asyncrat | dcc0acdc514d4c96de42b032a952d6e5308e0ce8f122b22b7da715ef3b213854

Analysis

max time kernel
127s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2025, 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcc0acdc514d4c96de42b032a952d6e5308e0ce8f122b22b7da715ef3b213854.ps1
Size

463KB
MD5

c4f61fb22b14c5c83ccb6ca08743eb70
SHA1

1636e997a6c0b98414569137de0f918c881b90c6
SHA256

dcc0acdc514d4c96de42b032a952d6e5308e0ce8f122b22b7da715ef3b213854
SHA512

9219908f9239852cee93dc3ed50aafb2251ec85c8c453ad950a3361628362379638eebc06b85cb27c9b8a5d27dbda6e53f4b2ff625b44880fb83ca4dd6dc3fd4
SSDEEP

6144:jMcB4ABE+NPVFL2bUCUrNlKomLJVlCssptqzx:jLE+NPVFL2bUCUrNlKomLJVlCzsx

Score

10^/10

asyncrat 00000001 discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

00000001

81.10.39.58:7077

Mutex

AsyncMutex_alosh

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
20	3284	powershell.exe
22	3284	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3284	powershell.exe
1432	powershell.exe
1028	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	api.ipify.org
20	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1432 set thread context of 4056	1432	powershell.exe	92
PID 1028 set thread context of 4896	1028	powershell.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3284	powershell.exe
3284	powershell.exe
1432	powershell.exe
1432	powershell.exe
1432	powershell.exe
1432	powershell.exe
4056	aspnet_compiler.exe
1028	powershell.exe
1028	powershell.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeIncreaseQuotaPrivilege	3284	powershell.exe
Token: SeSecurityPrivilege	3284	powershell.exe
Token: SeTakeOwnershipPrivilege	3284	powershell.exe
Token: SeLoadDriverPrivilege	3284	powershell.exe
Token: SeSystemProfilePrivilege	3284	powershell.exe
Token: SeSystemtimePrivilege	3284	powershell.exe
Token: SeProfSingleProcessPrivilege	3284	powershell.exe
Token: SeIncBasePriorityPrivilege	3284	powershell.exe
Token: SeCreatePagefilePrivilege	3284	powershell.exe
Token: SeBackupPrivilege	3284	powershell.exe
Token: SeRestorePrivilege	3284	powershell.exe
Token: SeShutdownPrivilege	3284	powershell.exe
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeSystemEnvironmentPrivilege	3284	powershell.exe
Token: SeRemoteShutdownPrivilege	3284	powershell.exe
Token: SeUndockPrivilege	3284	powershell.exe
Token: SeManageVolumePrivilege	3284	powershell.exe
Token: 33	3284	powershell.exe
Token: 34	3284	powershell.exe
Token: 35	3284	powershell.exe
Token: 36	3284	powershell.exe
Token: SeIncreaseQuotaPrivilege	3284	powershell.exe
Token: SeSecurityPrivilege	3284	powershell.exe
Token: SeTakeOwnershipPrivilege	3284	powershell.exe
Token: SeLoadDriverPrivilege	3284	powershell.exe
Token: SeSystemProfilePrivilege	3284	powershell.exe
Token: SeSystemtimePrivilege	3284	powershell.exe
Token: SeProfSingleProcessPrivilege	3284	powershell.exe
Token: SeIncBasePriorityPrivilege	3284	powershell.exe
Token: SeCreatePagefilePrivilege	3284	powershell.exe
Token: SeBackupPrivilege	3284	powershell.exe
Token: SeRestorePrivilege	3284	powershell.exe
Token: SeShutdownPrivilege	3284	powershell.exe
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeSystemEnvironmentPrivilege	3284	powershell.exe
Token: SeRemoteShutdownPrivilege	3284	powershell.exe
Token: SeUndockPrivilege	3284	powershell.exe
Token: SeManageVolumePrivilege	3284	powershell.exe
Token: 33	3284	powershell.exe
Token: 34	3284	powershell.exe
Token: 35	3284	powershell.exe
Token: 36	3284	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	4056	aspnet_compiler.exe
Token: SeDebugPrivilege	1028	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4056	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 3188	5028	WScript.exe	85
PID 5028 wrote to memory of 3188	5028	WScript.exe	85
PID 3188 wrote to memory of 624	3188	net.exe	87
PID 3188 wrote to memory of 624	3188	net.exe	87
PID 5028 wrote to memory of 1228	5028	WScript.exe	88
PID 5028 wrote to memory of 1228	5028	WScript.exe	88
PID 1228 wrote to memory of 1432	1228	cmd.exe	90
PID 1228 wrote to memory of 1432	1228	cmd.exe	90
PID 1432 wrote to memory of 3768	1432	powershell.exe	91
PID 1432 wrote to memory of 3768	1432	powershell.exe	91
PID 1432 wrote to memory of 3768	1432	powershell.exe	91
PID 1432 wrote to memory of 4056	1432	powershell.exe	92
PID 1432 wrote to memory of 4056	1432	powershell.exe	92
PID 1432 wrote to memory of 4056	1432	powershell.exe	92
PID 1432 wrote to memory of 4056	1432	powershell.exe	92
PID 1432 wrote to memory of 4056	1432	powershell.exe	92
PID 1432 wrote to memory of 4056	1432	powershell.exe	92
PID 1432 wrote to memory of 4056	1432	powershell.exe	92
PID 1432 wrote to memory of 4056	1432	powershell.exe	92
PID 5060 wrote to memory of 4852	5060	WScript.exe	102
PID 5060 wrote to memory of 4852	5060	WScript.exe	102
PID 4852 wrote to memory of 3676	4852	net.exe	104
PID 4852 wrote to memory of 3676	4852	net.exe	104
PID 5060 wrote to memory of 1408	5060	WScript.exe	105
PID 5060 wrote to memory of 1408	5060	WScript.exe	105
PID 1408 wrote to memory of 1028	1408	cmd.exe	107
PID 1408 wrote to memory of 1028	1408	cmd.exe	107
PID 1028 wrote to memory of 4896	1028	powershell.exe	108
PID 1028 wrote to memory of 4896	1028	powershell.exe	108
PID 1028 wrote to memory of 4896	1028	powershell.exe	108
PID 1028 wrote to memory of 4896	1028	powershell.exe	108
PID 1028 wrote to memory of 4896	1028	powershell.exe	108
PID 1028 wrote to memory of 4896	1028	powershell.exe	108
PID 1028 wrote to memory of 4896	1028	powershell.exe	108
PID 1028 wrote to memory of 4896	1028	powershell.exe	108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\dcc0acdc514d4c96de42b032a952d6e5308e0ce8f122b22b7da715ef3b213854.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\8dOrpAnv0c.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\8dOrpAnv0c.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\8dOrpAnv0c.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:3768
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4056

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\8dOrpAnv0c.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\8dOrpAnv0c.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\8dOrpAnv0c.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
610B

MD5
1ad77a942a2fbe28454ad604bbbade5e

SHA1
262b8e1be25ace6517d56565b684b48b4f21db52

SHA256
7e7eda95bfa451566dd8df5d7bee0fef7ebf1cb69c66f88052cc329242381d99

SHA512
a7af03457f5f64f309133356cba7cfdcb5b2013c2645b43835fb6154dc26b7d61e4f315248b617804665cd82136ec9c345b4046bc462742b7c55ce784791ac96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
93e57d1f6dc41d1e77a7c42e6d8fcbec

SHA1
f3373fb6fdd688171739f951b03053d6577d75c0

SHA256
302c8d2dac5ceda12cec45a94777a2c25be86e742a3b3f3c8790c8bd97b2d06a

SHA512
c291fd1341852182b8946dd22a92aaeaf950820716bd3c4c167af97f9db970875fe571e69309c85b4c0e6ec963170754b958835723e4ae9c7d2f1bd9e2e81ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_trt5avsw.xzz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Music\8dOrpAnv0c.bat

Filesize
2KB

MD5
5faa0532bc7560961e6feb3ca30d20fc

SHA1
693f7b82b1c03fa5339ec51083c98519325164aa

SHA256
c7e358517e531b82eff0a4391fccd79f238bc8977b8ba4549369c1185ea4dafc

SHA512
034aa96a57f3277b90e66b00de94a565c45339e02c742bf3b4c4dbedfda64991dfb9e1a51e995abf1877813bd4915a625478b6a5fb828b3935f72a7aee96b1bc

Download Submit
C:\Users\Public\Music\8dOrpAnv0c.ps1

Filesize
453KB

MD5
dfc24069261dc85eda81abcb07e55c69

SHA1
f630b39909c81d172d434bd2b59ec3a2fd855a97

SHA256
75938ac69c673d67db37935a2c882a56d21f8085a326a61033a41c61a969353c

SHA512
705cffd220ef303b45cfff7687946e52098166c0c7bf4f6973947786372a789df85233ebcd67b302a9b255fc08262e367356b057024190b23ef13d1a99e4e3eb

Download Submit
C:\Users\Public\Music\8dOrpAnv0c.vbs

Filesize
4KB

MD5
8ffaf345c78886408f93b4a885cca939

SHA1
c1e564f50a3809b9fceaf795a87a511255542e34

SHA256
e7405c35132e9b8cf59780bed93b7ba3d31609723e9389e3dc9de727b604fff7

SHA512
9e4aa01ecfa78232b8fcd08d1378b9870b4f49f4904212e3d6366fc09e5cd975cdf7851faa86197611e59b0b87f0d1d5871da4b2ad0797d6e00c5accd3e0f43e

Download Submit
memory/1432-31-0x000002829B3B0000-0x000002829B3BC000-memory.dmp

Filesize
48KB

Download
memory/3284-44-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

Filesize
10.8MB

Download
memory/3284-46-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

Filesize
10.8MB

Download
memory/3284-10-0x0000027DEADC0000-0x0000027DEADE2000-memory.dmp

Filesize
136KB

Download
memory/3284-35-0x00007FFE84C83000-0x00007FFE84C85000-memory.dmp

Filesize
8KB

Download
memory/3284-51-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

Filesize
10.8MB

Download
memory/3284-18-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

Filesize
10.8MB

Download
memory/3284-38-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

Filesize
10.8MB

Download
memory/3284-11-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

Filesize
10.8MB

Download
memory/3284-12-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

Filesize
10.8MB

Download
memory/3284-47-0x0000027DEBB30000-0x0000027DEC058000-memory.dmp

Filesize
5.2MB

Download
memory/3284-0-0x00007FFE84C83000-0x00007FFE84C85000-memory.dmp

Filesize
8KB

Download
memory/3284-45-0x0000027DEB430000-0x0000027DEB5F2000-memory.dmp

Filesize
1.8MB

Download
memory/4056-37-0x0000000005BD0000-0x0000000005C62000-memory.dmp

Filesize
584KB

Download
memory/4056-43-0x00000000068A0000-0x0000000006906000-memory.dmp

Filesize
408KB

Download
memory/4056-42-0x0000000006DE0000-0x0000000006E7C000-memory.dmp

Filesize
624KB

Download
memory/4056-39-0x0000000005D60000-0x0000000005D6A000-memory.dmp

Filesize
40KB

Download
memory/4056-36-0x0000000005F80000-0x0000000006524000-memory.dmp

Filesize
5.6MB

Download
memory/4056-32-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download