asyncrat | a1c7157e3d321dc5966c65601335e053edb2c4a1e6cf4f1f678b974a4f2dbf26

Analysis

max time kernel
139s
max time network
149s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

623534bf150f2538edb27e51ed56b92f464adb5da8e2db378ec3a666fcb64772.vbs
Size

841KB
MD5

7ef40963a365cadbbc01e789477f9e6a
SHA1

df6e734860b53d92611fc32fd353a8df4aa19cd8
SHA256

623534bf150f2538edb27e51ed56b92f464adb5da8e2db378ec3a666fcb64772
SHA512

505e784ec07b5e29f975ac016495a607713f6c1cf6a2d9c6e380873943dd3d64f0ec950cf5f8569a0cef69b88d1cfce1642cdb16a9d989a510e024c2494a2e01
SSDEEP

384:obFjHXqpsYeHEtwKL8NPZj0avxavVoOJjhakb1iUOPLayavjPibWjbInejW3atjQ:obFjHXqpsYeHEtwKfisbW4X3E

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

akconsult.linkpc.net:9872

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
details.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Drops startup file 1 IoCs

Processes:

MSBuild.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Install.vbs MSBuild.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

MSBuild.exe

description pid process target process

PID 2600 set thread context of 2992 2600 MSBuild.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Install.vbs	MSBuild.exe

description	pid	process	target process
PID 2600 set thread context of 2992	2600	MSBuild.exe	MSBuild.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cvtres.exeMSBuild.exeMSBuild.execsc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

WScript.exeMSBuild.execsc.exe

description	pid	process	target process
PID 2428 wrote to memory of 2600	2428	WScript.exe	MSBuild.exe
PID 2428 wrote to memory of 2600	2428	WScript.exe	MSBuild.exe
PID 2428 wrote to memory of 2600	2428	WScript.exe	MSBuild.exe
PID 2428 wrote to memory of 2600	2428	WScript.exe	MSBuild.exe
PID 2600 wrote to memory of 2312	2600	MSBuild.exe	csc.exe
PID 2600 wrote to memory of 2312	2600	MSBuild.exe	csc.exe
PID 2600 wrote to memory of 2312	2600	MSBuild.exe	csc.exe
PID 2600 wrote to memory of 2312	2600	MSBuild.exe	csc.exe
PID 2312 wrote to memory of 2592	2312	csc.exe	cvtres.exe
PID 2312 wrote to memory of 2592	2312	csc.exe	cvtres.exe
PID 2312 wrote to memory of 2592	2312	csc.exe	cvtres.exe
PID 2312 wrote to memory of 2592	2312	csc.exe	cvtres.exe
PID 2600 wrote to memory of 2992	2600	MSBuild.exe	MSBuild.exe
PID 2600 wrote to memory of 2992	2600	MSBuild.exe	MSBuild.exe
PID 2600 wrote to memory of 2992	2600	MSBuild.exe	MSBuild.exe
PID 2600 wrote to memory of 2992	2600	MSBuild.exe	MSBuild.exe
PID 2600 wrote to memory of 2992	2600	MSBuild.exe	MSBuild.exe
PID 2600 wrote to memory of 2992	2600	MSBuild.exe	MSBuild.exe
PID 2600 wrote to memory of 2992	2600	MSBuild.exe	MSBuild.exe
PID 2600 wrote to memory of 2992	2600	MSBuild.exe	MSBuild.exe
PID 2600 wrote to memory of 2992	2600	MSBuild.exe	MSBuild.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\623534bf150f2538edb27e51ed56b92f464adb5da8e2db378ec3a666fcb64772.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" C:\Users\Public\Avast.xml
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q4vt0h5p\q4vt0h5p.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB903.tmp" "c:\Users\Admin\AppData\Local\Temp\q4vt0h5p\CSC3188BB6C710449B885D045272E4EA127.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2592
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB903.tmp

Filesize
1KB

MD5
c324f67a4a844fe5f2f5101d7a3ef8b2

SHA1
8cefb5e36c95f9bd0c8675ed7728963ad308e96f

SHA256
0e2b1faa82c368c593c776352acc35c6532201687e5a9c21d018572791aff1c4

SHA512
807f78cdab21c1ba7ec8cb339300de15646cb22abd4610b46c276804ea2b7dce583e48be1345bdb02f2facb75e1faee7b948241654d68cce7140d669f68de92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\q4vt0h5p\q4vt0h5p.dll

Filesize
35KB

MD5
a800e95884d7769f6a23338b3cd17e55

SHA1
d8c72c1121be3b1b8f339d8bed843b4511ebaa65

SHA256
8e67e71a88f4b5e267191290f5b3855aa25e43419a5c8ce32c49e2dea272d664

SHA512
9aa289234d8b90dd0d2100d156c3df0fc1bfeb7d73c90c28644419aed5c7f2e9ef79bb60cc540a955c67cf05ebe13eb446150a4beeac8bcfa3e7c0700c141969

Download Submit
C:\Users\Admin\AppData\Local\Temp\q4vt0h5p\q4vt0h5p.pdb

Filesize
13KB

MD5
ffac737049261eca309cdfddbbd035ac

SHA1
9c7cc7ed47ebbc9a7e84e38ae6d9b677591e1f60

SHA256
873aec69a503c7310c5ba6335e0a42da42232c38f7a43f828ff2822dd720ae33

SHA512
e8dab8dfb5e9a510b7977975b364361d9c621ba738f84cea73b4a360bcf61b8290d72a5e2d8bfa8e44d5cf33c07d4961f886699022c121549a021da748429313

Download Submit
C:\Users\Public\Avast.xml

Filesize
107KB

MD5
34caa2941ff3b4fa2f405e812c1fdaf5

SHA1
54254bc40b8cad04a4d15d445455f85763519d79

SHA256
6e5735e27b99106d231b14d273e28cbbb21612a1018db90abb752a6d4fe2fa26

SHA512
346e07d22334da5f10aaed86d98fb765769b5a24812e95de675fabf52671c3c081919d669688547c64f4e3c71916c4a60ff6a241421a1e9d25a552ffffbc9386

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q4vt0h5p\CSC3188BB6C710449B885D045272E4EA127.TMP

Filesize
652B

MD5
cb879c993795dcd0ca1c51b2ff1c52bf

SHA1
125c09f823ea869c7968bf11b0d8196f4f038682

SHA256
be63439a96e454ccd4b3d60d3031708f5867d15a3840aa9aa6fa8c78f024289f

SHA512
654d63b4dca470d236c4783b0a8d86fcb76704519cc39fad7c4e8ec7a0924096b35f5494000682fc7d69afc02c54afbae99e3acc95336ed35d1dacf789d52c3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q4vt0h5p\q4vt0h5p.0.cs

Filesize
106KB

MD5
1c0b791c7389870b8f9dd05767a44561

SHA1
35c1c2ecedb0e0e948e79e1f04c7af804acc3b21

SHA256
d46f4dc57accb0914ba1c4607603c74872a0dfc80d13e39690beb5c61c403604

SHA512
2bbde078531e24cda4699fcf90a00bc9c97c536f60d94cfcec5f99b0d573f516b1b958bc13a7f7c38a6cfb9192b5c140259a767dffc179981c1ea99899fe2354

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q4vt0h5p\q4vt0h5p.cmdline

Filesize
660B

MD5
24a971f05167dc8a9e3d452e0549a924

SHA1
f043f339da455063d55a2735f5892722b92d8cce

SHA256
0c965d27bb1209719b0222d4dafbe41a31c84cb3436465cbb2f46c6a9a3a8b1d

SHA512
6c91c55e4e269b1a65fca42dcc76a605696faf2532ac0c133099b68106b2d2f728db4e314da222e29eb92dcc86c5750b29c83ce5ca425afa62214a3a77e2731b

Download Submit
memory/2600-8-0x0000000000950000-0x000000000096A000-memory.dmp

Filesize
104KB

Download
memory/2600-29-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/2600-10-0x0000000005490000-0x00000000057F4000-memory.dmp

Filesize
3.4MB

Download
memory/2600-1-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/2600-7-0x0000000000A80000-0x0000000000AC4000-memory.dmp

Filesize
272KB

Download
memory/2600-6-0x00000000055C0000-0x00000000056E2000-memory.dmp

Filesize
1.1MB

Download
memory/2600-5-0x0000000005490000-0x00000000055B2000-memory.dmp

Filesize
1.1MB

Download
memory/2600-4-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-25-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/2600-2-0x0000000001140000-0x0000000001180000-memory.dmp

Filesize
256KB

Download
memory/2600-28-0x0000000005050000-0x00000000050EC000-memory.dmp

Filesize
624KB

Download
memory/2600-9-0x0000000005490000-0x000000000560A000-memory.dmp

Filesize
1.5MB

Download
memory/2600-42-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-41-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2992-40-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2992-39-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2992-38-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2992-35-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2992-32-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2992-30-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2992-36-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download