asyncrat | 561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2

General

Target

561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
Size

45KB
MD5

708b15fe967de91ec55bfc6fdd54433b
SHA1

7ce54db6b7a46e78a1fa78b9588c78e1ca2bc904
SHA256

561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2
SHA512

e84b7003094dc40eb025fe44175571d3665dc00d844c574db97f48aceb8cfd2af5bedaf58ffb66d97e694fb6bf5b9e15d07221a115e113f2e467dd3bfd043c2f

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:8574

lowkeyjust.ddns.net:6606

lowkeyjust.ddns.net:7707

lowkeyjust.ddns.net:8808

lowkeyjust.ddns.net:8574

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
12
install
true
install_file
SteamStartupService.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3796-130-0x00000000002D0000-0x00000000002E2000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\SteamStartupService.exe	asyncrat
C:\Users\Admin\AppData\Roaming\SteamStartupService.exe	asyncrat

Executes dropped EXE 1 IoCs

Processes:

SteamStartupService.exe

pid process

4004 SteamStartupService.exe

pid	process
4004	SteamStartupService.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

384 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3556 timeout.exe

pid	process
384	schtasks.exe

pid	process
3556	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe

pid	process
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exeSteamStartupService.exe

description	pid	process
Token: SeDebugPrivilege	3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
Token: SeDebugPrivilege	4004	SteamStartupService.exe
Token: SeDebugPrivilege	4004	SteamStartupService.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.execmd.execmd.exe

description	pid	process	target process
PID 3796 wrote to memory of 4228	3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe	cmd.exe
PID 3796 wrote to memory of 4228	3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe	cmd.exe
PID 3796 wrote to memory of 4228	3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe	cmd.exe
PID 3796 wrote to memory of 4724	3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe	cmd.exe
PID 3796 wrote to memory of 4724	3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe	cmd.exe
PID 3796 wrote to memory of 4724	3796	561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe	cmd.exe
PID 4724 wrote to memory of 3556	4724	cmd.exe	timeout.exe
PID 4724 wrote to memory of 3556	4724	cmd.exe	timeout.exe
PID 4724 wrote to memory of 3556	4724	cmd.exe	timeout.exe
PID 4228 wrote to memory of 384	4228	cmd.exe	schtasks.exe
PID 4228 wrote to memory of 384	4228	cmd.exe	schtasks.exe
PID 4228 wrote to memory of 384	4228	cmd.exe	schtasks.exe
PID 4724 wrote to memory of 4004	4724	cmd.exe	SteamStartupService.exe
PID 4724 wrote to memory of 4004	4724	cmd.exe	SteamStartupService.exe
PID 4724 wrote to memory of 4004	4724	cmd.exe	SteamStartupService.exe

C:\Users\Admin\AppData\Local\Temp\561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe
"C:\Users\Admin\AppData\Local\Temp\561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SteamStartupService" /tr '"C:\Users\Admin\AppData\Roaming\SteamStartupService.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "SteamStartupService" /tr '"C:\Users\Admin\AppData\Roaming\SteamStartupService.exe"'
3⤵
- Creates scheduled task(s)
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2BE2.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3556

C:\Users\Admin\AppData\Roaming\SteamStartupService.exe
"C:\Users\Admin\AppData\Roaming\SteamStartupService.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2BE2.tmp.bat
Filesize
163B

MD5
ba813e200c5a1f591e96c4abf8381739

SHA1
55811a8a033bc31794b882f2ac7e596f196af7c5

SHA256
ef431ff7719df6f1f45fff75254eafa127f5aa895fdc1d0e09d26eccd9709782

SHA512
c9aa3f566f2dcc44ff3b7881043eee3c45b2ff5efa999be9306a56d133032faa1514c1a04dc171e7f82de45ee425a8e0c13d04ebe2615962f957448bbb1d7dc9

Download Submit
C:\Users\Admin\AppData\Roaming\SteamStartupService.exe
Filesize
45KB

MD5
708b15fe967de91ec55bfc6fdd54433b

SHA1
7ce54db6b7a46e78a1fa78b9588c78e1ca2bc904

SHA256
561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2

SHA512
e84b7003094dc40eb025fe44175571d3665dc00d844c574db97f48aceb8cfd2af5bedaf58ffb66d97e694fb6bf5b9e15d07221a115e113f2e467dd3bfd043c2f

Download Submit
C:\Users\Admin\AppData\Roaming\SteamStartupService.exe
Filesize
45KB

MD5
708b15fe967de91ec55bfc6fdd54433b

SHA1
7ce54db6b7a46e78a1fa78b9588c78e1ca2bc904

SHA256
561d4930d5ff9d53ffbee68d2554f89ed3b32968ee29b2520ce1f60c5a0d4ff2

SHA512
e84b7003094dc40eb025fe44175571d3665dc00d844c574db97f48aceb8cfd2af5bedaf58ffb66d97e694fb6bf5b9e15d07221a115e113f2e467dd3bfd043c2f

Download Submit
memory/384-137-0x0000000000000000-mapping.dmp

Download
memory/3556-136-0x0000000000000000-mapping.dmp

Download
memory/3796-130-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/3796-131-0x0000000004D60000-0x0000000004DC6000-memory.dmp

Filesize
408KB

Download
memory/3796-132-0x00000000053F0000-0x000000000548C000-memory.dmp

Filesize
624KB

Download
memory/4004-138-0x0000000000000000-mapping.dmp

Download
memory/4228-133-0x0000000000000000-mapping.dmp

Download
memory/4724-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads