asyncrat | e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302

Analysis

max time kernel
149s
max time network
163s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-04-2022 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
Size

3.7MB
MD5

50f94e792afda30fe1c485c2d733ddae
SHA1

5acb6535b97021f32220fb4ec2c68bb3019ec55b
SHA256

e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302
SHA512

2f5cdd6c589289e1e35cc50fc449c6419a81f724e65770d9bb2aca5f42472476a06de522e7a9f29d6e6dd52ff49fac355a058f9971ef3ee4b3c274ebd4de8834

Score

10^/10

asyncrat 2 persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6B

Botnet

76.223.249.60:6606

76.223.249.60:7707

76.223.249.60:8808

Mutex

fscdeuqvqetgvzu

Attributes

delay
0
install
false
install_file
support.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\bAPSHbkkGXm778Nx\\fx3X8B2PSj7C.exe\",explorer.exe"	e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/800-60-0x0000000000B60000-0x0000000000B72000-memory.dmp	asyncrat

Executes dropped EXE 3 IoCs

Processes:

VNYkuIlvKGBtGeDc.exeVNYkuIlvKGBtGeDc.exeVNYkuIlvKGBtGeDc.exe

pid process

2040 VNYkuIlvKGBtGeDc.exe
1152 VNYkuIlvKGBtGeDc.exe
824 VNYkuIlvKGBtGeDc.exe
Loads dropped DLL 3 IoCs

Processes:

e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exeVNYkuIlvKGBtGeDc.exe

pid process

800 e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
2040 VNYkuIlvKGBtGeDc.exe
2040 VNYkuIlvKGBtGeDc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2040	VNYkuIlvKGBtGeDc.exe
1152	VNYkuIlvKGBtGeDc.exe
824	VNYkuIlvKGBtGeDc.exe

pid	process
800	e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
2040	VNYkuIlvKGBtGeDc.exe
2040	VNYkuIlvKGBtGeDc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VNYkuIlvKGBtGeDc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	VNYkuIlvKGBtGeDc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	VNYkuIlvKGBtGeDc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

VNYkuIlvKGBtGeDc.exe

pid process

1152 VNYkuIlvKGBtGeDc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe

description pid process

Token: SeDebugPrivilege 800 e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

VNYkuIlvKGBtGeDc.exe

pid process

824 VNYkuIlvKGBtGeDc.exe
824 VNYkuIlvKGBtGeDc.exe
824 VNYkuIlvKGBtGeDc.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

VNYkuIlvKGBtGeDc.exe

pid process

824 VNYkuIlvKGBtGeDc.exe
824 VNYkuIlvKGBtGeDc.exe
824 VNYkuIlvKGBtGeDc.exe

pid	process
1152	VNYkuIlvKGBtGeDc.exe

description	pid	process
Token: SeDebugPrivilege	800	e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe

pid	process
824	VNYkuIlvKGBtGeDc.exe
824	VNYkuIlvKGBtGeDc.exe
824	VNYkuIlvKGBtGeDc.exe

pid	process
824	VNYkuIlvKGBtGeDc.exe
824	VNYkuIlvKGBtGeDc.exe
824	VNYkuIlvKGBtGeDc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exeVNYkuIlvKGBtGeDc.exe

description	pid	process	target process
PID 800 wrote to memory of 2040	800	e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe	VNYkuIlvKGBtGeDc.exe
PID 800 wrote to memory of 2040	800	e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe	VNYkuIlvKGBtGeDc.exe
PID 800 wrote to memory of 2040	800	e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe	VNYkuIlvKGBtGeDc.exe
PID 800 wrote to memory of 2040	800	e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe	VNYkuIlvKGBtGeDc.exe
PID 2040 wrote to memory of 1152	2040	VNYkuIlvKGBtGeDc.exe	VNYkuIlvKGBtGeDc.exe
PID 2040 wrote to memory of 1152	2040	VNYkuIlvKGBtGeDc.exe	VNYkuIlvKGBtGeDc.exe
PID 2040 wrote to memory of 1152	2040	VNYkuIlvKGBtGeDc.exe	VNYkuIlvKGBtGeDc.exe
PID 2040 wrote to memory of 1152	2040	VNYkuIlvKGBtGeDc.exe	VNYkuIlvKGBtGeDc.exe
PID 2040 wrote to memory of 824	2040	VNYkuIlvKGBtGeDc.exe	VNYkuIlvKGBtGeDc.exe
PID 2040 wrote to memory of 824	2040	VNYkuIlvKGBtGeDc.exe	VNYkuIlvKGBtGeDc.exe
PID 2040 wrote to memory of 824	2040	VNYkuIlvKGBtGeDc.exe	VNYkuIlvKGBtGeDc.exe
PID 2040 wrote to memory of 824	2040	VNYkuIlvKGBtGeDc.exe	VNYkuIlvKGBtGeDc.exe

C:\Users\Admin\AppData\Local\Temp\e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe
"C:\Users\Admin\AppData\Local\Temp\e662022f03271901b4160d6787a742c1e8b8b24ec44686206fe8e6ed61714302.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe
"C:\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe
"C:\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe" --local-control
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:824

C:\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe
"C:\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe" --local-service
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe
Filesize
3.5MB

MD5
e9fb13875b744fa633d1a7a34b0f6a52

SHA1
f0966985745541ba01800aa213509a89a7fdf716

SHA256
fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e

SHA512
c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292

Download Submit
C:\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe
Filesize
3.5MB

MD5
e9fb13875b744fa633d1a7a34b0f6a52

SHA1
f0966985745541ba01800aa213509a89a7fdf716

SHA256
fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e

SHA512
c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292

Download Submit
C:\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe
Filesize
3.5MB

MD5
e9fb13875b744fa633d1a7a34b0f6a52

SHA1
f0966985745541ba01800aa213509a89a7fdf716

SHA256
fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e

SHA512
c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292

Download Submit
C:\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe
Filesize
3.5MB

MD5
e9fb13875b744fa633d1a7a34b0f6a52

SHA1
f0966985745541ba01800aa213509a89a7fdf716

SHA256
fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e

SHA512
c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
6KB

MD5
840cb8f482af6899d2dd1f47a30daced

SHA1
ae257b1f711ddaed65767c8104119b87b82f70ba

SHA256
344ee98353b41126066a38b77336c3bc90f5ac3c0d29d5e7fb24d74cbc24de7d

SHA512
9495f9b9c9116eee5fd8476dd9db9fec819acc5fbbc7f9660d6185b5e6d2a345ee53c2ca07fa69a2457fc2e639974c103e8c7f72d9b28c20f1edab2d2403db21

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
6KB

MD5
840cb8f482af6899d2dd1f47a30daced

SHA1
ae257b1f711ddaed65767c8104119b87b82f70ba

SHA256
344ee98353b41126066a38b77336c3bc90f5ac3c0d29d5e7fb24d74cbc24de7d

SHA512
9495f9b9c9116eee5fd8476dd9db9fec819acc5fbbc7f9660d6185b5e6d2a345ee53c2ca07fa69a2457fc2e639974c103e8c7f72d9b28c20f1edab2d2403db21

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
bb03b879b75cc71581e0c9713549cb98

SHA1
bb944264d6d960a8ac1fe02fc2b4c8bc76a87dd5

SHA256
70651079d983cabb773b3ce82182bc9e5e9ce7705470be0ef78c258e4467d746

SHA512
b685579a1bcf7911b35f087fe11635a30b9f5ea9d7fcdd065ccfeac8be2f9430a38c47df74a0d752b80278c9bd7ea402bdf4d7d76f59658ae9aeb7a35f511cb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
105B

MD5
b786276566641bcfc2dfd92890b4b99d

SHA1
9565e49c7c739a8bce54cd21818b51dc338512da

SHA256
a4da3c92f70d2d36878c8ea6cbde741373302046351477d745dcc29385c37520

SHA512
9e084c6eb838855b51cd686968c6f847ac53855fa32a861e2c49570bd11bae6239185b26ed33d1ba7e81679f0e79294847302115f646a208370356c5d11d761a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
113B

MD5
dd5ffa613237c96ea57da3c4e8281651

SHA1
b140b7bc9c0488858afd3935f628af84becce6f9

SHA256
5fce67844173db1b947617f14df4198b4593f8a68dbe540ecf645ea405ca33de

SHA512
3496c5c4221763ffb72bccb8a977aa778f314b9ed3bebd9b5a7efd6fc1410b436a12cc25e4df66d5c2f63d6715264c9343ac33485071c88d493c14bbf7c25cce

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe
Filesize
3.5MB

MD5
e9fb13875b744fa633d1a7a34b0f6a52

SHA1
f0966985745541ba01800aa213509a89a7fdf716

SHA256
fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e

SHA512
c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292

Download Submit
\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe
Filesize
3.5MB

MD5
e9fb13875b744fa633d1a7a34b0f6a52

SHA1
f0966985745541ba01800aa213509a89a7fdf716

SHA256
fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e

SHA512
c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292

Download Submit
\Users\Admin\AppData\Local\Temp\VNYkuIlvKGBtGeDc.exe
Filesize
3.5MB

MD5
e9fb13875b744fa633d1a7a34b0f6a52

SHA1
f0966985745541ba01800aa213509a89a7fdf716

SHA256
fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e

SHA512
c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292

Download Submit
memory/800-60-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/800-54-0x0000000001320000-0x00000000016D6000-memory.dmp

Filesize
3.7MB

Download
memory/800-56-0x0000000016110000-0x00000000164B2000-memory.dmp

Filesize
3.6MB

Download
memory/800-55-0x0000000004F45000-0x0000000004F56000-memory.dmp

Filesize
68KB

Download
memory/824-69-0x0000000000000000-mapping.dmp

Download
memory/824-76-0x0000000000900000-0x0000000001675000-memory.dmp

Filesize
13.5MB

Download
memory/1152-67-0x0000000000000000-mapping.dmp

Download
memory/1152-73-0x0000000000900000-0x0000000001675000-memory.dmp

Filesize
13.5MB

Download
memory/2040-64-0x0000000000900000-0x0000000001675000-memory.dmp

Filesize
13.5MB

Download
memory/2040-62-0x0000000000900000-0x0000000001675000-memory.dmp

Filesize
13.5MB

Download
memory/2040-61-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/2040-58-0x0000000000000000-mapping.dmp

Download