asyncrat | db91a1f06b3434c3f86c3df429e05e39d988bc929f9c7762c4f3215a2d56fe5a

General

Target

24629f46db685706bb7b29e1a34892c4.exe
Size

82KB
MD5

24629f46db685706bb7b29e1a34892c4
SHA1

27943a8694e714b4d1c0a2ce13613ca3597fc629
SHA256

db91a1f06b3434c3f86c3df429e05e39d988bc929f9c7762c4f3215a2d56fe5a
SHA512

8da06698eabaa7f043737374bc560e9aaf59688900bb1763661ac16dfb54b9602227bd5a4796c97837c27dda4ded3c48bb7b7ed3d6cce703b573c4c892e08a31
SSDEEP

1536:mCBJ3yLqdwJt6Gv3qON+eSZPCJJNrXH80+YvtzQ8Pg6Yf9SS:mCe+WuGv3qk+e5sL8o3f9b

Score

10^/10

asyncrat windows sheel host persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Windows Sheel Host

C2

20.111.19.215:3152

Mutex

Windows Sheel Host

Attributes

delay
3
install
false
install_file
Windows Sheel Host.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4660-163-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Sheel Host = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Sheel Host\\Windows Sheel Host.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Sheel Host = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Sheel Host\\Windows Sheel Host.exe"	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

24629f46db685706bb7b29e1a34892c4.exeRegAsm.exe

description	pid	process	target process
PID 3260 set thread context of 5040	3260	24629f46db685706bb7b29e1a34892c4.exe	RegAsm.exe
PID 5040 set thread context of 4660	5040	RegAsm.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4056 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3836 powershell.exe
3836 powershell.exe
4956 powershell.exe
4956 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 3836 powershell.exe
Token: SeDebugPrivilege 4956 powershell.exe
Token: SeDebugPrivilege 4660 RegAsm.exe

pid	process
4056	schtasks.exe

pid	process
3836	powershell.exe
3836	powershell.exe
4956	powershell.exe
4956	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	4660	RegAsm.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

24629f46db685706bb7b29e1a34892c4.execmd.exeRegAsm.exe

description	pid	process	target process
PID 3260 wrote to memory of 3836	3260	24629f46db685706bb7b29e1a34892c4.exe	powershell.exe
PID 3260 wrote to memory of 3836	3260	24629f46db685706bb7b29e1a34892c4.exe	powershell.exe
PID 3260 wrote to memory of 3836	3260	24629f46db685706bb7b29e1a34892c4.exe	powershell.exe
PID 3260 wrote to memory of 3168	3260	24629f46db685706bb7b29e1a34892c4.exe	cmd.exe
PID 3260 wrote to memory of 3168	3260	24629f46db685706bb7b29e1a34892c4.exe	cmd.exe
PID 3260 wrote to memory of 3168	3260	24629f46db685706bb7b29e1a34892c4.exe	cmd.exe
PID 3168 wrote to memory of 4056	3168	cmd.exe	schtasks.exe
PID 3168 wrote to memory of 4056	3168	cmd.exe	schtasks.exe
PID 3168 wrote to memory of 4056	3168	cmd.exe	schtasks.exe
PID 3260 wrote to memory of 5040	3260	24629f46db685706bb7b29e1a34892c4.exe	RegAsm.exe
PID 3260 wrote to memory of 5040	3260	24629f46db685706bb7b29e1a34892c4.exe	RegAsm.exe
PID 3260 wrote to memory of 5040	3260	24629f46db685706bb7b29e1a34892c4.exe	RegAsm.exe
PID 3260 wrote to memory of 5040	3260	24629f46db685706bb7b29e1a34892c4.exe	RegAsm.exe
PID 3260 wrote to memory of 5040	3260	24629f46db685706bb7b29e1a34892c4.exe	RegAsm.exe
PID 3260 wrote to memory of 5040	3260	24629f46db685706bb7b29e1a34892c4.exe	RegAsm.exe
PID 3260 wrote to memory of 5040	3260	24629f46db685706bb7b29e1a34892c4.exe	RegAsm.exe
PID 3260 wrote to memory of 5040	3260	24629f46db685706bb7b29e1a34892c4.exe	RegAsm.exe
PID 5040 wrote to memory of 4956	5040	RegAsm.exe	powershell.exe
PID 5040 wrote to memory of 4956	5040	RegAsm.exe	powershell.exe
PID 5040 wrote to memory of 4956	5040	RegAsm.exe	powershell.exe
PID 5040 wrote to memory of 4660	5040	RegAsm.exe	RegAsm.exe
PID 5040 wrote to memory of 4660	5040	RegAsm.exe	RegAsm.exe
PID 5040 wrote to memory of 4660	5040	RegAsm.exe	RegAsm.exe
PID 5040 wrote to memory of 4660	5040	RegAsm.exe	RegAsm.exe
PID 5040 wrote to memory of 4660	5040	RegAsm.exe	RegAsm.exe
PID 5040 wrote to memory of 4660	5040	RegAsm.exe	RegAsm.exe
PID 5040 wrote to memory of 4660	5040	RegAsm.exe	RegAsm.exe
PID 5040 wrote to memory of 4660	5040	RegAsm.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\24629f46db685706bb7b29e1a34892c4.exe
"C:\Users\Admin\AppData\Local\Temp\24629f46db685706bb7b29e1a34892c4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Sheel Host';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Sheel Host' -Value '"C:\Users\Admin\AppData\Roaming\Windows Sheel Host\Windows Sheel Host.exe"' -PropertyType 'String'
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \Windows Sheel Host /tr "C:\Users\Admin\AppData\Roaming\Windows Sheel Host\Windows Sheel Host.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \Windows Sheel Host /tr "C:\Users\Admin\AppData\Roaming\Windows Sheel Host\Windows Sheel Host.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Sheel Host';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Sheel Host' -Value '"C:\Users\Admin\AppData\Roaming\Windows Sheel Host\Windows Sheel Host.exe"' -PropertyType 'String'
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
1KB

MD5
b5291f3dcf2c13784e09a057f2e43d13

SHA1
fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e

SHA256
ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce

SHA512
11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
a64b53b6459811feb879015ebf389484

SHA1
2a71995a04a2ee651b1f268a576d833173ea224a

SHA256
dae6c07b35d68c16df4e9041568cb5c661f15e216aea519b568e5e6ac409f583

SHA512
62e6c696315264b74cbacfc0cc37012ae343e0733a5154dfc7a41c21211d428835f9e6fd4f48a72f9dd120d5b40c16f1a0d884c5ddcfa10d757326b516875048

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Sheel Host\Windows Sheel Host.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
memory/3168-135-0x0000000000000000-mapping.dmp

Download
memory/3260-132-0x0000000000800000-0x000000000081A000-memory.dmp

Filesize
104KB

Download
memory/3260-133-0x0000000005680000-0x0000000005C24000-memory.dmp

Filesize
5.6MB

Download
memory/3836-150-0x00000000064C0000-0x00000000064DE000-memory.dmp

Filesize
120KB

Download
memory/3836-154-0x00000000074A0000-0x0000000007536000-memory.dmp

Filesize
600KB

Download
memory/3836-141-0x0000000004F50000-0x0000000004F72000-memory.dmp

Filesize
136KB

Download
memory/3836-134-0x0000000000000000-mapping.dmp

Download
memory/3836-144-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download
memory/3836-143-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/3836-137-0x00000000025E0000-0x0000000002616000-memory.dmp

Filesize
216KB

Download
memory/3836-138-0x0000000005230000-0x0000000005858000-memory.dmp

Filesize
6.2MB

Download
memory/3836-147-0x0000000005F20000-0x0000000005F3E000-memory.dmp

Filesize
120KB

Download
memory/3836-148-0x0000000006510000-0x0000000006542000-memory.dmp

Filesize
200KB

Download
memory/3836-149-0x0000000070A60000-0x0000000070AAC000-memory.dmp

Filesize
304KB

Download
memory/3836-158-0x0000000007580000-0x00000000075A2000-memory.dmp

Filesize
136KB

Download
memory/3836-151-0x0000000007870000-0x0000000007EEA000-memory.dmp

Filesize
6.5MB

Download
memory/3836-152-0x0000000007220000-0x000000000723A000-memory.dmp

Filesize
104KB

Download
memory/3836-153-0x0000000007290000-0x000000000729A000-memory.dmp

Filesize
40KB

Download
memory/3836-157-0x0000000007540000-0x0000000007548000-memory.dmp

Filesize
32KB

Download
memory/3836-155-0x0000000007450000-0x000000000745E000-memory.dmp

Filesize
56KB

Download
memory/3836-156-0x0000000007560000-0x000000000757A000-memory.dmp

Filesize
104KB

Download
memory/4056-136-0x0000000000000000-mapping.dmp

Download
memory/4660-162-0x0000000000000000-mapping.dmp

Download
memory/4660-163-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4660-167-0x0000000005ED0000-0x0000000005F6C000-memory.dmp

Filesize
624KB

Download
memory/4956-161-0x0000000000000000-mapping.dmp

Download
memory/5040-140-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5040-139-0x0000000000000000-mapping.dmp

Download
memory/5040-159-0x0000000005060000-0x000000000507E000-memory.dmp

Filesize
120KB

Download
memory/5040-146-0x0000000004FD0000-0x0000000005046000-memory.dmp

Filesize
472KB

Download
memory/5040-145-0x0000000002750000-0x000000000275A000-memory.dmp

Filesize
40KB

Download
memory/5040-142-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads