asyncrat | 3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

Analysis

max time kernel
300s
max time network
304s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sqatyavkpcidpvwiialfnbdpawluusrm.exe
Size

63KB
MD5

dae21c538a7a4f8294d7e19916be9100
SHA1

cea1c44030c6f45243a9408e59f8e43304402438
SHA256

3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4
SHA512

8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26
SSDEEP

1536:6hQDnx1Ak32YGbHZCyYaN1bbLwtY3L3VG/tpqKmY7:6hQDnx1Ak32HHZCyP1bbLxL322z

Score

10^/10

asyncrat bitrat redline cheat new discovery infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

asyncrat

Version

1.0.7 - modded by last

Botnet

New

nicehash.at:4343

Mutex

adsasutex_qwqdanchun

Attributes

delay
1
install
true
install_file
GoogleDriver.exe
install_folder
%AppData%

aes.plain

Extracted

Family

bitrat

Version

1.38

nicehash.at:6000

Attributes

communication_password
005f16f264f006578c55237781f36898
install_dir
JavaHelper
install_file
Java.exe
tor_process
tor

Extracted

Family

redline

Botnet

cheat

nicehash.at:1338

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000122ec-87.dat	family_redline
behavioral1/files/0x000b0000000122ec-89.dat	family_redline
behavioral1/memory/1956-92-0x0000000001070000-0x000000000108E000-memory.dmp	family_redline
behavioral1/memory/664-98-0x00000000003E0000-0x00000000003EA000-memory.dmp	family_redline

Async RAT payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/1044-54-0x0000000000A80000-0x0000000000A96000-memory.dmp	asyncrat
behavioral1/files/0x000b0000000122f1-61.dat	asyncrat
behavioral1/files/0x000b0000000122f1-62.dat	asyncrat
behavioral1/memory/564-63-0x0000000001180000-0x0000000001196000-memory.dmp	asyncrat
behavioral1/memory/564-64-0x0000000000450000-0x0000000000470000-memory.dmp	asyncrat

Executes dropped EXE 3 IoCs

pid	Process
564	GoogleDriver.exe
664	bit.exe
1956	rdln.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e000000012353-73.dat	upx
behavioral1/files/0x000e000000012353-75.dat	upx
behavioral1/memory/664-79-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/664-95-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Local\\JavaHelper\\Java.exe"	bit.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
664	bit.exe
664	bit.exe
664	bit.exe
664	bit.exe
664	bit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1440	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
628	timeout.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1044	sqatyavkpcidpvwiialfnbdpawluusrm.exe
564	GoogleDriver.exe
1784	powershell.exe
1784	powershell.exe
1784	powershell.exe
1516	powershell.exe
564	GoogleDriver.exe
1516	powershell.exe
1516	powershell.exe
1956	rdln.exe
1956	rdln.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	sqatyavkpcidpvwiialfnbdpawluusrm.exe
Token: SeDebugPrivilege	564	GoogleDriver.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	664	bit.exe
Token: SeShutdownPrivilege	664	bit.exe
Token: SeDebugPrivilege	1956	rdln.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
664	bit.exe
664	bit.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1960	1044	sqatyavkpcidpvwiialfnbdpawluusrm.exe	27
PID 1044 wrote to memory of 1960	1044	sqatyavkpcidpvwiialfnbdpawluusrm.exe	27
PID 1044 wrote to memory of 1960	1044	sqatyavkpcidpvwiialfnbdpawluusrm.exe	27
PID 1960 wrote to memory of 1440	1960	cmd.exe	29
PID 1960 wrote to memory of 1440	1960	cmd.exe	29
PID 1960 wrote to memory of 1440	1960	cmd.exe	29
PID 1044 wrote to memory of 916	1044	sqatyavkpcidpvwiialfnbdpawluusrm.exe	30
PID 1044 wrote to memory of 916	1044	sqatyavkpcidpvwiialfnbdpawluusrm.exe	30
PID 1044 wrote to memory of 916	1044	sqatyavkpcidpvwiialfnbdpawluusrm.exe	30
PID 916 wrote to memory of 628	916	cmd.exe	32
PID 916 wrote to memory of 628	916	cmd.exe	32
PID 916 wrote to memory of 628	916	cmd.exe	32
PID 916 wrote to memory of 564	916	cmd.exe	33
PID 916 wrote to memory of 564	916	cmd.exe	33
PID 916 wrote to memory of 564	916	cmd.exe	33
PID 564 wrote to memory of 580	564	GoogleDriver.exe	35
PID 564 wrote to memory of 580	564	GoogleDriver.exe	35
PID 564 wrote to memory of 580	564	GoogleDriver.exe	35
PID 580 wrote to memory of 1784	580	cmd.exe	37
PID 580 wrote to memory of 1784	580	cmd.exe	37
PID 580 wrote to memory of 1784	580	cmd.exe	37
PID 1784 wrote to memory of 664	1784	powershell.exe	38
PID 1784 wrote to memory of 664	1784	powershell.exe	38
PID 1784 wrote to memory of 664	1784	powershell.exe	38
PID 1784 wrote to memory of 664	1784	powershell.exe	38
PID 564 wrote to memory of 1636	564	GoogleDriver.exe	39
PID 564 wrote to memory of 1636	564	GoogleDriver.exe	39
PID 564 wrote to memory of 1636	564	GoogleDriver.exe	39
PID 1636 wrote to memory of 1516	1636	cmd.exe	41
PID 1636 wrote to memory of 1516	1636	cmd.exe	41
PID 1636 wrote to memory of 1516	1636	cmd.exe	41
PID 1516 wrote to memory of 1956	1516	powershell.exe	42
PID 1516 wrote to memory of 1956	1516	powershell.exe	42
PID 1516 wrote to memory of 1956	1516	powershell.exe	42
PID 1516 wrote to memory of 1956	1516	powershell.exe	42

C:\Users\Admin\AppData\Local\Temp\sqatyavkpcidpvwiialfnbdpawluusrm.exe
"C:\Users\Admin\AppData\Local\Temp\sqatyavkpcidpvwiialfnbdpawluusrm.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleDriver" /tr '"C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "GoogleDriver" /tr '"C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:1440
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB1E2.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:628
- - C:\Users\Admin\AppData\Roaming\GoogleDriver.exe
    "C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bit.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bit.exe"'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Users\Admin\AppData\Local\Temp\bit.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bit.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:664
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rdln.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rdln.exe"'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
      - C:\Users\Admin\AppData\Local\Temp\rdln.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rdln.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bit.exe

Filesize
1.4MB

MD5
32d4216d4ef2af912921fc2931c0bd88

SHA1
3e79dd260b67ed27134246e9461d8878c7ac73e3

SHA256
d1ecf0f3592c06329182cbcd25fa654bb48c441c0b54bfb5c4b40fbaa517cdbf

SHA512
7a25bcf3954238ab946ce95dc4153518fe67e773845f2bd037eac64c93906223b3ec611a04160cc20f85c4afa0b7124c8eacb43667ecb3fdde2776698f5b2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\bit.exe

Filesize
1.4MB

MD5
32d4216d4ef2af912921fc2931c0bd88

SHA1
3e79dd260b67ed27134246e9461d8878c7ac73e3

SHA256
d1ecf0f3592c06329182cbcd25fa654bb48c441c0b54bfb5c4b40fbaa517cdbf

SHA512
7a25bcf3954238ab946ce95dc4153518fe67e773845f2bd037eac64c93906223b3ec611a04160cc20f85c4afa0b7124c8eacb43667ecb3fdde2776698f5b2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdln.exe

Filesize
95KB

MD5
6aefd743bed0887a18bbbd3b0c533dfb

SHA1
bb8140a7efc7a1dec295fa4894b0efa7203c6b49

SHA256
001170049bf107796ad564d572ef540743e0a66805f61a51a980998f7c09f5d1

SHA512
70cc520173a922443d4ec81f487227a4d6a5e2c3f7d3cee1c0a6ecc94cf8ceee64e53d75e6f6a5f51d0ae050939d78b9cad9d72bf5a3872c72a2ad7a69842929

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdln.exe

Filesize
95KB

MD5
6aefd743bed0887a18bbbd3b0c533dfb

SHA1
bb8140a7efc7a1dec295fa4894b0efa7203c6b49

SHA256
001170049bf107796ad564d572ef540743e0a66805f61a51a980998f7c09f5d1

SHA512
70cc520173a922443d4ec81f487227a4d6a5e2c3f7d3cee1c0a6ecc94cf8ceee64e53d75e6f6a5f51d0ae050939d78b9cad9d72bf5a3872c72a2ad7a69842929

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB1E2.tmp.bat

Filesize
156B

MD5
7c30bd76ff8f80c9f7d39a8031546554

SHA1
00145c79f5c91b100d64315be7956b6930d9131b

SHA256
ea466c3ba65ded64b96265c65c3fbb0d283c123cf546a9d0e830347252fd8929

SHA512
17c9dcf55605415577316b939467b934bb9d2f661ef2dee2a220add73490d5c946d2c4820d2e3c0fabfb417eedf809f43b6375cda7cb42d656db36f3b0fdeec0

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleDriver.exe

Filesize
63KB

MD5
dae21c538a7a4f8294d7e19916be9100

SHA1
cea1c44030c6f45243a9408e59f8e43304402438

SHA256
3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

SHA512
8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleDriver.exe

Filesize
63KB

MD5
dae21c538a7a4f8294d7e19916be9100

SHA1
cea1c44030c6f45243a9408e59f8e43304402438

SHA256
3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

SHA512
8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
167fbf9af32219578d221fa3b80db5c1

SHA1
229b321bb0596d3e17780ab06aaa464afea4ce29

SHA256
1d22b8a7b8212850489b06d5794b69437f180b216c6efb91380a8755479decce

SHA512
6f72240a476f1fd407acc4b8df15aa9267b02a37350a92267b0fd1606f1b1efc494573cc87f7f12e78e6e837735f4fb0658742818859e01bb15828a6850f9a39

Download Submit
memory/564-63-0x0000000001180000-0x0000000001196000-memory.dmp

Filesize
88KB

Download
memory/564-64-0x0000000000450000-0x0000000000470000-memory.dmp

Filesize
128KB

Download
memory/664-78-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/664-98-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/664-97-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/664-95-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/664-94-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/664-93-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/664-79-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1044-54-0x0000000000A80000-0x0000000000A96000-memory.dmp

Filesize
88KB

Download
memory/1516-90-0x0000000002304000-0x0000000002307000-memory.dmp

Filesize
12KB

Download
memory/1516-86-0x0000000002304000-0x0000000002307000-memory.dmp

Filesize
12KB

Download
memory/1516-91-0x000000000230B000-0x000000000232A000-memory.dmp

Filesize
124KB

Download
memory/1516-84-0x000007FEEB9E0000-0x000007FEEC403000-memory.dmp

Filesize
10.1MB

Download
memory/1516-85-0x000007FEEAE80000-0x000007FEEB9DD000-memory.dmp

Filesize
11.4MB

Download
memory/1784-76-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/1784-77-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/1784-70-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/1784-68-0x000007FEEC380000-0x000007FEECDA3000-memory.dmp

Filesize
10.1MB

Download
memory/1784-71-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/1784-69-0x000007FEEB820000-0x000007FEEC37D000-memory.dmp

Filesize
11.4MB

Download
memory/1784-67-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/1784-72-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/1956-92-0x0000000001070000-0x000000000108E000-memory.dmp

Filesize
120KB

Download