asyncrat | 829fcf481eccee4d91cffb6e6c1eef3048cab4a9ac10a6c65397bc8b70f06f66

General

Target

ORDER-24603909AF.js
Size

8KB
MD5

8bc951c9580b40a1b7c6222613b97da4
SHA1

ffeed34cea7de42eb7b1262113ef3c753ae121c0
SHA256

a47fb3147b531316317dd8150333f7417f6fe196f0ef8656babb070e37d9cc0d
SHA512

5b07d8c2ed5c1a6ea604dfac05a598756e5fa2dfe3db5d3e4219e3752bad176a1b5b8f1f29c7b44513e0939e16ee4d8388c31e6fd232e262a28fbfbf04023bc8
SSDEEP

48:1PueRvRbecveUMW9gdueHhUfJawYYueihb+EKpOFwSmvkuess9vGbFKpbbyh:Zz5FMYoBnmaLKpD+mZ

Score

10^/10

asyncrat execution rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 29 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2400-39-0x0000000000330000-0x0000000000356000-memory.dmp	family_asyncrat
behavioral1/memory/2400-70-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-94-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-92-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-90-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-88-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-86-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-84-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-82-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-80-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-78-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-76-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-74-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-72-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-68-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-66-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-64-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-62-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-60-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-58-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-56-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-54-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-52-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-50-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-48-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-46-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-44-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-42-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat
behavioral1/memory/2400-41-0x0000000000330000-0x0000000000350000-memory.dmp	family_asyncrat

Detects executables packed with ConfuserEx Mod 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2584-20-0x0000000000C90000-0x0000000000D46000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2664-370-0x0000000000B20000-0x0000000000BD6000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

4 1936 wscript.exe
Downloads MZ/PE file
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2516 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1828 timeout.exe

flow	pid	process
4	1936	wscript.exe

pid	process
2516	schtasks.exe

pid	process
1828	timeout.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-24603909AF.js
1⤵
- Blocklisted process makes network request
PID:1936

C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe
"C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe"
2⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe
"C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe"
3⤵
PID:2400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "audio" /tr '"C:\Users\Admin\AppData\Local\Temp\audio.exe"' & exit
4⤵
PID:1488

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "audio" /tr '"C:\Users\Admin\AppData\Local\Temp\audio.exe"'
5⤵
- Creates scheduled task(s)
PID:2516

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp24CF.tmp.bat""
4⤵
PID:2908

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:1828

C:\Users\Admin\AppData\Local\Temp\audio.exe
"C:\Users\Admin\AppData\Local\Temp\audio.exe"
5⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\audio.exe
"C:\Users\Admin\AppData\Local\Temp\audio.exe"
6⤵
PID:2652

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe
Filesize
696KB

MD5
f672108901b809c33d38bb6801c9b273

SHA1
b5d45949ba7d38b92c20d31cfcae6d437dea8c18

SHA256
90e5d1dba754723f6b34acbc974c65467495605f197857569a7ff211aeffca7f

SHA512
6f0cae9ca529b197fd5464c6d929437fadfc5c6c36aee5fc7fce1425d5e94cd8a90573c486c339df79ca75b532ef21d9105981eb7650c652db1abc6401c73c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp24CF.tmp.bat
Filesize
152B

MD5
23f474e404a298072777cd46249d97b6

SHA1
8e64cd61ff89b69f11a5b1e5f80080362f05494d

SHA256
60e3784f46bb06277343552c35867107cbfe460f5eb1c2f1ce216d15c3cf0f24

SHA512
464a204c03067721f31fa20c7652b0a87d2821acd334ac5abc1990db59fc4c2938db7e9378f443429b46a02818e6aaed7d5b4a46ebf838c53e2aca0f94f68665

Download Submit
memory/2400-52-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-70-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-38-0x00000000743BE000-0x00000000743BF000-memory.dmp

Filesize
4KB

Download
memory/2400-48-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-50-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-92-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-90-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-88-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-86-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-84-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-82-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-80-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-78-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-76-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-74-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-72-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-68-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-66-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-64-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-62-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-60-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-58-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-56-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-54-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-39-0x0000000000330000-0x0000000000356000-memory.dmp

Filesize
152KB

Download
memory/2400-94-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-40-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2400-46-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-44-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-42-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-41-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/2400-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2400-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2400-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2400-31-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2400-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2400-28-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2400-27-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2400-26-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2400-25-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2400-355-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2400-364-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2400-365-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2400-37-0x00000000002D0000-0x00000000002F8000-memory.dmp

Filesize
160KB

Download
memory/2584-20-0x0000000000C90000-0x0000000000D46000-memory.dmp

Filesize
728KB

Download
memory/2584-19-0x00000000743BE000-0x00000000743BF000-memory.dmp

Filesize
4KB

Download
memory/2584-21-0x0000000000370000-0x0000000000384000-memory.dmp

Filesize
80KB

Download
memory/2584-22-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/2584-35-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-700-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-701-0x00000000743BE000-0x00000000743BF000-memory.dmp

Filesize
4KB

Download
memory/2664-370-0x0000000000B20000-0x0000000000BD6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads