asyncrat | 51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228

General

Target

51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe
Size

411KB
MD5

d879fac9c6581b1c2760b883402cc494
SHA1

0769ec09dad81a27a50589563eba1b0c3b236335
SHA256

51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228
SHA512

3407f8f23ff8afd486a218284bfa4cb84edc2109aead0c6cce424df7cae36c6012b1f96088dc044065451d1f2926b0fea3bec39e5a04cbebd8e55fdb9bacc615

Score

10^/10

asyncrat metastealer default rat stealer

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

213.226.119.28:6606

213.226.119.28:7707

213.226.119.28:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3496-133-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2988	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4504 set thread context of 3496	4504	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4204	schtasks.exe
4088	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3752	timeout.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4504	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe
3496	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4504	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe
Token: SeDebugPrivilege	3496	MSBuild.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 4204	4504	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	87
PID 4504 wrote to memory of 4204	4504	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	87
PID 4504 wrote to memory of 4204	4504	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	87
PID 4504 wrote to memory of 3496	4504	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	89
PID 4504 wrote to memory of 3496	4504	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	89
PID 4504 wrote to memory of 3496	4504	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	89
PID 4504 wrote to memory of 3496	4504	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	89
PID 4504 wrote to memory of 3496	4504	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	89
PID 4504 wrote to memory of 3496	4504	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	89
PID 4504 wrote to memory of 3496	4504	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	89
PID 4504 wrote to memory of 3496	4504	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	89
PID 3496 wrote to memory of 2204	3496	MSBuild.exe	95
PID 3496 wrote to memory of 2204	3496	MSBuild.exe	95
PID 3496 wrote to memory of 2204	3496	MSBuild.exe	95
PID 3496 wrote to memory of 1820	3496	MSBuild.exe	97
PID 3496 wrote to memory of 1820	3496	MSBuild.exe	97
PID 3496 wrote to memory of 1820	3496	MSBuild.exe	97
PID 2204 wrote to memory of 4088	2204	cmd.exe	99
PID 2204 wrote to memory of 4088	2204	cmd.exe	99
PID 2204 wrote to memory of 4088	2204	cmd.exe	99
PID 1820 wrote to memory of 3752	1820	cmd.exe	100
PID 1820 wrote to memory of 3752	1820	cmd.exe	100
PID 1820 wrote to memory of 3752	1820	cmd.exe	100
PID 1820 wrote to memory of 2988	1820	cmd.exe	101
PID 1820 wrote to memory of 2988	1820	cmd.exe	101
PID 1820 wrote to memory of 2988	1820	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe
"C:\Users\Admin\AppData\Local\Temp\51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jLkXBYtNmvdDpa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFB77.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      Creates scheduled task(s)
      PID:4088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1A49.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3752
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:2988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1A49.tmp.bat

Filesize
151B

MD5
96fb8c6328bab4f6c598c80f5af75322

SHA1
f00c199da4279cd6e3205172208b9213943c47ab

SHA256
b0d2ee1a4139b44585cb67419db68fef5b87bb6932e06938a42b0778bc9efb3f

SHA512
d2e917b93c36f661e1743b3eedfe6942fdf66737e7bd54b15b24d4a012a7a1b8dae0ce283117f6ed5dad10cc4be6f4e1300cc324f67dc4fa616662cea1ba2b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFB77.tmp

Filesize
1KB

MD5
f4d659e7e9083fc8a2dbc8ce8565b9e5

SHA1
c376ae0e26343bb7ca49bc381020d6fc7573f826

SHA256
da4c853fea3514b94a7943e9f0e440d2570dc4f159dc833fe4aded0296c9cf50

SHA512
c4734a560f9864ae9af9183348eff61c881a0eecc0d1c3b09d9c6f24f35c4164ec0abba622d7276be3a981e6dcd55bed82986257877092ccb5ee38528a1f2dbb

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
memory/2988-142-0x0000000000A90000-0x0000000000AD0000-memory.dmp

Filesize
256KB

Download
memory/2988-144-0x0000000005B60000-0x0000000005CBA000-memory.dmp

Filesize
1.4MB

Download
memory/2988-143-0x0000000005740000-0x000000000575A000-memory.dmp

Filesize
104KB

Download
memory/3496-133-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4504-129-0x0000000007660000-0x00000000076FC000-memory.dmp

Filesize
624KB

Download
memory/4504-126-0x0000000004DF0000-0x0000000004E82000-memory.dmp

Filesize
584KB

Download
memory/4504-125-0x00000000053A0000-0x0000000005944000-memory.dmp

Filesize
5.6MB

Download
memory/4504-124-0x0000000000500000-0x000000000056C000-memory.dmp

Filesize
432KB

Download
memory/4504-127-0x0000000004F90000-0x0000000004F9A000-memory.dmp

Filesize
40KB

Download
memory/4504-128-0x0000000007720000-0x0000000007C4C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads