asyncrat | 74e02a922753dfedb02f3935bc7c0580c27abf56332d5e5bf5c82d4a1a30fb03

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2025, 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74e02a922753dfedb02f3935bc7c0580c27abf56332d5e5bf5c82d4a1a30fb03.ps1
Size

463KB
MD5

ecea62fc04e5c336d1552a0f6334c1a9
SHA1

968c6608c5e5bb5c3bd47b8f02e432b5138d6511
SHA256

74e02a922753dfedb02f3935bc7c0580c27abf56332d5e5bf5c82d4a1a30fb03
SHA512

71c048b488e7a13bb4100a3d3466acaebc4782893a5e1479e43206ed7a09b07a79119e320ca0bf21a1dc43ef09579f77ce0b0de9f37c54ea76365dcf51607fb3
SSDEEP

12288:y1SyZpgmE+NPVFL2bUCUrNlKomLJVlCzhPbw:y1SywmE+NPVFL2bUCUrNlKomLJVlCzhM

Score

10^/10

asyncrat 00000001 discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

00000001

81.10.39.58:7077

Mutex

AsyncMutex_alosh

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
22	3336	powershell.exe
24	3336	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3336	powershell.exe
596	powershell.exe
4508	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	api.ipify.org
22	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 596 set thread context of 4596	596	powershell.exe	94
PID 4508 set thread context of 3244	4508	powershell.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3336	powershell.exe
3336	powershell.exe
596	powershell.exe
596	powershell.exe
4596	aspnet_compiler.exe
4508	powershell.exe
4508	powershell.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeIncreaseQuotaPrivilege	3336	powershell.exe
Token: SeSecurityPrivilege	3336	powershell.exe
Token: SeTakeOwnershipPrivilege	3336	powershell.exe
Token: SeLoadDriverPrivilege	3336	powershell.exe
Token: SeSystemProfilePrivilege	3336	powershell.exe
Token: SeSystemtimePrivilege	3336	powershell.exe
Token: SeProfSingleProcessPrivilege	3336	powershell.exe
Token: SeIncBasePriorityPrivilege	3336	powershell.exe
Token: SeCreatePagefilePrivilege	3336	powershell.exe
Token: SeBackupPrivilege	3336	powershell.exe
Token: SeRestorePrivilege	3336	powershell.exe
Token: SeShutdownPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeSystemEnvironmentPrivilege	3336	powershell.exe
Token: SeRemoteShutdownPrivilege	3336	powershell.exe
Token: SeUndockPrivilege	3336	powershell.exe
Token: SeManageVolumePrivilege	3336	powershell.exe
Token: 33	3336	powershell.exe
Token: 34	3336	powershell.exe
Token: 35	3336	powershell.exe
Token: 36	3336	powershell.exe
Token: SeIncreaseQuotaPrivilege	3336	powershell.exe
Token: SeSecurityPrivilege	3336	powershell.exe
Token: SeTakeOwnershipPrivilege	3336	powershell.exe
Token: SeLoadDriverPrivilege	3336	powershell.exe
Token: SeSystemProfilePrivilege	3336	powershell.exe
Token: SeSystemtimePrivilege	3336	powershell.exe
Token: SeProfSingleProcessPrivilege	3336	powershell.exe
Token: SeIncBasePriorityPrivilege	3336	powershell.exe
Token: SeCreatePagefilePrivilege	3336	powershell.exe
Token: SeBackupPrivilege	3336	powershell.exe
Token: SeRestorePrivilege	3336	powershell.exe
Token: SeShutdownPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeSystemEnvironmentPrivilege	3336	powershell.exe
Token: SeRemoteShutdownPrivilege	3336	powershell.exe
Token: SeUndockPrivilege	3336	powershell.exe
Token: SeManageVolumePrivilege	3336	powershell.exe
Token: 33	3336	powershell.exe
Token: 34	3336	powershell.exe
Token: 35	3336	powershell.exe
Token: 36	3336	powershell.exe
Token: SeDebugPrivilege	596	powershell.exe
Token: SeDebugPrivilege	4596	aspnet_compiler.exe
Token: SeDebugPrivilege	4508	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4596	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 880	1408	WScript.exe	85
PID 1408 wrote to memory of 880	1408	WScript.exe	85
PID 880 wrote to memory of 112	880	net.exe	87
PID 880 wrote to memory of 112	880	net.exe	87
PID 1408 wrote to memory of 4516	1408	WScript.exe	88
PID 1408 wrote to memory of 4516	1408	WScript.exe	88
PID 4516 wrote to memory of 596	4516	cmd.exe	90
PID 4516 wrote to memory of 596	4516	cmd.exe	90
PID 596 wrote to memory of 4596	596	powershell.exe	94
PID 596 wrote to memory of 4596	596	powershell.exe	94
PID 596 wrote to memory of 4596	596	powershell.exe	94
PID 596 wrote to memory of 4596	596	powershell.exe	94
PID 596 wrote to memory of 4596	596	powershell.exe	94
PID 596 wrote to memory of 4596	596	powershell.exe	94
PID 596 wrote to memory of 4596	596	powershell.exe	94
PID 596 wrote to memory of 4596	596	powershell.exe	94
PID 5108 wrote to memory of 4780	5108	WScript.exe	101
PID 5108 wrote to memory of 4780	5108	WScript.exe	101
PID 4780 wrote to memory of 2468	4780	net.exe	103
PID 4780 wrote to memory of 2468	4780	net.exe	103
PID 5108 wrote to memory of 4520	5108	WScript.exe	104
PID 5108 wrote to memory of 4520	5108	WScript.exe	104
PID 4520 wrote to memory of 4508	4520	cmd.exe	106
PID 4520 wrote to memory of 4508	4520	cmd.exe	106
PID 4508 wrote to memory of 3244	4508	powershell.exe	107
PID 4508 wrote to memory of 3244	4508	powershell.exe	107
PID 4508 wrote to memory of 3244	4508	powershell.exe	107
PID 4508 wrote to memory of 3244	4508	powershell.exe	107
PID 4508 wrote to memory of 3244	4508	powershell.exe	107
PID 4508 wrote to memory of 3244	4508	powershell.exe	107
PID 4508 wrote to memory of 3244	4508	powershell.exe	107
PID 4508 wrote to memory of 3244	4508	powershell.exe	107

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\74e02a922753dfedb02f3935bc7c0580c27abf56332d5e5bf5c82d4a1a30fb03.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\ydOFAc4ozV.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\ydOFAc4ozV.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\ydOFAc4ozV.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4596

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\ydOFAc4ozV.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\ydOFAc4ozV.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\ydOFAc4ozV.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b7df01f46c41a9fda01595fa6a3bf529

SHA1
c34260380e57e53617a2516719fcda2334faf69c

SHA256
89df7f8a132a4e29f844636c197980ce025e3fd494d8b3ee7fb4dcc65fac883a

SHA512
ff5e4f403294965f7d7ebcf02110b5a32498fe1bb805c0036bdf43d10f79eaa68dfc52bcfdfe30761ef06e65ca8607abb552ba29b15053c96f84a4705f3cd6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hcquq3id.zxm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Music\ydOFAc4ozV.bat

Filesize
2KB

MD5
bc75d3b7b40890621a77ebdd671712a2

SHA1
6500e01471e76c5bc2f8a8bd2e42c36eca2447ea

SHA256
7c6dcb420090341fc00b5b59b0598cdf183948ca21fa321498703c61d4b17a28

SHA512
c26dcb31b70b2ce6e175eaf6d3c687c342c476ec0805518084c25c7fd306b412b0f354ba792bc451ca487c1dcdff2c21be58e00232197fd6c4ef6cb98a1e9e42

Download Submit
C:\Users\Public\Music\ydOFAc4ozV.ps1

Filesize
453KB

MD5
e00d8713d99df32b405782e54835cc0f

SHA1
eb9f4a732395aa9a877bd12c1137b42fa7ee8f04

SHA256
8c162d248940ee7851490c80390d0a6bc614cad19116b7b9c1106bf82205edc2

SHA512
72c7c9bb0eae9678238c3ae50e6ff36c204a46593d86aac27a339033ecd7040d0c5aac5d4788474f3d848285be231cf120723a11ca9df12c42bc6cbeb99ce757

Download Submit
C:\Users\Public\Music\ydOFAc4ozV.vbs

Filesize
4KB

MD5
6b404938fd0d8b33d14ee68c067ae877

SHA1
dc35627bbd35db810af81630c15eca013b8d47f0

SHA256
0fe9db1b7b090df42b9322708059b5a46518964c7eabbd5d6aad456cacf6e363

SHA512
e6d7f08a14161b4c86e836a595d8377eef3df39cf9490b7ea40ca96a1f8fe604828e9cc4ce9dd37154cc37c6efa47d3fa988fd7cc97cd6702379bbd8abea792e

Download Submit
memory/596-31-0x0000019F07670000-0x0000019F0767C000-memory.dmp

Filesize
48KB

Download
memory/3336-36-0x00007FFCE6AF0000-0x00007FFCE75B1000-memory.dmp

Filesize
10.8MB

Download
memory/3336-46-0x00007FFCE6AF0000-0x00007FFCE75B1000-memory.dmp

Filesize
10.8MB

Download
memory/3336-12-0x00007FFCE6AF0000-0x00007FFCE75B1000-memory.dmp

Filesize
10.8MB

Download
memory/3336-51-0x00007FFCE6AF0000-0x00007FFCE75B1000-memory.dmp

Filesize
10.8MB

Download
memory/3336-35-0x00007FFCE6AF3000-0x00007FFCE6AF5000-memory.dmp

Filesize
8KB

Download
memory/3336-0-0x00007FFCE6AF3000-0x00007FFCE6AF5000-memory.dmp

Filesize
8KB

Download
memory/3336-11-0x00007FFCE6AF0000-0x00007FFCE75B1000-memory.dmp

Filesize
10.8MB

Download
memory/3336-10-0x0000022A7ED80000-0x0000022A7EDA2000-memory.dmp

Filesize
136KB

Download
memory/3336-47-0x0000022A18530000-0x0000022A18A58000-memory.dmp

Filesize
5.2MB

Download
memory/3336-18-0x00007FFCE6AF0000-0x00007FFCE75B1000-memory.dmp

Filesize
10.8MB

Download
memory/3336-45-0x0000022A7FB20000-0x0000022A7FCE2000-memory.dmp

Filesize
1.8MB

Download
memory/3336-44-0x00007FFCE6AF0000-0x00007FFCE75B1000-memory.dmp

Filesize
10.8MB

Download
memory/4596-43-0x00000000069E0000-0x0000000006A46000-memory.dmp

Filesize
408KB

Download
memory/4596-42-0x0000000006F20000-0x0000000006FBC000-memory.dmp

Filesize
624KB

Download
memory/4596-39-0x0000000005C70000-0x0000000005C7A000-memory.dmp

Filesize
40KB

Download
memory/4596-38-0x0000000005C80000-0x0000000005D12000-memory.dmp

Filesize
584KB

Download
memory/4596-37-0x0000000006050000-0x00000000065F4000-memory.dmp

Filesize
5.6MB

Download
memory/4596-32-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download