asyncrat | 880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9

General

Target

880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
Size

903KB
MD5

8e68370433ab06b8e88bdf181e8a3145
SHA1

c77534b6c2e810dfd3e04d483cf67aa130884df9
SHA256

880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9
SHA512

50da06632b350a59a5aa34e6870f954f320895f2202e4f0abfb0b6e9ffe347456fac173791f84f419608298798228ba35433a5e2883b13fff2f1055d86cc3bff

Score

10^/10

asyncrat persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

C2

peacelist.ignorelist.com:7707

peacelist.ignorelist.com:8808

peacelist.ignorelist.com:5505

Mutex

FTPgbnffd

Attributes

anti_vm
false
bsod
false
delay
10
install
true
install_file
shost.exe
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3748-138-0x0000000000340000-0x0000000000396000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

shost.exe

pid process

3836 shost.exe
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
3836	shost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe

description	pid	process	target process
PID 3484 set thread context of 3748	3484	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2556 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2884 timeout.exe

pid	process
2556	schtasks.exe

pid	process
2884	timeout.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exeshost.exe

pid	process
3484	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3484	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3484	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
3836	shost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exeshost.exe

description	pid	process
Token: SeDebugPrivilege	3484	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
Token: SeDebugPrivilege	3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
Token: SeDebugPrivilege	3836	shost.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.execmd.exe

description	pid	process	target process
PID 3484 wrote to memory of 3748	3484	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
PID 3484 wrote to memory of 3748	3484	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
PID 3484 wrote to memory of 3748	3484	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
PID 3484 wrote to memory of 3748	3484	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
PID 3484 wrote to memory of 3748	3484	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
PID 3484 wrote to memory of 3748	3484	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
PID 3484 wrote to memory of 3748	3484	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
PID 3484 wrote to memory of 3748	3484	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
PID 3748 wrote to memory of 2556	3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	schtasks.exe
PID 3748 wrote to memory of 2556	3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	schtasks.exe
PID 3748 wrote to memory of 2556	3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	schtasks.exe
PID 3748 wrote to memory of 316	3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	cmd.exe
PID 3748 wrote to memory of 316	3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	cmd.exe
PID 3748 wrote to memory of 316	3748	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	cmd.exe
PID 316 wrote to memory of 2884	316	cmd.exe	timeout.exe
PID 316 wrote to memory of 2884	316	cmd.exe	timeout.exe
PID 316 wrote to memory of 2884	316	cmd.exe	timeout.exe
PID 316 wrote to memory of 3836	316	cmd.exe	shost.exe
PID 316 wrote to memory of 3836	316	cmd.exe	shost.exe
PID 316 wrote to memory of 3836	316	cmd.exe	shost.exe

C:\Users\Admin\AppData\Local\Temp\880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
"C:\Users\Admin\AppData\Local\Temp\880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484

C:\Users\Admin\AppData\Local\Temp\880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
"C:\Users\Admin\AppData\Local\Temp\880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'shost"' /tr "'C:\Users\Admin\AppData\Roaming\shost.exe"'
3⤵
- Creates scheduled task(s)
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA934.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2884

C:\Users\Admin\AppData\Roaming\shost.exe
"C:\Users\Admin\AppData\Roaming\shost.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 12c00b47644813dded43b10b8244c301 HFtARDn67Eq0BQlFwRe/tg.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe.log
MD5
46c36fe03f74406f6b117679977cf69c

SHA1
c6edbbc26cd21b55688a879e2f1cf972cce7199d

SHA256
dd0b9f20c54c2bd272cda714b16126c07c202e88a350316dc39d8e1cb906f0d2

SHA512
77aba3f48da4fc6e3914928936f28e41054563d77277ad237885bcee75b09ec6e448dde14123ca0f2915d4d1bf291967032fdb62072723d9d8fd59a6d713089e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA934.tmp.bat
MD5
83a09c6f5d6a81e25940f253069e53e0

SHA1
87a309ebe4b0e6668f2e49836fb5cb946d7904d5

SHA256
8c2d9889f2d3dd2920093a6b8ac96b2481d7cacbbee02dc0d4dfe50ef04ed52d

SHA512
2451c41f0d8b70dcb10449b2a36219aee4b2f3d893629e29a5ba54510c1fe502a3b025d8c75ffe2638b9ad1fd2f9ff03c7dabf82c32c868728ec86d1fb80c6cb

Download Submit
C:\Users\Admin\AppData\Roaming\shost.exe
MD5
0bd76bd9111a8e75530e978972d9779e

SHA1
d8a9a9106e41f730bb3ceef66fdf7d766e78be5e

SHA256
4917c14ec80d19297bf157278256da5cd1146aaddc9dbfdc5b3874fe5b09a188

SHA512
eb780ccedbb68320b357f4f8962c240f130aa0b74c78a0511a1a10d1f54841fdaed569808064156b28c409f2a4bb38e5089ad4913667fa08046c3ebebe944080

Download Submit
C:\Users\Admin\AppData\Roaming\shost.exe
MD5
0bd76bd9111a8e75530e978972d9779e

SHA1
d8a9a9106e41f730bb3ceef66fdf7d766e78be5e

SHA256
4917c14ec80d19297bf157278256da5cd1146aaddc9dbfdc5b3874fe5b09a188

SHA512
eb780ccedbb68320b357f4f8962c240f130aa0b74c78a0511a1a10d1f54841fdaed569808064156b28c409f2a4bb38e5089ad4913667fa08046c3ebebe944080

Download Submit
memory/3484-134-0x0000000005930000-0x00000000059C2000-memory.dmp

Filesize
584KB

Download
memory/3484-135-0x0000000004F00000-0x0000000004F22000-memory.dmp

Filesize
136KB

Download
memory/3484-136-0x0000000006570000-0x00000000065B4000-memory.dmp

Filesize
272KB

Download
memory/3484-130-0x0000000000520000-0x0000000000608000-memory.dmp

Filesize
928KB

Download
memory/3484-133-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/3484-132-0x0000000004F00000-0x0000000004F22000-memory.dmp

Filesize
136KB

Download
memory/3484-131-0x0000000004F30000-0x0000000004F52000-memory.dmp

Filesize
136KB

Download
memory/3748-138-0x0000000000340000-0x0000000000396000-memory.dmp

Filesize
344KB

Download
memory/3748-139-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/3748-140-0x0000000004CE0000-0x0000000004D7C000-memory.dmp

Filesize
624KB

Download
memory/3836-149-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/3836-150-0x0000000005641000-0x0000000005642000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads