asyncrat | hxxp://13[.]78[.]209[.]105/D/Servers/AsyncClient[.]exe

General

Target

http://13.78.209.105/D/Servers/AsyncClient.exe

Score

10^/10

asyncrat default rat suricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

asyncmoney.duckdns.org:7829

asyncmoney.duckdns.org:7840

asyncmoney.duckdns.org:7841

asyncmoney.duckdns.org:7842

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YT6ZDZWI\AsyncClient.exe.201hpex.partial	asyncrat
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YT6ZDZWI\AsyncClient.exe	asyncrat

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

AsyncClient.exe

pid process

212 AsyncClient.exe

pid	process
212	AsyncClient.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 0a705db740c1d701	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "342223403"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f9406ff0332db44b36b7a7c571692eb00000000020000000000106600000001000020000000bddc0c1995a751077adddbbe6866692f423b59d28df86f96cb982169b47c2157000000000e800000000200002000000033a3534523b44f1f92e28aa28f5b11df0a622a216959d9c17a115f3c16fca2ca2000000096ee633c5779de5753ed51bda9ff2dcae71c72399e054bfa8c9bedb092c800e9400000000cf24072d687e33b6fe0f1e42fe16f401d0e787181991a1aa572e46a2c011620a16add3e7c88e433d58b8b7e44b0dbc3850c9a35272339f343678a2d4e08c98b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f9406ff0332db44b36b7a7c571692eb0000000002000000000010660000000100002000000073c6ce745ebbea79ae8bde5cbb1f3d94a74d24ae605a7da0555b71fa0060f5e9000000000e800000000200002000000004994bd4c7f1686534639a5a8d64db8e77d8a7672915251bfb485f8f78d0d7bc2000000037d738aa062257fa01447eb3d6e451e135d4d869c3504eb508bc01e8b32e3d884000000075fc2aa588f189e56956e7e1fca80e765124a24cfde4f000709d8820ea667eff693d2781a2094f5f685c4df4bcad95bc2eed43cc4231e17116e124dc37927149	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30abff4b47ccd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B5D26835-3AA6-11EC-B8A2-5A5AAA0A9D65} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "342271989"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "342239998"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{087CA9F5-D273-44D2-B203-4EAA4488C531}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9085d94b47ccd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AsyncClient.exe

description pid process

Token: SeDebugPrivilege 212 AsyncClient.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

3704 iexplore.exe
3704 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3704 iexplore.exe
3704 iexplore.exe
1328 IEXPLORE.EXE
1328 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	212	AsyncClient.exe

pid	process
3704	iexplore.exe
3704	iexplore.exe

pid	process
3704	iexplore.exe
3704	iexplore.exe
1328	IEXPLORE.EXE
1328	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3704 wrote to memory of 1328	3704	iexplore.exe	IEXPLORE.EXE
PID 3704 wrote to memory of 1328	3704	iexplore.exe	IEXPLORE.EXE
PID 3704 wrote to memory of 1328	3704	iexplore.exe	IEXPLORE.EXE
PID 3704 wrote to memory of 212	3704	iexplore.exe	AsyncClient.exe
PID 3704 wrote to memory of 212	3704	iexplore.exe	AsyncClient.exe
PID 3704 wrote to memory of 212	3704	iexplore.exe	AsyncClient.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://13.78.209.105/D/Servers/AsyncClient.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3704

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3704 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1328

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YT6ZDZWI\AsyncClient.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YT6ZDZWI\AsyncClient.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YT6ZDZWI\AsyncClient.exe
MD5
d4b8b8cfd3b479a8138cd750c58a7c82

SHA1
b96aa9a15e4076786b16edfef4b3a92d289a3cad

SHA256
1490f6303a675ded86c22841f87868c6f0867e922671e0426f499e46a72060d2

SHA512
388654ac3e7c550b1a350efab96d8c9f30450a02edfa3d91a902e915a4bdaee26d628ed2cd3f6dfbb9601ccf0a2feb0b06f098562ae384e88abbb3a05b9d1978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YT6ZDZWI\AsyncClient.exe.201hpex.partial
MD5
d4b8b8cfd3b479a8138cd750c58a7c82

SHA1
b96aa9a15e4076786b16edfef4b3a92d289a3cad

SHA256
1490f6303a675ded86c22841f87868c6f0867e922671e0426f499e46a72060d2

SHA512
388654ac3e7c550b1a350efab96d8c9f30450a02edfa3d91a902e915a4bdaee26d628ed2cd3f6dfbb9601ccf0a2feb0b06f098562ae384e88abbb3a05b9d1978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\IKIYKQBT.cookie
MD5
e9149884b4e1c02884cd08fc2b6580b3

SHA1
f0a48778045859e8ae8b3b4c68dee8b961dcea25

SHA256
a1edf83592d45fc388b2924c1f8e0f47ed0734a882b2aa06dbf172398c40b7cf

SHA512
13b3d93fd641cde16b7be6d44e2d55732fbaa58c390640bfd21c3cb93b92d0f0d8fad1ee58cc0eefbf9dacb1bdeeda01113951055cfb7beab83199aeb223617b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\R540XI2Z.cookie
MD5
59092e8746ec3035eb15e68cd49572df

SHA1
d752647cebeed6ae6e6ea91ac8545ff7362386c9

SHA256
cd2802d8785d6c8cf46abf91d48a924ef96d178c4308e79883049c7e2d36b65a

SHA512
950a357e107343c3d4324c53d6ba74820aca3c7d216599f75409e2a761bc634ee598ee02726d0de8f89f2ca75abbe21e1a71c80b075cff5681d6af52ed9c0d77

Download Submit
memory/212-199-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/212-195-0x0000000000000000-mapping.dmp

Download
memory/1328-140-0x0000000000000000-mapping.dmp

Download
memory/3704-142-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-149-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-125-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-127-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-128-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-129-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-131-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-132-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-134-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-135-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-136-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-137-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-138-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-123-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-141-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-115-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-144-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-145-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-147-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-124-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-150-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-151-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-155-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-156-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-157-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-163-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-164-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-165-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-166-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-167-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-168-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-172-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-174-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-122-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-121-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-120-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-119-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-117-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download
memory/3704-116-0x00007FFF23B50000-0x00007FFF23BBB000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads