asyncrat | 829fcf481eccee4d91cffb6e6c1eef3048cab4a9ac10a6c65397bc8b70f06f66

General

Target

ORDER-24603909AF.js
Size

8KB
MD5

8bc951c9580b40a1b7c6222613b97da4
SHA1

ffeed34cea7de42eb7b1262113ef3c753ae121c0
SHA256

a47fb3147b531316317dd8150333f7417f6fe196f0ef8656babb070e37d9cc0d
SHA512

5b07d8c2ed5c1a6ea604dfac05a598756e5fa2dfe3db5d3e4219e3752bad176a1b5b8f1f29c7b44513e0939e16ee4d8388c31e6fd232e262a28fbfbf04023bc8
SSDEEP

48:1PueRvRbecveUMW9gdueHhUfJawYYueihb+EKpOFwSmvkuess9vGbFKpbbyh:Zz5FMYoBnmaLKpD+mZ

Score

10^/10

asyncrat execution rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 32 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2388-49-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-82-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-55-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-94-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-92-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-90-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-88-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-86-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-84-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-80-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-78-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-76-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-74-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-72-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-70-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-68-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-66-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-64-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-62-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-60-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-57-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-53-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-51-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-47-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-45-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-44-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-41-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-39-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-37-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-35-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-34-0x0000000002AD0000-0x0000000002AF0000-memory.dmp	family_asyncrat
behavioral2/memory/2388-32-0x0000000002AD0000-0x0000000002AF6000-memory.dmp	family_asyncrat

Detects executables packed with ConfuserEx Mod 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/4360-18-0x0000000000800000-0x00000000008B6000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Blocklisted process makes network request 3 IoCs

Processes:

wscript.exe

flow pid process

4 4252 wscript.exe
7 4252 wscript.exe
9 4252 wscript.exe
Downloads MZ/PE file

flow	pid	process
4	4252	wscript.exe
7	4252	wscript.exe
9	4252	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeSGUDBQ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SGUDBQ.exe

Executes dropped EXE 4 IoCs

Processes:

SGUDBQ.exeSGUDBQ.exeaudio.exeaudio.exe

pid process

4360 SGUDBQ.exe
2388 SGUDBQ.exe
3636 audio.exe
2772 audio.exe

pid	process
4360	SGUDBQ.exe
2388	SGUDBQ.exe
3636	audio.exe
2772	audio.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SGUDBQ.exeaudio.exe

description	pid	process	target process
PID 4360 set thread context of 2388	4360	SGUDBQ.exe	SGUDBQ.exe
PID 3636 set thread context of 2772	3636	audio.exe	audio.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2132 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2328 timeout.exe

pid	process
2132	schtasks.exe

pid	process
2328	timeout.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

SGUDBQ.exe

pid	process
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe
2388	SGUDBQ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SGUDBQ.exeaudio.exe

description pid process

Token: SeDebugPrivilege 2388 SGUDBQ.exe
Token: SeDebugPrivilege 2772 audio.exe

description	pid	process
Token: SeDebugPrivilege	2388	SGUDBQ.exe
Token: SeDebugPrivilege	2772	audio.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

wscript.exeSGUDBQ.exeSGUDBQ.execmd.execmd.exeaudio.exe

description	pid	process	target process
PID 4252 wrote to memory of 4360	4252	wscript.exe	SGUDBQ.exe
PID 4252 wrote to memory of 4360	4252	wscript.exe	SGUDBQ.exe
PID 4252 wrote to memory of 4360	4252	wscript.exe	SGUDBQ.exe
PID 4360 wrote to memory of 2388	4360	SGUDBQ.exe	SGUDBQ.exe
PID 4360 wrote to memory of 2388	4360	SGUDBQ.exe	SGUDBQ.exe
PID 4360 wrote to memory of 2388	4360	SGUDBQ.exe	SGUDBQ.exe
PID 4360 wrote to memory of 2388	4360	SGUDBQ.exe	SGUDBQ.exe
PID 4360 wrote to memory of 2388	4360	SGUDBQ.exe	SGUDBQ.exe
PID 4360 wrote to memory of 2388	4360	SGUDBQ.exe	SGUDBQ.exe
PID 4360 wrote to memory of 2388	4360	SGUDBQ.exe	SGUDBQ.exe
PID 4360 wrote to memory of 2388	4360	SGUDBQ.exe	SGUDBQ.exe
PID 4360 wrote to memory of 2388	4360	SGUDBQ.exe	SGUDBQ.exe
PID 2388 wrote to memory of 4068	2388	SGUDBQ.exe	cmd.exe
PID 2388 wrote to memory of 4068	2388	SGUDBQ.exe	cmd.exe
PID 2388 wrote to memory of 4068	2388	SGUDBQ.exe	cmd.exe
PID 2388 wrote to memory of 4444	2388	SGUDBQ.exe	cmd.exe
PID 2388 wrote to memory of 4444	2388	SGUDBQ.exe	cmd.exe
PID 2388 wrote to memory of 4444	2388	SGUDBQ.exe	cmd.exe
PID 4068 wrote to memory of 2132	4068	cmd.exe	schtasks.exe
PID 4068 wrote to memory of 2132	4068	cmd.exe	schtasks.exe
PID 4068 wrote to memory of 2132	4068	cmd.exe	schtasks.exe
PID 4444 wrote to memory of 2328	4444	cmd.exe	timeout.exe
PID 4444 wrote to memory of 2328	4444	cmd.exe	timeout.exe
PID 4444 wrote to memory of 2328	4444	cmd.exe	timeout.exe
PID 4444 wrote to memory of 3636	4444	cmd.exe	audio.exe
PID 4444 wrote to memory of 3636	4444	cmd.exe	audio.exe
PID 4444 wrote to memory of 3636	4444	cmd.exe	audio.exe
PID 3636 wrote to memory of 2772	3636	audio.exe	audio.exe
PID 3636 wrote to memory of 2772	3636	audio.exe	audio.exe
PID 3636 wrote to memory of 2772	3636	audio.exe	audio.exe
PID 3636 wrote to memory of 2772	3636	audio.exe	audio.exe
PID 3636 wrote to memory of 2772	3636	audio.exe	audio.exe
PID 3636 wrote to memory of 2772	3636	audio.exe	audio.exe
PID 3636 wrote to memory of 2772	3636	audio.exe	audio.exe
PID 3636 wrote to memory of 2772	3636	audio.exe	audio.exe
PID 3636 wrote to memory of 2772	3636	audio.exe	audio.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-24603909AF.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4252

C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe
"C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4360

C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe
"C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "audio" /tr '"C:\Users\Admin\AppData\Local\Temp\audio.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "audio" /tr '"C:\Users\Admin\AppData\Local\Temp\audio.exe"'
5⤵
- Creates scheduled task(s)
PID:2132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp851E.tmp.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:2328

C:\Users\Admin\AppData\Local\Temp\audio.exe
"C:\Users\Admin\AppData\Local\Temp\audio.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3636

C:\Users\Admin\AppData\Local\Temp\audio.exe
"C:\Users\Admin\AppData\Local\Temp\audio.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2772

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe
Filesize
696KB

MD5
f672108901b809c33d38bb6801c9b273

SHA1
b5d45949ba7d38b92c20d31cfcae6d437dea8c18

SHA256
90e5d1dba754723f6b34acbc974c65467495605f197857569a7ff211aeffca7f

SHA512
6f0cae9ca529b197fd5464c6d929437fadfc5c6c36aee5fc7fce1425d5e94cd8a90573c486c339df79ca75b532ef21d9105981eb7650c652db1abc6401c73c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp851E.tmp.bat
Filesize
152B

MD5
270a7aebcf360b448ffbdc7526687c27

SHA1
3e120a6a1f6e2c0e0ffab247953f15dfe6c47d83

SHA256
ca8c64079d120176f6357aaf6c8a618f5c21b26aa30c15bb887b9d913b8db996

SHA512
1ec04ea9f722e839ae6fd7be4f3a95e967de759239a6520f576ede044d3b8e50060812b3f304fbc11abf96d151d9d0222af12a89b2d8a519b9abccbe2f189eca

Download Submit
memory/2388-60-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-355-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2388-30-0x000000007476E000-0x000000007476F000-memory.dmp

Filesize
4KB

Download
memory/2388-28-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2388-26-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2388-25-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2388-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2388-49-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-82-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-55-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-94-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-92-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-90-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-88-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-86-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-84-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-80-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-78-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-76-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-74-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-72-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-70-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-68-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-66-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-64-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-62-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-29-0x0000000002740000-0x0000000002768000-memory.dmp

Filesize
160KB

Download
memory/2388-31-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2388-356-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2388-51-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-47-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-45-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-44-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-41-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-39-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-37-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-35-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-58-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2388-34-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-32-0x0000000002AD0000-0x0000000002AF6000-memory.dmp

Filesize
152KB

Download
memory/2388-33-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2388-57-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/2388-350-0x0000000005130000-0x00000000051CC000-memory.dmp

Filesize
624KB

Download
memory/2388-349-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2388-53-0x0000000002AD0000-0x0000000002AF0000-memory.dmp

Filesize
128KB

Download
memory/4360-27-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4360-21-0x0000000005210000-0x0000000005224000-memory.dmp

Filesize
80KB

Download
memory/4360-20-0x00000000052D0000-0x0000000005362000-memory.dmp

Filesize
584KB

Download
memory/4360-19-0x0000000005880000-0x0000000005E24000-memory.dmp

Filesize
5.6MB

Download
memory/4360-18-0x0000000000800000-0x00000000008B6000-memory.dmp

Filesize
728KB

Download
memory/4360-22-0x00000000052A0000-0x00000000052A8000-memory.dmp

Filesize
32KB

Download
memory/4360-17-0x000000007476E000-0x000000007476F000-memory.dmp

Filesize
4KB

Download
memory/4360-678-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4360-679-0x000000007476E000-0x000000007476F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads