asyncrat | 51c2ce9149de3db70b215296b809528da5b3adbf79d8dcbd67d24e7f4cbbf28f

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2025, 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51c2ce9149de3db70b215296b809528da5b3adbf79d8dcbd67d24e7f4cbbf28f.ps1
Size

463KB
MD5

a0566a1037f123125a5a2ce8efcb166e
SHA1

09e1c8520bce65ba13c5bb14aad4f04e6cad6da3
SHA256

51c2ce9149de3db70b215296b809528da5b3adbf79d8dcbd67d24e7f4cbbf28f
SHA512

cf80eb3483305b93c827c51fe422715af41d197cede82bd297ed8393ea5db66cc98279e0048f66992344e84b479e8db632d93a462905f5c8bc0786a0708b521f
SSDEEP

3072:JjHXlNuE+NPVFL2bUCUrNlKomLJVlCsspIF:JjqE+NPVFL2bUCUrNlKomLJVlCsspIF

Score

10^/10

asyncrat 00000001 discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

00000001

81.10.39.58:7077

Mutex

AsyncMutex_alosh

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
21	32	powershell.exe
23	32	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2132	powershell.exe
2428	powershell.exe
1624	powershell.exe
32	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	api.ipify.org
21	api.ipify.org

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1624 set thread context of 3676	1624	powershell.exe	91
PID 2132 set thread context of 3280	2132	powershell.exe	106
PID 2428 set thread context of 2980	2428	powershell.exe	116

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
32	powershell.exe
32	powershell.exe
1624	powershell.exe
1624	powershell.exe
3676	aspnet_compiler.exe
2132	powershell.exe
2132	powershell.exe
2132	powershell.exe
2132	powershell.exe
2428	powershell.exe
2428	powershell.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	32	powershell.exe
Token: SeIncreaseQuotaPrivilege	32	powershell.exe
Token: SeSecurityPrivilege	32	powershell.exe
Token: SeTakeOwnershipPrivilege	32	powershell.exe
Token: SeLoadDriverPrivilege	32	powershell.exe
Token: SeSystemProfilePrivilege	32	powershell.exe
Token: SeSystemtimePrivilege	32	powershell.exe
Token: SeProfSingleProcessPrivilege	32	powershell.exe
Token: SeIncBasePriorityPrivilege	32	powershell.exe
Token: SeCreatePagefilePrivilege	32	powershell.exe
Token: SeBackupPrivilege	32	powershell.exe
Token: SeRestorePrivilege	32	powershell.exe
Token: SeShutdownPrivilege	32	powershell.exe
Token: SeDebugPrivilege	32	powershell.exe
Token: SeSystemEnvironmentPrivilege	32	powershell.exe
Token: SeRemoteShutdownPrivilege	32	powershell.exe
Token: SeUndockPrivilege	32	powershell.exe
Token: SeManageVolumePrivilege	32	powershell.exe
Token: 33	32	powershell.exe
Token: 34	32	powershell.exe
Token: 35	32	powershell.exe
Token: 36	32	powershell.exe
Token: SeIncreaseQuotaPrivilege	32	powershell.exe
Token: SeSecurityPrivilege	32	powershell.exe
Token: SeTakeOwnershipPrivilege	32	powershell.exe
Token: SeLoadDriverPrivilege	32	powershell.exe
Token: SeSystemProfilePrivilege	32	powershell.exe
Token: SeSystemtimePrivilege	32	powershell.exe
Token: SeProfSingleProcessPrivilege	32	powershell.exe
Token: SeIncBasePriorityPrivilege	32	powershell.exe
Token: SeCreatePagefilePrivilege	32	powershell.exe
Token: SeBackupPrivilege	32	powershell.exe
Token: SeRestorePrivilege	32	powershell.exe
Token: SeShutdownPrivilege	32	powershell.exe
Token: SeDebugPrivilege	32	powershell.exe
Token: SeSystemEnvironmentPrivilege	32	powershell.exe
Token: SeRemoteShutdownPrivilege	32	powershell.exe
Token: SeUndockPrivilege	32	powershell.exe
Token: SeManageVolumePrivilege	32	powershell.exe
Token: 33	32	powershell.exe
Token: 34	32	powershell.exe
Token: 35	32	powershell.exe
Token: 36	32	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	3676	aspnet_compiler.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3676	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 776	3740	WScript.exe	85
PID 3740 wrote to memory of 776	3740	WScript.exe	85
PID 776 wrote to memory of 3780	776	net.exe	87
PID 776 wrote to memory of 3780	776	net.exe	87
PID 3740 wrote to memory of 3548	3740	WScript.exe	88
PID 3740 wrote to memory of 3548	3740	WScript.exe	88
PID 3548 wrote to memory of 1624	3548	cmd.exe	90
PID 3548 wrote to memory of 1624	3548	cmd.exe	90
PID 1624 wrote to memory of 3676	1624	powershell.exe	91
PID 1624 wrote to memory of 3676	1624	powershell.exe	91
PID 1624 wrote to memory of 3676	1624	powershell.exe	91
PID 1624 wrote to memory of 3676	1624	powershell.exe	91
PID 1624 wrote to memory of 3676	1624	powershell.exe	91
PID 1624 wrote to memory of 3676	1624	powershell.exe	91
PID 1624 wrote to memory of 3676	1624	powershell.exe	91
PID 1624 wrote to memory of 3676	1624	powershell.exe	91
PID 648 wrote to memory of 4936	648	WScript.exe	99
PID 648 wrote to memory of 4936	648	WScript.exe	99
PID 4936 wrote to memory of 2096	4936	net.exe	101
PID 4936 wrote to memory of 2096	4936	net.exe	101
PID 648 wrote to memory of 1796	648	WScript.exe	102
PID 648 wrote to memory of 1796	648	WScript.exe	102
PID 1796 wrote to memory of 2132	1796	cmd.exe	104
PID 1796 wrote to memory of 2132	1796	cmd.exe	104
PID 2132 wrote to memory of 5000	2132	powershell.exe	105
PID 2132 wrote to memory of 5000	2132	powershell.exe	105
PID 2132 wrote to memory of 5000	2132	powershell.exe	105
PID 2132 wrote to memory of 3280	2132	powershell.exe	106
PID 2132 wrote to memory of 3280	2132	powershell.exe	106
PID 2132 wrote to memory of 3280	2132	powershell.exe	106
PID 2132 wrote to memory of 3280	2132	powershell.exe	106
PID 2132 wrote to memory of 3280	2132	powershell.exe	106
PID 2132 wrote to memory of 3280	2132	powershell.exe	106
PID 2132 wrote to memory of 3280	2132	powershell.exe	106
PID 2132 wrote to memory of 3280	2132	powershell.exe	106
PID 4408 wrote to memory of 2228	4408	WScript.exe	110
PID 4408 wrote to memory of 2228	4408	WScript.exe	110
PID 2228 wrote to memory of 3656	2228	net.exe	112
PID 2228 wrote to memory of 3656	2228	net.exe	112
PID 4408 wrote to memory of 2460	4408	WScript.exe	113
PID 4408 wrote to memory of 2460	4408	WScript.exe	113
PID 2460 wrote to memory of 2428	2460	cmd.exe	115
PID 2460 wrote to memory of 2428	2460	cmd.exe	115
PID 2428 wrote to memory of 2980	2428	powershell.exe	116
PID 2428 wrote to memory of 2980	2428	powershell.exe	116
PID 2428 wrote to memory of 2980	2428	powershell.exe	116
PID 2428 wrote to memory of 2980	2428	powershell.exe	116
PID 2428 wrote to memory of 2980	2428	powershell.exe	116
PID 2428 wrote to memory of 2980	2428	powershell.exe	116
PID 2428 wrote to memory of 2980	2428	powershell.exe	116
PID 2428 wrote to memory of 2980	2428	powershell.exe	116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\51c2ce9149de3db70b215296b809528da5b3adbf79d8dcbd67d24e7f4cbbf28f.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\1asrjDI783.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\1asrjDI783.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\1asrjDI783.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3676

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\1asrjDI783.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:648
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\1asrjDI783.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\1asrjDI783.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:5000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3280

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\1asrjDI783.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\1asrjDI783.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\1asrjDI783.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b7df01f46c41a9fda01595fa6a3bf529

SHA1
c34260380e57e53617a2516719fcda2334faf69c

SHA256
89df7f8a132a4e29f844636c197980ce025e3fd494d8b3ee7fb4dcc65fac883a

SHA512
ff5e4f403294965f7d7ebcf02110b5a32498fe1bb805c0036bdf43d10f79eaa68dfc52bcfdfe30761ef06e65ca8607abb552ba29b15053c96f84a4705f3cd6bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
09544fa598aa7eb4c5921100241b7a0b

SHA1
b86c8ab362c3a721cd5c09861dafb784b358a40a

SHA256
68ef0fcf3c19043510ee2ee15dd72982ab475a42d1b362621dcaef1ec4970d5e

SHA512
9e29ec201873e36c1443b91a819177ead660bfcb821c67dcf50bb2f1ec224f3761ab9d620904c5e017252fd6b71492a3c8ddf350970464a39dcfa6dc7f2d9270

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0venstk4.dsa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Music\1asrjDI783.bat

Filesize
2KB

MD5
11e5bd60f47cabd544689686e90ec983

SHA1
a0c50c6ce6fb1c76a49ad3b7473ae115a9473586

SHA256
796359f255098ba6f1aeb601bee332c499f6480bf8268eba81c8afa2e406bf03

SHA512
4c7e178fa8683d2e4f4e7876cb7564e81d209e459f91cc4dda45482f17ceacbe6c1fbc08dd77afec854f9c6d4e2882867a27786e88ca9785162c70130a5f938c

Download Submit
C:\Users\Public\Music\1asrjDI783.ps1

Filesize
453KB

MD5
c898ca5977afbf542dbccf9bcd3fdec7

SHA1
03deac6e826609b94f92e202ae19058268adb3ac

SHA256
d8527365ff27229d55b5033c6acedd6288ede1713ebd02d7e6d67c7949310074

SHA512
9c56fab5e5c0f4d5d79b21e8ba17fc7835d176d300fb6af30809fc7c6ff97083d3ec0af0e93918ff58cc45f45ca0c2d9bc9d26ddc702aa3abfb96822c8250ffa

Download Submit
C:\Users\Public\Music\1asrjDI783.vbs

Filesize
4KB

MD5
6a982f2ddd0049ae0aeae977a423b777

SHA1
b595d62a2d62817f0f2128d5587e2efac3bee8dc

SHA256
119ca11e66b8d4a45cda8085ae6664b25fbffe0486b7080c4405254dda8166a7

SHA512
44ae539ff8133189a0305cb8645fe37b7dbd11e737cf39ee4569ba3e13b0d31401f0fc3fbe827039687f3c987bd423e6a006436d93554b28c76f1f9e2db81da5

Download Submit
memory/32-44-0x000002237FB20000-0x000002237FCE2000-memory.dmp

Filesize
1.8MB

Download
memory/32-18-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

Filesize
10.8MB

Download
memory/32-35-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

Filesize
10.8MB

Download
memory/32-6-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

Filesize
10.8MB

Download
memory/32-11-0x000002237F480000-0x000002237F4A2000-memory.dmp

Filesize
136KB

Download
memory/32-12-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

Filesize
10.8MB

Download
memory/32-39-0x00007FF8C10F3000-0x00007FF8C10F5000-memory.dmp

Filesize
8KB

Download
memory/32-50-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

Filesize
10.8MB

Download
memory/32-46-0x000002231C760000-0x000002231CC88000-memory.dmp

Filesize
5.2MB

Download
memory/32-0-0x00007FF8C10F3000-0x00007FF8C10F5000-memory.dmp

Filesize
8KB

Download
memory/32-45-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1624-31-0x0000028276C10000-0x0000028276C1C000-memory.dmp

Filesize
48KB

Download
memory/3676-43-0x0000000006970000-0x00000000069D6000-memory.dmp

Filesize
408KB

Download
memory/3676-32-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3676-42-0x0000000006E40000-0x0000000006EDC000-memory.dmp

Filesize
624KB

Download
memory/3676-38-0x0000000005BF0000-0x0000000005BFA000-memory.dmp

Filesize
40KB

Download
memory/3676-37-0x0000000005C40000-0x0000000005CD2000-memory.dmp

Filesize
584KB

Download
memory/3676-36-0x0000000006050000-0x00000000065F4000-memory.dmp

Filesize
5.6MB

Download