asyncrat | bada7e61229d4c6bba936e8b163034b3421680c1f4ebbc69160fc96fc5bdb8ca

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-en-20211208
submitted
22-01-2022 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af1e6b53fc3e4679bedd29c25e057b10.exe
Size

3.9MB
MD5

af1e6b53fc3e4679bedd29c25e057b10
SHA1

f5a82edb61a2a0c896406b4cc48c9d1bd5bb082e
SHA256

bada7e61229d4c6bba936e8b163034b3421680c1f4ebbc69160fc96fc5bdb8ca
SHA512

009298300cb8e631c2d28f34268900d8015fe8bbd2e7c21f5eda320a76debea6057a8207d5b30c193f6a182064c4bafeca98ec502a713de70969040191fdedc6

Score

10^/10

asyncrat persistence rat suricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.6B

s1995.ddns.net:5000

Mutex

umgxmwaynloootia

Attributes

anti_vm
false
bsod
false
delay
5
install
true
install_file
zwindows.exe
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/460-80-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

update.exewindows.exe9999.exerevil.exezwindows.exe

pid process

460 update.exe
1120 windows.exe
1196 9999.exe
1936 revil.exe
1372 zwindows.exe
Loads dropped DLL 5 IoCs

Processes:

af1e6b53fc3e4679bedd29c25e057b10.exewindows.exe9999.execmd.exe

pid process

1724 af1e6b53fc3e4679bedd29c25e057b10.exe
1724 af1e6b53fc3e4679bedd29c25e057b10.exe
1120 windows.exe
1196 9999.exe
1592 cmd.exe

pid	process
460	update.exe
1120	windows.exe
1196	9999.exe
1936	revil.exe
1372	zwindows.exe

pid	process
1724	af1e6b53fc3e4679bedd29c25e057b10.exe
1724	af1e6b53fc3e4679bedd29c25e057b10.exe
1120	windows.exe
1196	9999.exe
1592	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

af1e6b53fc3e4679bedd29c25e057b10.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome.exe = "C:\\Users\\Admin\\AppData\\Roaming\\start.exe"	af1e6b53fc3e4679bedd29c25e057b10.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1604 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

756 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

9999.exeupdate.exe

pid process

1196 9999.exe
460 update.exe
460 update.exe
460 update.exe

pid	process
1604	schtasks.exe

pid	process
756	timeout.exe

pid	process
1196	9999.exe
460	update.exe
460	update.exe
460	update.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

af1e6b53fc3e4679bedd29c25e057b10.exeupdate.exewindows.exe9999.exerevil.exezwindows.exe

description	pid	process
Token: SeDebugPrivilege	1724	af1e6b53fc3e4679bedd29c25e057b10.exe
Token: SeDebugPrivilege	460	update.exe
Token: SeDebugPrivilege	1120	windows.exe
Token: SeDebugPrivilege	1196	9999.exe
Token: SeDebugPrivilege	1936	revil.exe
Token: SeDebugPrivilege	1372	zwindows.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

af1e6b53fc3e4679bedd29c25e057b10.exewindows.exe9999.exeupdate.execmd.exe

description	pid	process	target process
PID 1724 wrote to memory of 460	1724	af1e6b53fc3e4679bedd29c25e057b10.exe	update.exe
PID 1724 wrote to memory of 460	1724	af1e6b53fc3e4679bedd29c25e057b10.exe	update.exe
PID 1724 wrote to memory of 460	1724	af1e6b53fc3e4679bedd29c25e057b10.exe	update.exe
PID 1724 wrote to memory of 460	1724	af1e6b53fc3e4679bedd29c25e057b10.exe	update.exe
PID 1724 wrote to memory of 460	1724	af1e6b53fc3e4679bedd29c25e057b10.exe	update.exe
PID 1724 wrote to memory of 460	1724	af1e6b53fc3e4679bedd29c25e057b10.exe	update.exe
PID 1724 wrote to memory of 460	1724	af1e6b53fc3e4679bedd29c25e057b10.exe	update.exe
PID 1724 wrote to memory of 1120	1724	af1e6b53fc3e4679bedd29c25e057b10.exe	windows.exe
PID 1724 wrote to memory of 1120	1724	af1e6b53fc3e4679bedd29c25e057b10.exe	windows.exe
PID 1724 wrote to memory of 1120	1724	af1e6b53fc3e4679bedd29c25e057b10.exe	windows.exe
PID 1724 wrote to memory of 1120	1724	af1e6b53fc3e4679bedd29c25e057b10.exe	windows.exe
PID 1120 wrote to memory of 1196	1120	windows.exe	9999.exe
PID 1120 wrote to memory of 1196	1120	windows.exe	9999.exe
PID 1120 wrote to memory of 1196	1120	windows.exe	9999.exe
PID 1120 wrote to memory of 1196	1120	windows.exe	9999.exe
PID 1196 wrote to memory of 1936	1196	9999.exe	revil.exe
PID 1196 wrote to memory of 1936	1196	9999.exe	revil.exe
PID 1196 wrote to memory of 1936	1196	9999.exe	revil.exe
PID 1196 wrote to memory of 1936	1196	9999.exe	revil.exe
PID 460 wrote to memory of 1604	460	update.exe	schtasks.exe
PID 460 wrote to memory of 1604	460	update.exe	schtasks.exe
PID 460 wrote to memory of 1604	460	update.exe	schtasks.exe
PID 460 wrote to memory of 1604	460	update.exe	schtasks.exe
PID 460 wrote to memory of 1592	460	update.exe	cmd.exe
PID 460 wrote to memory of 1592	460	update.exe	cmd.exe
PID 460 wrote to memory of 1592	460	update.exe	cmd.exe
PID 460 wrote to memory of 1592	460	update.exe	cmd.exe
PID 1592 wrote to memory of 756	1592	cmd.exe	timeout.exe
PID 1592 wrote to memory of 756	1592	cmd.exe	timeout.exe
PID 1592 wrote to memory of 756	1592	cmd.exe	timeout.exe
PID 1592 wrote to memory of 756	1592	cmd.exe	timeout.exe
PID 1592 wrote to memory of 1372	1592	cmd.exe	zwindows.exe
PID 1592 wrote to memory of 1372	1592	cmd.exe	zwindows.exe
PID 1592 wrote to memory of 1372	1592	cmd.exe	zwindows.exe
PID 1592 wrote to memory of 1372	1592	cmd.exe	zwindows.exe
PID 1592 wrote to memory of 1372	1592	cmd.exe	zwindows.exe
PID 1592 wrote to memory of 1372	1592	cmd.exe	zwindows.exe
PID 1592 wrote to memory of 1372	1592	cmd.exe	zwindows.exe

C:\Users\Admin\AppData\Local\Temp\af1e6b53fc3e4679bedd29c25e057b10.exe
"C:\Users\Admin\AppData\Local\Temp\af1e6b53fc3e4679bedd29c25e057b10.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Roaming\update.exe
"C:\Users\Admin\AppData\Roaming\update.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'zwindows"' /tr "'C:\Users\Admin\AppData\Roaming\zwindows.exe"'
3⤵
- Creates scheduled task(s)
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:756

C:\Users\Admin\AppData\Roaming\zwindows.exe
"C:\Users\Admin\AppData\Roaming\zwindows.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Users\Admin\AppData\Roaming\windows.exe
"C:\Users\Admin\AppData\Roaming\windows.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Roaming\9999.exe
"C:\Users\Admin\AppData\Roaming\9999.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Roaming\revil.exe
"C:\Users\Admin\AppData\Roaming\revil.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp.bat
MD5
39c3579a0e9a09774df92bb00a20a9c3

SHA1
9fd8c82be906df1ae46d1b259efa746377b4a662

SHA256
94ead1a1ca483b4626123ac734db6a957744b3508a29aa96d7e6795791e4d482

SHA512
195146e4584f887cd84fef97bb2203221526419bfbaf07c46db417e39f6d551a514865b5afdfe23435b9a3daa4a849ae7d8fb2aa0ed5ee1dcbc08ecf67d04bf6

Download Submit
C:\Users\Admin\AppData\Roaming\9999.exe
MD5
ebb19834df87672faa601f9ba028ce93

SHA1
88dd3c1315142463c822e8282b12486f7798dab8

SHA256
2c218163bfb3d1d40ac321918d6dda8a4270954799fd37cdddd987ad209e72f7

SHA512
faec54d5fc59324be5f82f067ef1695a36ff72bf1a9dee8c5449cceb05725adcee045a76a3a6fd7a902dc9b2c39fcc8ba3775342ddc63d74fd179db4a5c8c8b4

Download Submit
C:\Users\Admin\AppData\Roaming\9999.exe
MD5
ebb19834df87672faa601f9ba028ce93

SHA1
88dd3c1315142463c822e8282b12486f7798dab8

SHA256
2c218163bfb3d1d40ac321918d6dda8a4270954799fd37cdddd987ad209e72f7

SHA512
faec54d5fc59324be5f82f067ef1695a36ff72bf1a9dee8c5449cceb05725adcee045a76a3a6fd7a902dc9b2c39fcc8ba3775342ddc63d74fd179db4a5c8c8b4

Download Submit
C:\Users\Admin\AppData\Roaming\madehaelsayed.txt
MD5
a4aaf61a4d83fe1c7b9c639c83132b03

SHA1
fcc8e0d244d13d893205217fb880fd153744ef61

SHA256
113e563d9f44253127b0d976720a41505069f0b99b7b440acffeaa9b4f65e7c2

SHA512
49dc010fade7d57f7089ef7bcd895733d2438f7ef5ba72dae4c5498b7a352fa8eb38310972c00b3ec7e6b5a7f01f2186343d85239e10150b050c9b3d8fd9fe00

Download Submit
C:\Users\Admin\AppData\Roaming\revil.exe
MD5
3efe8bf4690a1aa786f215b875cbdc20

SHA1
b413f210a1b2dc7ff07835a64aafe3e62f998edf

SHA256
c67f969c38991ffb634b8b8e21fa71ea39accf1fd92bd0cc9f2bda8daae3dcc2

SHA512
9dfec0495a8b7def8321fe81553822f6caa665044fa6b0ebac0ed62922644c40afd20b285d20654e01e2b965b79fa5f4cc8425d201d14ac9ce4c5007c7d059fa

Download Submit
C:\Users\Admin\AppData\Roaming\revil.exe
MD5
3efe8bf4690a1aa786f215b875cbdc20

SHA1
b413f210a1b2dc7ff07835a64aafe3e62f998edf

SHA256
c67f969c38991ffb634b8b8e21fa71ea39accf1fd92bd0cc9f2bda8daae3dcc2

SHA512
9dfec0495a8b7def8321fe81553822f6caa665044fa6b0ebac0ed62922644c40afd20b285d20654e01e2b965b79fa5f4cc8425d201d14ac9ce4c5007c7d059fa

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe
MD5
24703cff3b50738d47a104a1ff3ae134

SHA1
4fb3748a9d159c3d461bedf45fdcab8608689496

SHA256
12d49c4521a453f6ecc3744123ce41aa2455e39806588840b553c8944dfc09df

SHA512
b9e4b7d53f9b2cfb008924da1a68870cc0978e8cf1b1ddf2b275f151a14a922b0c1f362b87dc73c7ddf4b4b3253fb201154d5db2c4711ba675a95a0d6e15c25f

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe
MD5
24703cff3b50738d47a104a1ff3ae134

SHA1
4fb3748a9d159c3d461bedf45fdcab8608689496

SHA256
12d49c4521a453f6ecc3744123ce41aa2455e39806588840b553c8944dfc09df

SHA512
b9e4b7d53f9b2cfb008924da1a68870cc0978e8cf1b1ddf2b275f151a14a922b0c1f362b87dc73c7ddf4b4b3253fb201154d5db2c4711ba675a95a0d6e15c25f

Download Submit
C:\Users\Admin\AppData\Roaming\windows.exe
MD5
ad7b94042d70d42312e57a3ee7d70f0c

SHA1
e01f0557eeb93adca680972d07cb80e29acf96fb

SHA256
0b3f8e6123cea09fc7849e684777cb4afdf3814e1e96ad918b4b9fd0e78598ca

SHA512
0d5a6ed49df80ba1c6123315721f394ed93d07467fca0e741bcde9162bcad768b946c928ba022ec63a7771d7419d595f51204e281ff2811bb25544ee454f52bb

Download Submit
C:\Users\Admin\AppData\Roaming\windows.exe
MD5
ad7b94042d70d42312e57a3ee7d70f0c

SHA1
e01f0557eeb93adca680972d07cb80e29acf96fb

SHA256
0b3f8e6123cea09fc7849e684777cb4afdf3814e1e96ad918b4b9fd0e78598ca

SHA512
0d5a6ed49df80ba1c6123315721f394ed93d07467fca0e741bcde9162bcad768b946c928ba022ec63a7771d7419d595f51204e281ff2811bb25544ee454f52bb

Download Submit
C:\Users\Admin\AppData\Roaming\zwindows.exe
MD5
5f780ef995f3e352dc9d38c54b220948

SHA1
94219069ca5be9a6560e2b45f66bec96f61d421b

SHA256
062095c7f4fe2b80de006e149ccb02315abcbb626d00a76cb2713706c7e2dee4

SHA512
b7b20118a757dbe49e410aa76009ec54f87b9d9adaefe38389994924b3986b0fcede2bc1c78024384218a06db92afc97ad0b5f9bb2b1d4bbb42ba583875178d7

Download Submit
C:\Users\Admin\AppData\Roaming\zwindows.exe
MD5
5f780ef995f3e352dc9d38c54b220948

SHA1
94219069ca5be9a6560e2b45f66bec96f61d421b

SHA256
062095c7f4fe2b80de006e149ccb02315abcbb626d00a76cb2713706c7e2dee4

SHA512
b7b20118a757dbe49e410aa76009ec54f87b9d9adaefe38389994924b3986b0fcede2bc1c78024384218a06db92afc97ad0b5f9bb2b1d4bbb42ba583875178d7

Download Submit
\Users\Admin\AppData\Roaming\9999.exe
MD5
ebb19834df87672faa601f9ba028ce93

SHA1
88dd3c1315142463c822e8282b12486f7798dab8

SHA256
2c218163bfb3d1d40ac321918d6dda8a4270954799fd37cdddd987ad209e72f7

SHA512
faec54d5fc59324be5f82f067ef1695a36ff72bf1a9dee8c5449cceb05725adcee045a76a3a6fd7a902dc9b2c39fcc8ba3775342ddc63d74fd179db4a5c8c8b4

Download Submit
\Users\Admin\AppData\Roaming\revil.exe
MD5
3efe8bf4690a1aa786f215b875cbdc20

SHA1
b413f210a1b2dc7ff07835a64aafe3e62f998edf

SHA256
c67f969c38991ffb634b8b8e21fa71ea39accf1fd92bd0cc9f2bda8daae3dcc2

SHA512
9dfec0495a8b7def8321fe81553822f6caa665044fa6b0ebac0ed62922644c40afd20b285d20654e01e2b965b79fa5f4cc8425d201d14ac9ce4c5007c7d059fa

Download Submit
\Users\Admin\AppData\Roaming\update.exe
MD5
24703cff3b50738d47a104a1ff3ae134

SHA1
4fb3748a9d159c3d461bedf45fdcab8608689496

SHA256
12d49c4521a453f6ecc3744123ce41aa2455e39806588840b553c8944dfc09df

SHA512
b9e4b7d53f9b2cfb008924da1a68870cc0978e8cf1b1ddf2b275f151a14a922b0c1f362b87dc73c7ddf4b4b3253fb201154d5db2c4711ba675a95a0d6e15c25f

Download Submit
\Users\Admin\AppData\Roaming\windows.exe
MD5
ad7b94042d70d42312e57a3ee7d70f0c

SHA1
e01f0557eeb93adca680972d07cb80e29acf96fb

SHA256
0b3f8e6123cea09fc7849e684777cb4afdf3814e1e96ad918b4b9fd0e78598ca

SHA512
0d5a6ed49df80ba1c6123315721f394ed93d07467fca0e741bcde9162bcad768b946c928ba022ec63a7771d7419d595f51204e281ff2811bb25544ee454f52bb

Download Submit
\Users\Admin\AppData\Roaming\zwindows.exe
MD5
5f780ef995f3e352dc9d38c54b220948

SHA1
94219069ca5be9a6560e2b45f66bec96f61d421b

SHA256
062095c7f4fe2b80de006e149ccb02315abcbb626d00a76cb2713706c7e2dee4

SHA512
b7b20118a757dbe49e410aa76009ec54f87b9d9adaefe38389994924b3986b0fcede2bc1c78024384218a06db92afc97ad0b5f9bb2b1d4bbb42ba583875178d7

Download Submit
memory/460-61-0x0000000000F00000-0x0000000000F08000-memory.dmp

Filesize
32KB

Download
memory/460-80-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/460-68-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/1120-69-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/1120-65-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/1196-73-0x0000000000F60000-0x0000000000F68000-memory.dmp

Filesize
32KB

Download
memory/1196-75-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1372-89-0x00000000000E0000-0x00000000000E8000-memory.dmp

Filesize
32KB

Download
memory/1372-92-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/1724-55-0x0000000000C40000-0x0000000000C58000-memory.dmp

Filesize
96KB

Download
memory/1724-57-0x00000000021C0000-0x00000000042D0000-memory.dmp

Filesize
33.1MB

Download
memory/1724-56-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1936-82-0x0000000000210000-0x000000000021E000-memory.dmp

Filesize
56KB

Download
memory/1936-83-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/1936-84-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/1936-79-0x0000000001160000-0x0000000001174000-memory.dmp

Filesize
80KB

Download