asyncrat | a47fb3147b531316317dd8150333f7417f6fe196f0ef8656babb070e37d9cc0d

General

Target

a47fb3147b531316317dd8150333f7417f6fe196f0ef8656babb070e37d9cc0d.js
Size

8KB
MD5

8bc951c9580b40a1b7c6222613b97da4
SHA1

ffeed34cea7de42eb7b1262113ef3c753ae121c0
SHA256

a47fb3147b531316317dd8150333f7417f6fe196f0ef8656babb070e37d9cc0d
SHA512

5b07d8c2ed5c1a6ea604dfac05a598756e5fa2dfe3db5d3e4219e3752bad176a1b5b8f1f29c7b44513e0939e16ee4d8388c31e6fd232e262a28fbfbf04023bc8
SSDEEP

48:1PueRvRbecveUMW9gdueHhUfJawYYueihb+EKpOFwSmvkuess9vGbFKpbbyh:Zz5FMYoBnmaLKpD+mZ

Score

10^/10

asyncrat execution rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 32 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1972-32-0x0000000003170000-0x0000000003196000-memory.dmp	family_asyncrat
behavioral2/memory/1972-94-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-82-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-80-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-78-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-76-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-74-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-72-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-70-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-69-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-66-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-64-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-62-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-60-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-58-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-56-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-52-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-50-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-46-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-44-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-40-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-38-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-36-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-35-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-92-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-90-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-88-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-86-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-84-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-54-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-48-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat
behavioral2/memory/1972-42-0x0000000003170000-0x0000000003190000-memory.dmp	family_asyncrat

Detects executables packed with ConfuserEx Mod 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/1736-18-0x0000000000470000-0x0000000000526000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Blocklisted process makes network request 3 IoCs

Processes:

wscript.exe

flow pid process

4 4760 wscript.exe
7 4760 wscript.exe
9 4760 wscript.exe
Downloads MZ/PE file

flow	pid	process
4	4760	wscript.exe
7	4760	wscript.exe
9	4760	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeSGUDBQ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	SGUDBQ.exe

Executes dropped EXE 5 IoCs

Processes:

SGUDBQ.exeSGUDBQ.exeSGUDBQ.exeaudio.exeaudio.exe

pid process

1736 SGUDBQ.exe
1648 SGUDBQ.exe
1972 SGUDBQ.exe
4216 audio.exe
2392 audio.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SGUDBQ.exeaudio.exe

description	pid	process	target process
PID 1736 set thread context of 1972	1736	SGUDBQ.exe	SGUDBQ.exe
PID 4216 set thread context of 2392	4216	audio.exe	audio.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1916 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3596 timeout.exe

pid	process
1916	schtasks.exe

pid	process
3596	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

SGUDBQ.exeSGUDBQ.exe

pid	process
1736	SGUDBQ.exe
1736	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe
1972	SGUDBQ.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SGUDBQ.exeSGUDBQ.exeaudio.exe

description pid process

Token: SeDebugPrivilege 1736 SGUDBQ.exe
Token: SeDebugPrivilege 1972 SGUDBQ.exe
Token: SeDebugPrivilege 2392 audio.exe

description	pid	process
Token: SeDebugPrivilege	1736	SGUDBQ.exe
Token: SeDebugPrivilege	1972	SGUDBQ.exe
Token: SeDebugPrivilege	2392	audio.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

wscript.exeSGUDBQ.exeSGUDBQ.execmd.execmd.exeaudio.exe

description	pid	process	target process
PID 4760 wrote to memory of 1736	4760	wscript.exe	SGUDBQ.exe
PID 4760 wrote to memory of 1736	4760	wscript.exe	SGUDBQ.exe
PID 4760 wrote to memory of 1736	4760	wscript.exe	SGUDBQ.exe
PID 1736 wrote to memory of 1648	1736	SGUDBQ.exe	SGUDBQ.exe
PID 1736 wrote to memory of 1648	1736	SGUDBQ.exe	SGUDBQ.exe
PID 1736 wrote to memory of 1648	1736	SGUDBQ.exe	SGUDBQ.exe
PID 1736 wrote to memory of 1972	1736	SGUDBQ.exe	SGUDBQ.exe
PID 1736 wrote to memory of 1972	1736	SGUDBQ.exe	SGUDBQ.exe
PID 1736 wrote to memory of 1972	1736	SGUDBQ.exe	SGUDBQ.exe
PID 1736 wrote to memory of 1972	1736	SGUDBQ.exe	SGUDBQ.exe
PID 1736 wrote to memory of 1972	1736	SGUDBQ.exe	SGUDBQ.exe
PID 1736 wrote to memory of 1972	1736	SGUDBQ.exe	SGUDBQ.exe
PID 1736 wrote to memory of 1972	1736	SGUDBQ.exe	SGUDBQ.exe
PID 1736 wrote to memory of 1972	1736	SGUDBQ.exe	SGUDBQ.exe
PID 1736 wrote to memory of 1972	1736	SGUDBQ.exe	SGUDBQ.exe
PID 1972 wrote to memory of 2804	1972	SGUDBQ.exe	cmd.exe
PID 1972 wrote to memory of 2804	1972	SGUDBQ.exe	cmd.exe
PID 1972 wrote to memory of 2804	1972	SGUDBQ.exe	cmd.exe
PID 1972 wrote to memory of 3032	1972	SGUDBQ.exe	cmd.exe
PID 1972 wrote to memory of 3032	1972	SGUDBQ.exe	cmd.exe
PID 1972 wrote to memory of 3032	1972	SGUDBQ.exe	cmd.exe
PID 2804 wrote to memory of 1916	2804	cmd.exe	schtasks.exe
PID 2804 wrote to memory of 1916	2804	cmd.exe	schtasks.exe
PID 2804 wrote to memory of 1916	2804	cmd.exe	schtasks.exe
PID 3032 wrote to memory of 3596	3032	cmd.exe	timeout.exe
PID 3032 wrote to memory of 3596	3032	cmd.exe	timeout.exe
PID 3032 wrote to memory of 3596	3032	cmd.exe	timeout.exe
PID 3032 wrote to memory of 4216	3032	cmd.exe	audio.exe
PID 3032 wrote to memory of 4216	3032	cmd.exe	audio.exe
PID 3032 wrote to memory of 4216	3032	cmd.exe	audio.exe
PID 4216 wrote to memory of 2392	4216	audio.exe	audio.exe
PID 4216 wrote to memory of 2392	4216	audio.exe	audio.exe
PID 4216 wrote to memory of 2392	4216	audio.exe	audio.exe
PID 4216 wrote to memory of 2392	4216	audio.exe	audio.exe
PID 4216 wrote to memory of 2392	4216	audio.exe	audio.exe
PID 4216 wrote to memory of 2392	4216	audio.exe	audio.exe
PID 4216 wrote to memory of 2392	4216	audio.exe	audio.exe
PID 4216 wrote to memory of 2392	4216	audio.exe	audio.exe
PID 4216 wrote to memory of 2392	4216	audio.exe	audio.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\a47fb3147b531316317dd8150333f7417f6fe196f0ef8656babb070e37d9cc0d.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4760

C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe
"C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe
"C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe"
3⤵
- Executes dropped EXE
PID:1648

C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe
"C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "audio" /tr '"C:\Users\Admin\AppData\Local\Temp\audio.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "audio" /tr '"C:\Users\Admin\AppData\Local\Temp\audio.exe"'
5⤵
- Creates scheduled task(s)
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp513D.tmp.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:3596

C:\Users\Admin\AppData\Local\Temp\audio.exe
"C:\Users\Admin\AppData\Local\Temp\audio.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Local\Temp\audio.exe
"C:\Users\Admin\AppData\Local\Temp\audio.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2392

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe
Filesize
696KB

MD5
f672108901b809c33d38bb6801c9b273

SHA1
b5d45949ba7d38b92c20d31cfcae6d437dea8c18

SHA256
90e5d1dba754723f6b34acbc974c65467495605f197857569a7ff211aeffca7f

SHA512
6f0cae9ca529b197fd5464c6d929437fadfc5c6c36aee5fc7fce1425d5e94cd8a90573c486c339df79ca75b532ef21d9105981eb7650c652db1abc6401c73c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp513D.tmp.bat
Filesize
152B

MD5
63ee96e6a3805f90a2015681d63ebb72

SHA1
6c1a79e49c01fe253c06fd2bf9ddc49c6e9e26e7

SHA256
39084130295ff8f98f7c1587be96ab3ad6cdea72639551f043a7cc42907de2bf

SHA512
622e1b8e0d5716caac0fe8568e6376359453e147c36568c227b8fee2dc4dce9616420a3f5d95dc58f528b62ec10da14605f6332242713fffa6b97195a85e61a8

Download Submit
memory/1736-17-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/1736-18-0x0000000000470000-0x0000000000526000-memory.dmp

Filesize
728KB

Download
memory/1736-19-0x00000000055D0000-0x0000000005B74000-memory.dmp

Filesize
5.6MB

Download
memory/1736-20-0x0000000004F00000-0x0000000004F92000-memory.dmp

Filesize
584KB

Download
memory/1736-21-0x0000000004E80000-0x0000000004E94000-memory.dmp

Filesize
80KB

Download
memory/1736-22-0x0000000004EA0000-0x0000000004EA8000-memory.dmp

Filesize
32KB

Download
memory/1736-28-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/1736-680-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/1736-679-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/1972-27-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1972-26-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1972-29-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1972-30-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/1972-31-0x0000000002F70000-0x0000000002F98000-memory.dmp

Filesize
160KB

Download
memory/1972-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1972-32-0x0000000003170000-0x0000000003196000-memory.dmp

Filesize
152KB

Download
memory/1972-33-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/1972-34-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/1972-94-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-272-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/1972-82-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-80-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-78-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-76-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-74-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-72-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-70-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-69-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-66-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-64-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-62-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-60-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-58-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-56-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-52-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-50-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-46-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-44-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-40-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-38-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-36-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-35-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-92-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-90-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-88-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-86-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-84-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-54-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-48-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-42-0x0000000003170000-0x0000000003190000-memory.dmp

Filesize
128KB

Download
memory/1972-350-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/1972-351-0x0000000005770000-0x000000000580C000-memory.dmp

Filesize
624KB

Download
memory/1972-356-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1972-357-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download

pid	process
1736	SGUDBQ.exe
1648	SGUDBQ.exe
1972	SGUDBQ.exe
4216	audio.exe
2392	audio.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads