asyncrat | 00eca3e9f1585ace0fc6923faad233b9b01b3f8da66cc59abbcc8fad4d3f35ad

General

Target

95ba552080033c4c4f8ee4ec1a216a60.vbs
Size

674KB
MD5

95ba552080033c4c4f8ee4ec1a216a60
SHA1

ae3fcbf804bdeff2d2121925468ea9c7f4e5d986
SHA256

00eca3e9f1585ace0fc6923faad233b9b01b3f8da66cc59abbcc8fad4d3f35ad
SHA512

1ff6e6a47888ab51c4903c977d4567f6f1cdf41e04f129013dda4cefca4a85e3ed949b8ac377b4e613e8afad7d2bda6558660cb2eda4854dfbbc0ee926f2ce8f
SSDEEP

384:obfnd8WP6VRB3u6RfXjM62GWT9CcjHjUJwv+6uhH/4be3EMuQVgo7ZxoP2Q9zZE/:obO

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

frankent2021.ddns.net:2455

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.vbs	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 2712	1980	MSBuild.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 1980	2976	WScript.exe	28
PID 2976 wrote to memory of 1980	2976	WScript.exe	28
PID 2976 wrote to memory of 1980	2976	WScript.exe	28
PID 2976 wrote to memory of 1980	2976	WScript.exe	28
PID 1980 wrote to memory of 2728	1980	MSBuild.exe	30
PID 1980 wrote to memory of 2728	1980	MSBuild.exe	30
PID 1980 wrote to memory of 2728	1980	MSBuild.exe	30
PID 1980 wrote to memory of 2728	1980	MSBuild.exe	30
PID 2728 wrote to memory of 2888	2728	csc.exe	31
PID 2728 wrote to memory of 2888	2728	csc.exe	31
PID 2728 wrote to memory of 2888	2728	csc.exe	31
PID 2728 wrote to memory of 2888	2728	csc.exe	31
PID 1980 wrote to memory of 2712	1980	MSBuild.exe	32
PID 1980 wrote to memory of 2712	1980	MSBuild.exe	32
PID 1980 wrote to memory of 2712	1980	MSBuild.exe	32
PID 1980 wrote to memory of 2712	1980	MSBuild.exe	32
PID 1980 wrote to memory of 2712	1980	MSBuild.exe	32
PID 1980 wrote to memory of 2712	1980	MSBuild.exe	32
PID 1980 wrote to memory of 2712	1980	MSBuild.exe	32
PID 1980 wrote to memory of 2712	1980	MSBuild.exe	32
PID 1980 wrote to memory of 2712	1980	MSBuild.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95ba552080033c4c4f8ee4ec1a216a60.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" C:\Users\Public\Avast.xml
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ptbh4u4j\ptbh4u4j.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F3E.tmp" "c:\Users\Admin\AppData\Local\Temp\ptbh4u4j\CSCC05F38608C514F19AAC57FDAB9651927.TMP"
      4⤵
      PID:2888
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7F3E.tmp

Filesize
1KB

MD5
587738ba82edab6ba7a8af228b6e2129

SHA1
34ba0e449cac4d2a58942ad7167f869a428eb208

SHA256
38e84a9124813b6a12b55688bf76b2417508a387b248b4467700c4fcc256972d

SHA512
8669d3441d8a54cf7488357fb0d02d1ab49405fde8260fb419d13a66d01092d2612466599885cc6afcea401c947f79df091c1bbdb29211170d1c539bb35884cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptbh4u4j\ptbh4u4j.dll

Filesize
35KB

MD5
26f71b14db758a4e72a35eebd0194b9f

SHA1
22c3b6adeec00f89969eb57324a3e36c52dd8084

SHA256
a3944b8008835cee438e973ef44e5c64b25250140c092d6dd6ca3e584afeaad2

SHA512
075801f7bb8125b54ddc6da06de102761668691f52ba49353130fd61108018f6e4fc463fdc9d960454a13b6675c9800b238e4966c0a6b4ceebf0969f44b09b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptbh4u4j\ptbh4u4j.pdb

Filesize
13KB

MD5
0c6ed8736e8ad1223b234a40d541d6cc

SHA1
658c75f28e98ed1a9bd3220517c38b0052b0daa7

SHA256
d39eddfab27ab6a932f8daae74ff79f2b6c62d1faae92820d2a73ebb7dc34ac2

SHA512
dd96c40d37b49d3977ad5c48fa2187764094ad5eb535001eb4f4ebd350eda9852c3bd00324f1ae1b6231790560a937cdbe12a8e52c9a9f0f0e05b352bc9820bf

Download Submit
C:\Users\Public\Avast.xml

Filesize
107KB

MD5
818e9f315cc504223d35be6beffa6924

SHA1
ef03dc9eea969aaff4414df8d1c13860f2b05167

SHA256
1a29079f87db28bbf04fde9ce88749ded368b3dbf4317d6ea11904201c44be34

SHA512
687a025c8e98ee8cb8fbfb28b4da9f0bd60597d944b3dc4d0b9c5c3204858aa9f85472c70ae743f923ea5d2d3f2786831b40f130b5279d1a971bee93869df364

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ptbh4u4j\CSCC05F38608C514F19AAC57FDAB9651927.TMP

Filesize
652B

MD5
3b2c075ad5a3a06f4398de997de9cc54

SHA1
1e8f17e6e568976f660f6eb8d330b08cd849840b

SHA256
af37f04541043a76d49a3fc8c1ebeeeb9b60e0eb0276b9901957823ade4689af

SHA512
9558af928b39ee00a44564d7ab0425b22834bad53986ab8671edcd1255362b35485144ea9dfa341c79960fff7e344cffa8c1da9964c6e9d5075202e2ab3cf0eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ptbh4u4j\ptbh4u4j.0.cs

Filesize
106KB

MD5
a7c99d03e54108a5200845f6b328585f

SHA1
2fabc1d6ce1e3e161d8f7bb695848313bfb9e4df

SHA256
34ef806599ced48cf0b72c6b6b9b7db6570b51c847f76b2f4a63102e83ae8506

SHA512
135ef80f7b0979ba5b93e10acb26d01ce52bd9a7c7708306953c80309bcee921fe960d513fcc986853095fc69096947daa4a009f98a6d7f98311a4c1ea913bfa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ptbh4u4j\ptbh4u4j.cmdline

Filesize
660B

MD5
9725b28d5d7a0afa087958903f0bc2d1

SHA1
f0f9f4579a189448cb795eed8249c253fe39bbd5

SHA256
4ddfa08f602f5c3172db5307eaefd87e30e5943d602f40de92cdf9121837fbba

SHA512
f8da9772d4650ce0bf2af43fc71ca7c487fcb8d0017f398c2de7805cf05b094d818ae704a73d20922d0b082e6ab4743347d4fe1ed250848320fc10c615ba3426

Download Submit
memory/1980-8-0x0000000000390000-0x00000000003AA000-memory.dmp

Filesize
104KB

Download
memory/1980-29-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/1980-10-0x00000000052D0000-0x0000000005634000-memory.dmp

Filesize
3.4MB

Download
memory/1980-1-0x0000000001190000-0x00000000011D0000-memory.dmp

Filesize
256KB

Download
memory/1980-7-0x00000000004C0000-0x0000000000504000-memory.dmp

Filesize
272KB

Download
memory/1980-6-0x00000000052D0000-0x00000000053F2000-memory.dmp

Filesize
1.1MB

Download
memory/1980-5-0x0000000005050000-0x0000000005172000-memory.dmp

Filesize
1.1MB

Download
memory/1980-3-0x0000000000700000-0x0000000000740000-memory.dmp

Filesize
256KB

Download
memory/1980-2-0x0000000074D60000-0x000000007544E000-memory.dmp

Filesize
6.9MB

Download
memory/1980-25-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/1980-28-0x0000000004B80000-0x0000000004C1C000-memory.dmp

Filesize
624KB

Download
memory/1980-9-0x0000000005050000-0x00000000051CA000-memory.dmp

Filesize
1.5MB

Download
memory/1980-42-0x0000000074D60000-0x000000007544E000-memory.dmp

Filesize
6.9MB

Download
memory/2712-32-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2712-31-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2712-33-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2712-34-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-36-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2712-38-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2712-40-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2712-30-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2712-41-0x0000000074D60000-0x000000007544E000-memory.dmp

Filesize
6.9MB

Download
memory/2712-43-0x0000000074D60000-0x000000007544E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing