asyncrat | 3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f

Analysis

max time kernel
48s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
20-12-2022 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
Size

49.0MB
MD5

29dbcafd5b93edc917ec738221a4d62d
SHA1

5ef0337f89afaa36072a5bd9a670fdf7c9b7535a
SHA256

3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f
SHA512

800c0efd66509a8fa0816c47f061faf6b01a23b673d98495d2a5412d500feda502f9d7fdfb63a8a05948032fed1b9b63744db9cc0db6c78a1aa97840fca0ed76
SSDEEP

1572864:lJFzuWZZPyH0G/bJafhqikT1M2cgY/Dx2F91jn:lPrZZPyH0mQgikT11cgY/DxG7

Score

10^/10

asyncrat coreentity discovery rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

CoreEntity .NET Packer 6 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
\Program Files\Steam++\Steam++.exe	coreentity
\Program Files\Steam++\Steam++.exe	coreentity
\Program Files\Steam++\Steam++.exe	coreentity
\Program Files\Steam++\Steam++.exe	coreentity
C:\Program Files\Steam++\Steam++.exe	coreentity
C:\Program Files\Steam++\Steam++.exe	coreentity

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
\Program Files\Steam++\Steam++.exe	asyncrat
\Program Files\Steam++\Steam++.exe	asyncrat
\Program Files\Steam++\Steam++.exe	asyncrat
\Program Files\Steam++\Steam++.exe	asyncrat
C:\Program Files\Steam++\Steam++.exe	asyncrat
C:\Program Files\Steam++\Steam++.exe	asyncrat

Executes dropped EXE 1 IoCs

Processes:

Steam++.exe

pid process

296 Steam++.exe

pid	process
296	Steam++.exe

Loads dropped DLL 11 IoCs

Processes:

3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe

pid	process
1360	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
1360	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
1360	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
1360	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
1360	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
1360	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
1360	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
1236
1236
1236
1236

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 29 IoCs

Processes:

3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe

description	ioc	process
File created	C:\Program Files\Steam++\uninst.exe	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File created	C:\Program Files\Steam++\Steam++.VisualElementsManifest.xml	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File opened for modification	C:\Program Files\Steam++\aspnetcorev2_inprocess.dll	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File created	C:\Program Files\Steam++\libHarfBuzzSharp.dll	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File created	C:\Program Files\Steam++\libSkiaSharp.dll	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File created	C:\Program Files\Steam++\Steam++.exe	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File created	C:\Program Files\Steam++\WinDivert.dll	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File opened for modification	C:\Program Files\Steam++\7z.dll	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File created	C:\Program Files\Steam++\WinDivert64.sys	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File created	C:\Program Files\Steam++\7z.dll	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File opened for modification	C:\Program Files\Steam++\WinDivert.dll	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File opened for modification	C:\Program Files\Steam++\Assets\SteamPlusPlus.150x150.png	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File opened for modification	C:\Program Files\Steam++\Assets\SteamPlusPlus.70x70.png	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File opened for modification	C:\Program Files\Steam++\libHarfBuzzSharp.dll	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File opened for modification	C:\Program Files\Steam++\WinDivert64.sys	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File opened for modification	C:\Program Files\Steam++\Steam++.VisualElementsManifest.xml	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File created	C:\Program Files\Steam++\aspnetcorev2_inprocess.dll	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File created	C:\Program Files\Steam++\av_libglesv2.dll	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File created	C:\Program Files\Steam++\e_sqlite3.dll	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File opened for modification	C:\Program Files\Steam++\e_sqlite3.dll	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File opened for modification	C:\Program Files\Steam++\WebView2Loader.dll	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File created	C:\Program Files\Steam++\Steam++_win_x64_v2.8.5.7z	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File opened for modification	C:\Program Files\Steam++\Steam++_win_x64_v2.8.5.7z	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File created	C:\Program Files\Steam++\Assets\SteamPlusPlus.70x70.png	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File opened for modification	C:\Program Files\Steam++\av_libglesv2.dll	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File opened for modification	C:\Program Files\Steam++\libSkiaSharp.dll	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File created	C:\Program Files\Steam++\Assets\SteamPlusPlus.150x150.png	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File opened for modification	C:\Program Files\Steam++\Steam++.exe	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
File created	C:\Program Files\Steam++\WebView2Loader.dll	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe

pid	process
1360	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
1360	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Steam++.exe

description pid process

Token: SeDebugPrivilege 296 Steam++.exe

description	pid	process
Token: SeDebugPrivilege	296	Steam++.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe

description	pid	process	target process
PID 1360 wrote to memory of 296	1360	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe	Steam++.exe
PID 1360 wrote to memory of 296	1360	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe	Steam++.exe
PID 1360 wrote to memory of 296	1360	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe	Steam++.exe
PID 1360 wrote to memory of 296	1360	3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe	Steam++.exe

C:\Users\Admin\AppData\Local\Temp\3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe
"C:\Users\Admin\AppData\Local\Temp\3a8c396709d693d9a6056b74722088ceb5881b93765df71f7124b1756bb7e72f.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1360

C:\Program Files\Steam++\Steam++.exe
"C:\Program Files\Steam++\Steam++.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:296

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Steam++\Steam++.exe
Filesize
154.4MB

MD5
2e47e423e8d3566c6984f09cc8aa5868

SHA1
80d40b0cee6fe5210c21e045aea5b6f0b90977cc

SHA256
0c736d6ab33edce6fccba7ebf758c2f4201879aa86102205d62eeb8a7030aa4f

SHA512
5287faa54ce68fc88598b56af5730911bf8a6bcf49b5f419ece6e1c1ea94731b5e69433802d305e1e6297a80d41ef793a96f2506aab2e09d0a8b6758432c21e0

Download Submit
C:\Program Files\Steam++\Steam++.exe
Filesize
154.4MB

MD5
2e47e423e8d3566c6984f09cc8aa5868

SHA1
80d40b0cee6fe5210c21e045aea5b6f0b90977cc

SHA256
0c736d6ab33edce6fccba7ebf758c2f4201879aa86102205d62eeb8a7030aa4f

SHA512
5287faa54ce68fc88598b56af5730911bf8a6bcf49b5f419ece6e1c1ea94731b5e69433802d305e1e6297a80d41ef793a96f2506aab2e09d0a8b6758432c21e0

Download Submit
\Program Files\Steam++\Steam++.exe
Filesize
154.4MB

MD5
2e47e423e8d3566c6984f09cc8aa5868

SHA1
80d40b0cee6fe5210c21e045aea5b6f0b90977cc

SHA256
0c736d6ab33edce6fccba7ebf758c2f4201879aa86102205d62eeb8a7030aa4f

SHA512
5287faa54ce68fc88598b56af5730911bf8a6bcf49b5f419ece6e1c1ea94731b5e69433802d305e1e6297a80d41ef793a96f2506aab2e09d0a8b6758432c21e0

Download Submit
\Program Files\Steam++\Steam++.exe
Filesize
154.4MB

MD5
2e47e423e8d3566c6984f09cc8aa5868

SHA1
80d40b0cee6fe5210c21e045aea5b6f0b90977cc

SHA256
0c736d6ab33edce6fccba7ebf758c2f4201879aa86102205d62eeb8a7030aa4f

SHA512
5287faa54ce68fc88598b56af5730911bf8a6bcf49b5f419ece6e1c1ea94731b5e69433802d305e1e6297a80d41ef793a96f2506aab2e09d0a8b6758432c21e0

Download Submit
\Program Files\Steam++\Steam++.exe
Filesize
154.4MB

MD5
2e47e423e8d3566c6984f09cc8aa5868

SHA1
80d40b0cee6fe5210c21e045aea5b6f0b90977cc

SHA256
0c736d6ab33edce6fccba7ebf758c2f4201879aa86102205d62eeb8a7030aa4f

SHA512
5287faa54ce68fc88598b56af5730911bf8a6bcf49b5f419ece6e1c1ea94731b5e69433802d305e1e6297a80d41ef793a96f2506aab2e09d0a8b6758432c21e0

Download Submit
\Program Files\Steam++\Steam++.exe
Filesize
154.4MB

MD5
2e47e423e8d3566c6984f09cc8aa5868

SHA1
80d40b0cee6fe5210c21e045aea5b6f0b90977cc

SHA256
0c736d6ab33edce6fccba7ebf758c2f4201879aa86102205d62eeb8a7030aa4f

SHA512
5287faa54ce68fc88598b56af5730911bf8a6bcf49b5f419ece6e1c1ea94731b5e69433802d305e1e6297a80d41ef793a96f2506aab2e09d0a8b6758432c21e0

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFEDA.tmp\BgWorker.dll
Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFEDA.tmp\BgWorker.dll
Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFEDA.tmp\System.dll
Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFEDA.tmp\System.dll
Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFEDA.tmp\nsNiuniuSkin.dll
Filesize
982KB

MD5
149cfa10b1d18a65e2d0407d1a5930ea

SHA1
ba678e9857b405c434eacdbf1f322c75bd568db4

SHA256
548b7113ae115d936a790760a46c3a50ddbae6ddaf163e6510007d1c280a5488

SHA512
5b977dfb3ee61b5e65ceaf0f31b871b95129896862b17c9eb9690dd2d560830d2b16cb95ab729cf80a0c069a04052d43a0f9288756caf0958353346c05dc2c6b

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFEDA.tmp\nsProcess.dll
Filesize
4KB

MD5
88d3e48d1c1a051c702d47046ade7b4c

SHA1
8fc805a8b7900b6ba895d1b809a9f3ad4c730d23

SHA256
51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257

SHA512
83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFEDA.tmp\nsis7zU.dll
Filesize
313KB

MD5
06a47571ac922f82c098622b2f5f6f63

SHA1
8a581c33b7f2029c41edaad55d024fc0d2d7c427

SHA256
e4ab3064f2e094910ae80104ef9d371ccb74ebbeeed592582cf099acd83f5fe9

SHA512
04b3d18042f1faa536e1393179f412a5644d2cf691fbc14970f79df5c0594eeedb0826b495807a3243f27aaa0380423c1f975fe857f32e057309bb3f2a529a83

Download Submit
memory/296-81-0x0000000002F50000-0x0000000002F8E000-memory.dmp

Filesize
248KB

Download
memory/296-96-0x00000000032E0000-0x0000000003386000-memory.dmp

Filesize
664KB

Download
memory/296-69-0x0000000180000000-0x0000000180A23000-memory.dmp

Filesize
10.1MB

Download
memory/296-72-0x0000000003030000-0x0000000003105000-memory.dmp

Filesize
852KB

Download
memory/296-75-0x0000000001D60000-0x0000000001D69000-memory.dmp

Filesize
36KB

Download
memory/296-78-0x0000000002F90000-0x0000000002FC4000-memory.dmp

Filesize
208KB

Download
memory/296-105-0x0000000002E00000-0x0000000002E25000-memory.dmp

Filesize
148KB

Download
memory/296-99-0x0000000003630000-0x000000000366C000-memory.dmp

Filesize
240KB

Download
memory/296-66-0x0000000000000000-mapping.dmp

Download
memory/296-93-0x0000000003210000-0x0000000003250000-memory.dmp

Filesize
256KB

Download
memory/296-90-0x0000000002FF0000-0x0000000003003000-memory.dmp

Filesize
76KB

Download
memory/296-87-0x0000000003250000-0x00000000032D3000-memory.dmp

Filesize
524KB

Download
memory/296-84-0x0000000003390000-0x0000000003547000-memory.dmp

Filesize
1.7MB

Download
memory/296-102-0x0000000002DC0000-0x0000000002DCD000-memory.dmp

Filesize
52KB

Download
memory/1360-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads