asyncrat | 0734e8907cb7ff021d602a5046fd6b2b3790ef37113eb2faf3c6e23425e4755c

General

Target

SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
Size

1.5MB
MD5

73e662d533f7469a086abb6ec7de6c94
SHA1

86d13d647c3f810adccb2d4633ecbe7aee5be66a
SHA256

0734e8907cb7ff021d602a5046fd6b2b3790ef37113eb2faf3c6e23425e4755c
SHA512

37bd9d553945f77789d6005962b07891f3b4328207f8cc311be200595043f0a1f0f9b295e4dadb7ecadce2eabf15bfbc940ca0145ead9f65eb14a589eb7e8960

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

haberci.ddns.net:55501

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
7qeeypCsaUzRqpps4mCoM0L2H5Rezedz
anti_detection
false
autorun
true
bdos
true
delay
clientx
host
haberci.ddns.net
hwid
5
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
55501
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/756-10-0x0000000000400000-0x0000000000418000-memory.dmp	asyncrat
behavioral1/memory/756-11-0x000000000040C75E-mapping.dmp	asyncrat
behavioral1/memory/756-13-0x0000000000400000-0x0000000000418000-memory.dmp	asyncrat
behavioral1/memory/608-35-0x000000000040C75E-mapping.dmp	asyncrat
behavioral1/memory/608-38-0x0000000000400000-0x0000000000418000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

clientx.execlientx.exe

pid process

512 clientx.exe
608 clientx.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

676 cmd.exe

pid	process
512	clientx.exe
608	clientx.exe

pid	process
676	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecuriteInfo.com.Trojan.Inject4.9779.49.9585.execlientx.exe

description	pid	process	target process
PID 384 set thread context of 756	384	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
PID 512 set thread context of 608	512	clientx.exe	clientx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

808 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1152 timeout.exe

pid	process
808	schtasks.exe

pid	process
1152	timeout.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exeSecuriteInfo.com.Trojan.Inject4.9779.49.9585.execlientx.exe

pid	process
384	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
384	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
756	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
756	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
756	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
512	clientx.exe
512	clientx.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exeSecuriteInfo.com.Trojan.Inject4.9779.49.9585.execlientx.execlientx.exe

description	pid	process
Token: SeDebugPrivilege	384	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
Token: SeDebugPrivilege	756	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
Token: SeDebugPrivilege	512	clientx.exe
Token: SeDebugPrivilege	608	clientx.exe
Token: SeDebugPrivilege	608	clientx.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exeSecuriteInfo.com.Trojan.Inject4.9779.49.9585.execmd.execmd.execlientx.exe

description	pid	process	target process
PID 384 wrote to memory of 756	384	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
PID 384 wrote to memory of 756	384	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
PID 384 wrote to memory of 756	384	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
PID 384 wrote to memory of 756	384	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
PID 384 wrote to memory of 756	384	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
PID 384 wrote to memory of 756	384	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
PID 384 wrote to memory of 756	384	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
PID 384 wrote to memory of 756	384	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
PID 384 wrote to memory of 756	384	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
PID 756 wrote to memory of 632	756	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe	cmd.exe
PID 756 wrote to memory of 632	756	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe	cmd.exe
PID 756 wrote to memory of 632	756	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe	cmd.exe
PID 756 wrote to memory of 632	756	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe	cmd.exe
PID 756 wrote to memory of 676	756	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe	cmd.exe
PID 756 wrote to memory of 676	756	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe	cmd.exe
PID 756 wrote to memory of 676	756	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe	cmd.exe
PID 756 wrote to memory of 676	756	SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe	cmd.exe
PID 632 wrote to memory of 808	632	cmd.exe	schtasks.exe
PID 632 wrote to memory of 808	632	cmd.exe	schtasks.exe
PID 632 wrote to memory of 808	632	cmd.exe	schtasks.exe
PID 632 wrote to memory of 808	632	cmd.exe	schtasks.exe
PID 676 wrote to memory of 1152	676	cmd.exe	timeout.exe
PID 676 wrote to memory of 1152	676	cmd.exe	timeout.exe
PID 676 wrote to memory of 1152	676	cmd.exe	timeout.exe
PID 676 wrote to memory of 1152	676	cmd.exe	timeout.exe
PID 676 wrote to memory of 512	676	cmd.exe	clientx.exe
PID 676 wrote to memory of 512	676	cmd.exe	clientx.exe
PID 676 wrote to memory of 512	676	cmd.exe	clientx.exe
PID 676 wrote to memory of 512	676	cmd.exe	clientx.exe
PID 512 wrote to memory of 608	512	clientx.exe	clientx.exe
PID 512 wrote to memory of 608	512	clientx.exe	clientx.exe
PID 512 wrote to memory of 608	512	clientx.exe	clientx.exe
PID 512 wrote to memory of 608	512	clientx.exe	clientx.exe
PID 512 wrote to memory of 608	512	clientx.exe	clientx.exe
PID 512 wrote to memory of 608	512	clientx.exe	clientx.exe
PID 512 wrote to memory of 608	512	clientx.exe	clientx.exe
PID 512 wrote to memory of 608	512	clientx.exe	clientx.exe
PID 512 wrote to memory of 608	512	clientx.exe	clientx.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.9779.49.9585.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "clientx" /tr '"C:\Users\Admin\AppData\Roaming\clientx.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "clientx" /tr '"C:\Users\Admin\AppData\Roaming\clientx.exe"'
4⤵
- Creates scheduled task(s)
PID:808

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9186.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1152

C:\Users\Admin\AppData\Roaming\clientx.exe
"C:\Users\Admin\AppData\Roaming\clientx.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:512

C:\Users\Admin\AppData\Roaming\clientx.exe
"C:\Users\Admin\AppData\Roaming\clientx.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9186.tmp.bat
MD5
6120247b26f7cc024a9380c4afb94aa3

SHA1
bf77f77c0a60e82bdad4be020615c086cb9a1172

SHA256
14adc5c4d242d9350619077a7bcb16f3394710c0f9089fdc08ccbba4a3b7743b

SHA512
0be5a029dca841b1cd9a61cd7b8c61bae47d47e4d0076a18ef06c454c40fe51abb5498b2e0729d24d8be2a2d609e7fbc8613e5dc31024d887c5c1ce593466194

Download Submit
C:\Users\Admin\AppData\Roaming\clientx.exe
MD5
73e662d533f7469a086abb6ec7de6c94

SHA1
86d13d647c3f810adccb2d4633ecbe7aee5be66a

SHA256
0734e8907cb7ff021d602a5046fd6b2b3790ef37113eb2faf3c6e23425e4755c

SHA512
37bd9d553945f77789d6005962b07891f3b4328207f8cc311be200595043f0a1f0f9b295e4dadb7ecadce2eabf15bfbc940ca0145ead9f65eb14a589eb7e8960

Download Submit
C:\Users\Admin\AppData\Roaming\clientx.exe
MD5
73e662d533f7469a086abb6ec7de6c94

SHA1
86d13d647c3f810adccb2d4633ecbe7aee5be66a

SHA256
0734e8907cb7ff021d602a5046fd6b2b3790ef37113eb2faf3c6e23425e4755c

SHA512
37bd9d553945f77789d6005962b07891f3b4328207f8cc311be200595043f0a1f0f9b295e4dadb7ecadce2eabf15bfbc940ca0145ead9f65eb14a589eb7e8960

Download Submit
C:\Users\Admin\AppData\Roaming\clientx.exe
MD5
73e662d533f7469a086abb6ec7de6c94

SHA1
86d13d647c3f810adccb2d4633ecbe7aee5be66a

SHA256
0734e8907cb7ff021d602a5046fd6b2b3790ef37113eb2faf3c6e23425e4755c

SHA512
37bd9d553945f77789d6005962b07891f3b4328207f8cc311be200595043f0a1f0f9b295e4dadb7ecadce2eabf15bfbc940ca0145ead9f65eb14a589eb7e8960

Download Submit
\Users\Admin\AppData\Roaming\clientx.exe
MD5
73e662d533f7469a086abb6ec7de6c94

SHA1
86d13d647c3f810adccb2d4633ecbe7aee5be66a

SHA256
0734e8907cb7ff021d602a5046fd6b2b3790ef37113eb2faf3c6e23425e4755c

SHA512
37bd9d553945f77789d6005962b07891f3b4328207f8cc311be200595043f0a1f0f9b295e4dadb7ecadce2eabf15bfbc940ca0145ead9f65eb14a589eb7e8960

Download Submit
memory/384-7-0x00000000007A0000-0x00000000007CF000-memory.dmp

Filesize
188KB

Download
memory/384-9-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/384-3-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/384-2-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/384-8-0x0000000000980000-0x000000000098B000-memory.dmp

Filesize
44KB

Download
memory/384-5-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/512-24-0x0000000000000000-mapping.dmp

Download
memory/512-26-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/512-27-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/512-29-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/608-38-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/608-35-0x000000000040C75E-mapping.dmp

Download
memory/608-37-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/608-41-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/632-17-0x0000000000000000-mapping.dmp

Download
memory/676-18-0x0000000000000000-mapping.dmp

Download
memory/756-11-0x000000000040C75E-mapping.dmp

Download
memory/756-16-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/756-15-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/756-13-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/756-12-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/756-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/808-20-0x0000000000000000-mapping.dmp

Download
memory/1152-21-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads