Decoding AsyncRAT: From ISO file to C2 domain
AsyncRAT is a remote access trojan (RAT) designed for remote control of infected systems. It is commonly used to steal sensitive information, deploy additional malware, and maintain persistent access to compromised networks. Once installed on a target machine, AsyncRAT can perform a range of malicious activities, including keylogging, screen capture, file exfiltration, and command execution.
Our analysis shows that this AsyncRAT campaign uses a common technique: the second-stage payload is hosted on a compromised WordPress website, with the payload strings hidden inside an image file, which makes detection and analysis more challenging.
| Property | Value |
|---|---|
| SHA256 | 7d801d3e93c4a75e2cb7a3b1c1798f30a2451fb8a3e95b5f14388ab74637cae6 |
| SHA3-384 | cebc83031a2459ba9bab9a36f20ac4e3d65bfb4b6d2772d727659adf956cf6f56a2ffce0fc57e5810167c275e717d0f4 |
| SHA1 | 7e0f384ccef354f6baaf39ba1ba8d7e0a9d31567 |
| MD5 | c890161dabcf2216d6fd49ba633c7180 |
| humanhash | kentucky-missouri-autumn-four |
| File name | bill_lnvoice_582838983848.iso |
Initial Payload Analysis
The payload is delivered via an email attachment, which is an ISO file. Clicking the ISO file auto-mounts the image, revealing a VBS file.
Opening the VBS file in a text editor shows the script. The obfuscation method consists of storing the payload string in randomly named variables.
By substituting the variables and removing the comments, we de-obfuscate the code. The script uses `wscript` to execute the payload: it downloads a string from an image hosted on a WordPress site.
After identifying the image path, we can use `wget` to retrieve the image for further analysis:
wget http://totalhorsehealth.com/wp-admin/images/images/img.jpg
We can use the `strings` utility to extract the embedded string from the image and save the output for further analysis:
strings .\img.jpg > stage_2.txt
Reviewing the extracted code, we observe that it is obfuscated with the same method: junk variables and comments are used extensively.
Using find and replace, we can fully de-obfuscate the code. Once the code is readable, we see the following:
- The script creates a new folder called 'unlimited' where it saves the PowerShell scripts.
- It sleeps for 500 milliseconds before execution.
- It contains custom functions that convert hard-coded hex values into executables.
Further down the code, we identify two variables containing hex-encoded data:
- GIT.dll
- stage_3
We can copy the hex values into CyberChef and apply the "From Hex" operation. The decoded output starts with the MZ magic bytes, indicating that it is a PE binary. We can save the binary from CyberChef.
After saving both files, we use the file hashes to confirm that the files are malicious via VirusTotal.
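The hex-carving step above can be scripted rather than done by hand in CyberChef. The following is an added example, not code from the original post: it assumes the stage-2 script assigns hex strings to PowerShell-style `$variables` (an assumed form), decodes each one, flags those that start with the MZ magic, and hashes them for the VirusTotal lookup. The embedded script is a constructed stand-in containing only a truncated DOS header, not the real payload.

```python
import hashlib
import re
from pathlib import Path

# Constructed stand-in for the de-obfuscated stage-2 PowerShell: hex strings in
# named variables. The bytes are a truncated DOS header, not the real payload.
SAMPLE_SCRIPT = r'''
$GIT_dll = "4D5A90000300000004000000FFFF0000B8000000"
$stage_3 = "4D5A900003000000040000"
$note    = "48656C6C6F"
'''

# PowerShell-style assignment of a quoted hex string to a $variable (assumed form).
HEX_VAR = re.compile(r'\$(\w+)\s*=\s*"([0-9A-Fa-f]+)"')


def extract_hex_blobs(script: str) -> dict:
    """Return {variable: decoded bytes} for every hex-string assignment found."""
    blobs = {}
    for name, hexstr in HEX_VAR.findall(script):
        if len(hexstr) % 2:          # odd length cannot be a clean byte string
            continue
        blobs[name] = bytes.fromhex(hexstr)
    return blobs


def is_pe(data: bytes) -> bool:
    """'MZ' is the DOS header magic the post recognises in the CyberChef output."""
    return data[:2] == b"MZ"


def carve(script: str) -> dict:
    """Decode every blob, flag PE candidates and hash them for a VirusTotal lookup."""
    report = {}
    for name, data in extract_hex_blobs(script).items():
        report[name] = {
            "is_pe": is_pe(data),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        }
    return report


def carve_to_disk(script: str, out_dir: str) -> list:
    """Write each PE candidate to out_dir as <name>.bin; returns the written paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for name, data in extract_hex_blobs(script).items():
        if is_pe(data):
            path = out / f"{name}.bin"       # .bin, never .exe, inside the analysis VM
            path.write_bytes(data)
            written.append(str(path))
    return written
```

Run `carve(open("stage_2.txt").read())` on the real de-obfuscated script to get the SHA-256 of each carved file for VirusTotal; `carve_to_disk` writes them out for dnSpy.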
RAT analysis
Now that we have the executables, we can decompile the PE files. We start with Detect It Easy (DIE) to determine whether the executables are packed and how they were compiled.
DIE confirms that the binaries are VB.NET files compiled in 32-bit mode. This is useful information, since it tells us which tool to use to decompile them.
Using dnSpy to decompile the PE files
We can open the executable in dnSpy. Reading through the functions confirms that they are obfuscated with random variable names, a common tactic that makes it harder for analysts to understand the functionality.
First, we locate the main function. This is done by iterating through all the functions listed on the left-hand side.
After finding the main function, we can set breakpoints and step through the code to see what the variables hold in clear text.
Stepping through the variables in debug mode, we recover the configuration of the AsyncRAT binary, including the C2.
AsyncRAT properties:
- C2: helpher[.]linkpc[.]net
- Ports: 6666
- Version: Edit 3LOSH RAT
- Mutex: AsyncMutex_6SI8OkPnk
- Filename: DD1Pwy8Xp7GDorQqNd6IzllLol9KIyHs
From the code, we see that the malware establishes persistence via scheduled tasks and by adding a registry key.
The malware also logs activity and stores it on the host so that it can be sent to the C2.
Using Validin to extract all C2s
Now that we have identified a C2 domain, we can use Validin to extract all potentially compromised subdomains.
We select the subdomains and download the data as JSON.
Next, we can write a JSON Path expression to extract all domains that have been categorised as 'malware'.
$..[?(@.category =~ /.*[Mm]alware.*/)].key
Finally, we can use CyberChef to beautify the data and extract all subdomains.
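The JSONPath filter above can be reproduced offline so the pivot is repeatable without CyberChef. This is an added example, not part of the original post: it walks every object in the export (the `$..` descent), keeps those whose `category` matches `/.*[Mm]alware.*/`, and returns their `key` values deduplicated and sorted. The field names `category` and `key` come from the post's expression; the rest of the JSON shape is a constructed stand-in, not Validin's real schema.

```python
import json
import re

# Constructed stand-in for the Validin JSON export. Only 'category' and 'key'
# are taken from the post's JSONPath; the surrounding structure is assumed.
SAMPLE_JSON = json.dumps({
    "records": [
        {"key": "helpher.linkpc.net", "category": "Malware", "first_seen": 1700000000},
        {"key": "0.linkpc.net", "category": "malware",
         "nested": {"key": "ignored.example", "category": "benign"}},
        {"key": "clean.linkpc.net", "category": "parked"},
        {"key": "www.0.linkpc.net", "category": "Malware/C2"},
        {"key": "helpher.linkpc.net", "category": "malware"},   # duplicate entry
    ]
})

# Same pattern as the post's JSONPath: $..[?(@.category =~ /.*[Mm]alware.*/)].key
MALWARE_RE = re.compile(r".*[Mm]alware.*")


def walk(node):
    """Yield every dict anywhere in the document, i.e. the $.. recursive descent."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk(value)


def malware_keys(doc) -> list:
    """Apply the category filter and collect 'key', deduplicated and sorted."""
    keys = set()
    for obj in walk(doc):
        category = obj.get("category")
        if isinstance(category, str) and MALWARE_RE.match(category) and "key" in obj:
            keys.add(obj["key"])
    return sorted(keys)


def extract_from_export(raw_json: str) -> list:
    """Convenience wrapper: parse the downloaded export and return the subdomain list."""
    return malware_keys(json.loads(raw_json))
```

Point `extract_from_export` at the downloaded Validin file to obtain the deduplicated subdomain list the post derives with CyberChef.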
List of compromised subdomains
IOCs
C2: helpher[.]linkpc[.]net
| Filename | MD5 | SHA1 | SHA-256 |
|---|---|---|---|
| binary.exe | 7647b2fd4e998efa942aa3e6607411e0 | c1bf9d69b90a686575c86d188e5ee88a66b72298 | a73e8516105a95e699bf1ac4cb1ec7a28452c41aba1045e0483eb71dbbebd162 |
| GIT.dll | 296100e39cf44e1250532c9440d48ed3 | c44ba687f87b015dd06f671f5eb7f8e25a28ec2a | 0feb59cdb7082845e568eb2829a923a2ffaad84abaff43ef3eda416578470155 |