asyncrat | ec7d6975587d8dd4effb5727882b1fbb867766d4df73ec304c88d27362ce6ace

General

Target

2.ps1
Size

1002KB
MD5

53c4c7466cebb3357a4bf5fdde6e03bd
SHA1

3ae57e66c6651b2c35b873db5de86b87ccc969ad
SHA256

ec7d6975587d8dd4effb5727882b1fbb867766d4df73ec304c88d27362ce6ace
SHA512

aa7a49bde2e30748853b66c772d5bc72372699d52a0d4806d373e870eaa0488ba6ff7b92669e15c9b0180f4cfebd45e698a75b514512b6eddb338dfaf2d2a75e
SSDEEP

24576:TawjBUo3v/AOhx415r2X0Kin4clpSeuoZ+tF0USjpMmaXBxwP0oOGAlLRqkbx2yY:e

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

C2

grogrogrogro.ddnsgeek.com:4444

Mutex

AsyncMutex_6SI8OWDAW

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
728	powershell.exe
348	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 728 set thread context of 2816	728	powershell.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
348	powershell.exe
348	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
2816	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	2816	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2816	RegSvcs.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2076	1044	WScript.exe	92
PID 1044 wrote to memory of 2076	1044	WScript.exe	92
PID 2076 wrote to memory of 728	2076	cmd.exe	94
PID 2076 wrote to memory of 728	2076	cmd.exe	94
PID 728 wrote to memory of 2272	728	powershell.exe	95
PID 728 wrote to memory of 2272	728	powershell.exe	95
PID 728 wrote to memory of 2272	728	powershell.exe	95
PID 728 wrote to memory of 4516	728	powershell.exe	96
PID 728 wrote to memory of 4516	728	powershell.exe	96
PID 728 wrote to memory of 4516	728	powershell.exe	96
PID 728 wrote to memory of 2916	728	powershell.exe	97
PID 728 wrote to memory of 2916	728	powershell.exe	97
PID 728 wrote to memory of 2916	728	powershell.exe	97
PID 728 wrote to memory of 2816	728	powershell.exe	98
PID 728 wrote to memory of 2816	728	powershell.exe	98
PID 728 wrote to memory of 2816	728	powershell.exe	98
PID 728 wrote to memory of 2816	728	powershell.exe	98
PID 728 wrote to memory of 2816	728	powershell.exe	98
PID 728 wrote to memory of 2816	728	powershell.exe	98
PID 728 wrote to memory of 2816	728	powershell.exe	98
PID 728 wrote to memory of 2816	728	powershell.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:348

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\wingro8.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\wingro8.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\wingro8.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:728
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:2272
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:4516
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:2916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38e01d05f1a3c204a4b66f6503a154b4

SHA1
1f13df998e49ba099b8142117047ca78c7728826

SHA256
098383f853295ab4ca31292fc72f149c4d737544f973232a84f48ba060076610

SHA512
d4cf12cc636128328bca08bfefdb5cbd3d7e3fa0b9ab8de99734a9af67c18224146000e2a5b79ad3fcfbcef27290e93fcd8f9c0979c8dd95e47e123b479cbed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pyg5lntl.kmq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\wingro8.bat

Filesize
204B

MD5
9ae3fd9aa024c8c635043f25e14e4582

SHA1
346bdf6d3fb90733b29e4b0679eed419d2337d8a

SHA256
08eb7706a9e1efa8a68e0174bc5d62fd48282ffafc561819c3bc87784a80e73f

SHA512
b4a87e683517cdfc1df43a08b238844bac0319be234ccfddb1ba0c55bc321d5f3b592a7ecd795370d735c629ff2122d9a6405c181a16128606ba4b26c1f67af2

Download Submit
C:\Users\Public\wingro8.ps1

Filesize
1000KB

MD5
a7c519fa08aa6c0e88292f403244958d

SHA1
66aa43c3d645041957e7da8ad263c6c8ac21875f

SHA256
6b69b5238db51c77517e5ad018160b9d1be9b9d6af217033b4cf0648e4dfe1fd

SHA512
f621dc60aed94d8571a75b9f3ef83831de09fa1baebd21e12d476c67315745b6974bd76c163c623ee765f7e181da4291aa298574397782020e0b4585911fb1bd

Download Submit
C:\Users\Public\wingro8.vbs

Filesize
689B

MD5
aeee1749af12130d3f8c69f286d82904

SHA1
1199175f300c2249c1e6fedb28efa44acffa88b1

SHA256
40dd27ce5d1b906557495317c0c0164cce12baab5dae79028b1539a65a9caf2b

SHA512
f8e944b7de50ef6200606f334b82216ea177bea391b3464bacda0db44395a346994cdb26f1bba4c83e6044f88b76cad87d89179ced0ea09114d15aeab49fffec

Download Submit
memory/348-12-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

Filesize
10.8MB

Download
memory/348-19-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

Filesize
10.8MB

Download
memory/348-16-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

Filesize
10.8MB

Download
memory/348-0-0x00007FFA09743000-0x00007FFA09745000-memory.dmp

Filesize
8KB

Download
memory/348-11-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

Filesize
10.8MB

Download
memory/348-1-0x000002659F530000-0x000002659F552000-memory.dmp

Filesize
136KB

Download
memory/728-34-0x000001886E100000-0x000001886E134000-memory.dmp

Filesize
208KB

Download
memory/2816-35-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2816-37-0x0000000005C20000-0x00000000061C4000-memory.dmp

Filesize
5.6MB

Download
memory/2816-38-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/2816-39-0x0000000005840000-0x000000000584A000-memory.dmp

Filesize
40KB

Download
memory/2816-40-0x00000000064B0000-0x000000000654C000-memory.dmp

Filesize
624KB

Download
memory/2816-41-0x0000000006410000-0x0000000006476000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing