asyncrat | 561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2

General

Target

561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
Size

45KB
MD5

708b15fe967de91ec55bfc6fdd54433b
SHA1

7ce54db6b7a46e78a1fa78b9588c78e1ca2bc904
SHA256

561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2
SHA512

e84b7003094dc40eb025fe44175571d3665dc00d844c574db97f48aceb8cfd2af5bedaf58ffb66d97e694fb6bf5b9e15d07221a115e113f2e467dd3bfd043c2f

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:8574

lowkeyjust.ddns.net:6606

lowkeyjust.ddns.net:7707

lowkeyjust.ddns.net:8808

lowkeyjust.ddns.net:8574

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
12
install
true
install_file
SteamStartupService.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1424-54-0x0000000000D30000-0x0000000000D42000-memory.dmp	asyncrat
\Users\Admin\AppData\Roaming\SteamStartupService.exe	asyncrat
C:\Users\Admin\AppData\Roaming\SteamStartupService.exe	asyncrat
C:\Users\Admin\AppData\Roaming\SteamStartupService.exe	asyncrat
behavioral1/memory/1252-65-0x0000000000F40000-0x0000000000F52000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

SteamStartupService.exe

pid process

1252 SteamStartupService.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

884 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1544 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

964 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe

pid process

1424 561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe

pid	process
1252	SteamStartupService.exe

pid	process
884	cmd.exe

pid	process
1544	schtasks.exe

pid	process
964	timeout.exe

pid	process
1424	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exeSteamStartupService.exe

description	pid	process
Token: SeDebugPrivilege	1424	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
Token: SeDebugPrivilege	1252	SteamStartupService.exe
Token: SeDebugPrivilege	1252	SteamStartupService.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.execmd.execmd.exe

description	pid	process	target process
PID 1424 wrote to memory of 268	1424	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe	cmd.exe
PID 1424 wrote to memory of 268	1424	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe	cmd.exe
PID 1424 wrote to memory of 268	1424	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe	cmd.exe
PID 1424 wrote to memory of 268	1424	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe	cmd.exe
PID 1424 wrote to memory of 884	1424	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe	cmd.exe
PID 1424 wrote to memory of 884	1424	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe	cmd.exe
PID 1424 wrote to memory of 884	1424	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe	cmd.exe
PID 1424 wrote to memory of 884	1424	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe	cmd.exe
PID 268 wrote to memory of 1544	268	cmd.exe	schtasks.exe
PID 268 wrote to memory of 1544	268	cmd.exe	schtasks.exe
PID 268 wrote to memory of 1544	268	cmd.exe	schtasks.exe
PID 268 wrote to memory of 1544	268	cmd.exe	schtasks.exe
PID 884 wrote to memory of 964	884	cmd.exe	timeout.exe
PID 884 wrote to memory of 964	884	cmd.exe	timeout.exe
PID 884 wrote to memory of 964	884	cmd.exe	timeout.exe
PID 884 wrote to memory of 964	884	cmd.exe	timeout.exe
PID 884 wrote to memory of 1252	884	cmd.exe	SteamStartupService.exe
PID 884 wrote to memory of 1252	884	cmd.exe	SteamStartupService.exe
PID 884 wrote to memory of 1252	884	cmd.exe	SteamStartupService.exe
PID 884 wrote to memory of 1252	884	cmd.exe	SteamStartupService.exe

C:\Users\Admin\AppData\Local\Temp\561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
"C:\Users\Admin\AppData\Local\Temp\561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SteamStartupService" /tr '"C:\Users\Admin\AppData\Roaming\SteamStartupService.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "SteamStartupService" /tr '"C:\Users\Admin\AppData\Roaming\SteamStartupService.exe"'
3⤵
- Creates scheduled task(s)
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE5AE.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:964

C:\Users\Admin\AppData\Roaming\SteamStartupService.exe
"C:\Users\Admin\AppData\Roaming\SteamStartupService.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE5AE.tmp.bat
Filesize
163B

MD5
404dfb6eb50448b03e366e07af139021

SHA1
23b2bd873e264d8402a71cd0e302b444430c68b3

SHA256
b4bd60596106f5861cb97877f7f535cbcfd20a162388b23de24c11d47970007b

SHA512
f4aee119d296083e7b07ac2c52e8388beb145a4a79debe218161999289da7a36c9a86928e7518328465d3f50529451ff6510e7507fe4b07e69ee5982fca9fe80

Download Submit
C:\Users\Admin\AppData\Roaming\SteamStartupService.exe
Filesize
45KB

MD5
708b15fe967de91ec55bfc6fdd54433b

SHA1
7ce54db6b7a46e78a1fa78b9588c78e1ca2bc904

SHA256
561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2

SHA512
e84b7003094dc40eb025fe44175571d3665dc00d844c574db97f48aceb8cfd2af5bedaf58ffb66d97e694fb6bf5b9e15d07221a115e113f2e467dd3bfd043c2f

Download Submit
C:\Users\Admin\AppData\Roaming\SteamStartupService.exe
Filesize
45KB

MD5
708b15fe967de91ec55bfc6fdd54433b

SHA1
7ce54db6b7a46e78a1fa78b9588c78e1ca2bc904

SHA256
561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2

SHA512
e84b7003094dc40eb025fe44175571d3665dc00d844c574db97f48aceb8cfd2af5bedaf58ffb66d97e694fb6bf5b9e15d07221a115e113f2e467dd3bfd043c2f

Download Submit
\Users\Admin\AppData\Roaming\SteamStartupService.exe
Filesize
45KB

MD5
708b15fe967de91ec55bfc6fdd54433b

SHA1
7ce54db6b7a46e78a1fa78b9588c78e1ca2bc904

SHA256
561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2

SHA512
e84b7003094dc40eb025fe44175571d3665dc00d844c574db97f48aceb8cfd2af5bedaf58ffb66d97e694fb6bf5b9e15d07221a115e113f2e467dd3bfd043c2f

Download Submit
memory/268-56-0x0000000000000000-mapping.dmp

Download
memory/884-57-0x0000000000000000-mapping.dmp

Download
memory/964-60-0x0000000000000000-mapping.dmp

Download
memory/1252-63-0x0000000000000000-mapping.dmp

Download
memory/1252-65-0x0000000000F40000-0x0000000000F52000-memory.dmp

Filesize
72KB

Download
memory/1424-54-0x0000000000D30000-0x0000000000D42000-memory.dmp

Filesize
72KB

Download
memory/1424-55-0x0000000075951000-0x0000000075953000-memory.dmp

Filesize
8KB

Download
memory/1544-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads