b

SHA512
d707d925c508b5d9ec6bfa4538e306eb1fd1079fe8c673fd67bbb1949517920808e7bf403818cf98c46ecce224904a88f5de42aa4feeb30b212c05113e555d8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
125a95fa1b56f62f7a206cb157cb0eda

SHA1
e7b35f31668ca67d1c957efda8a68082ad07bafd

SHA256
518ee0be1514006ae867187f62aef67134886dc039f637f29d5b9b7b53c216d6

SHA512
9febf31f02a5b80ba3cef08c6801bc38202e4b881122eaed29a6b9882c7dc4f62e9415377262e8080f83c9017938397e6d0e6b5166997538ef42e44c5bbd6e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qnpnw4je.0bk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1780-172-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1780-175-0x00000000060C0000-0x0000000006664000-memory.dmp

Filesize
5.6MB

Download
memory/1780-180-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/1780-179-0x0000000006850000-0x00000000068B6000-memory.dmp

Filesize
408KB

Download
memory/1780-178-0x00000000067B0000-0x000000000684C000-memory.dmp

Filesize
624KB

Download
memory/1780-177-0x0000000005EC0000-0x0000000005ECA000-memory.dmp

Filesize
40KB

Download
memory/1780-176-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/1780-174-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/4120-169-0x00000275BA470000-0x00000275BA480000-memory.dmp

Filesize
64KB

Download
memory/4120-170-0x00000275BA470000-0x00000275BA480000-memory.dmp

Filesize
64KB

Download
memory/4120-171-0x00000275BA470000-0x00000275BA480000-memory.dmp

Filesize
64KB

Download
memory/4656-143-0x000002861A1E0000-0x000002861A1F0000-memory.dmp

Filesize
64KB

Download
memory/4656-138-0x0000028635F70000-0x0000028635F92000-memory.dmp

Filesize
136KB

Download
memory/4656-151-0x000002861A1E0000-0x000002861A1F0000-memory.dmp

Filesize
64KB

Download
memory/4656-144-0x000002861A1E0000-0x000002861A1F0000-memory.dmp

Filesize
64KB

Download
memory/4656-149-0x000002861A1E0000-0x000002861A1F0000-memory.dmp

Filesize
64KB

Download
memory/4656-150-0x000002861A1E0000-0x000002861A1F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads