asyncrat | 08d215fd35494280e6397e8bc527bd6de64eb78a73acd3bd07a01da376ed4cb7

Resubmissions

07-02-2022 00:34

220207-aw81qsdce2 10

Analysis

max time kernel
147s
max time network
185s
platform
windows7_x64
resource
win7-en-20211208
submitted
07-02-2022 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BattleText.exe
Size

79KB
MD5

ac98d5e7f59a9feb167f01c6749baccb
SHA1

80be262b88d22230ebd7a44e03ddd810092fdfb5
SHA256

c7e4b8b9ded5df50dc1b2b8e6af95cb6cfb310c20be19c879c48a83371b345da
SHA512

6ff2a6713691b097ccd678f6275624ed88561aa4458a3d5e2b9bfece60d4cfccdf0c4a88aba0728569126648c1a93972c45807ae077c60203f1eee63f5bca368

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

shortcut2021.duckdns.org:6001

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

resource	yara_rule
behavioral15/memory/1240-63-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral15/memory/1240-62-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral15/memory/1240-64-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral15/memory/1240-65-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BattleText.exe	BattleText.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BattleText.exe	BattleText.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 1240	2040	BattleText.exe	29

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	BattleText.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	BattleText.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	BattleText.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe
2040	BattleText.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	BattleText.exe
Token: SeDebugPrivilege	1240	BattleText.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1240	2040	BattleText.exe	29
PID 2040 wrote to memory of 1240	2040	BattleText.exe	29
PID 2040 wrote to memory of 1240	2040	BattleText.exe	29
PID 2040 wrote to memory of 1240	2040	BattleText.exe	29
PID 2040 wrote to memory of 1240	2040	BattleText.exe	29
PID 2040 wrote to memory of 1240	2040	BattleText.exe	29
PID 2040 wrote to memory of 1240	2040	BattleText.exe	29
PID 2040 wrote to memory of 1240	2040	BattleText.exe	29
PID 2040 wrote to memory of 1240	2040	BattleText.exe	29

C:\Users\Admin\AppData\Local\Temp\BattleText.exe
"C:\Users\Admin\AppData\Local\Temp\BattleText.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\BattleText.exe
  "C:\Users\Admin\AppData\Local\Temp\BattleText.exe"
  2⤵
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1240-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1240-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1240-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1240-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1240-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1240-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1240-67-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/2040-57-0x0000000000480000-0x00000000004C6000-memory.dmp

Filesize
280KB

Download
memory/2040-58-0x0000000000C00000-0x0000000000C28000-memory.dmp

Filesize
160KB

Download
memory/2040-59-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/2040-55-0x0000000000E90000-0x0000000000EAA000-memory.dmp

Filesize
104KB

Download
memory/2040-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download