asyncrat | 23d93c68272aeb310cf1e718267062fb16a7dadbfd5d2434b118e9b8c5312297

General

Target

23D93C68272AEB310CF1E718267062FB16A7DADBFD5D2.exe
Size

45KB
MD5

00cb1026ca0e5f814a7ca37df134f81b
SHA1

4a6c819149fa1b431b09140570a686e6c8b9ab04
SHA256

23d93c68272aeb310cf1e718267062fb16a7dadbfd5d2434b118e9b8c5312297
SHA512

8e650b824d1eb89716291d39f0e934adbeed2a194bc2e3df1e663188974b7ce89a8384fac44f6141e504f6f2561693e1ce6e9c64916330a9f4deeb5bf3db1213
SSDEEP

768:xuiGNTdFHLBWUZiGrmo2qrjO5QyJ4PiNjPISzjbwgX3iADaw6nvwe7iT+BDZ6u:xuiGNTdBR2IO52iKS3b3XSA8Ld6u

Score

10^/10

asyncrat grizzly <3 rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Grizzly <3

Mutex

AsyncMutex_6SI4OuKn4

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/wQ58VtE3

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/1108-54-0x0000000000F30000-0x0000000000F42000-memory.dmp	asyncrat
behavioral1/files/0x000a0000000122fb-61.dat	asyncrat
behavioral1/files/0x000a0000000122fb-62.dat	asyncrat
behavioral1/files/0x000a0000000122fb-64.dat	asyncrat
behavioral1/memory/776-65-0x0000000000850000-0x0000000000862000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

pid	Process
776	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1012	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
636	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1336	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1108	23D93C68272AEB310CF1E718267062FB16A7DADBFD5D2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1108	23D93C68272AEB310CF1E718267062FB16A7DADBFD5D2.exe
Token: SeDebugPrivilege	776	svchost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 2016	1108	23D93C68272AEB310CF1E718267062FB16A7DADBFD5D2.exe	28
PID 1108 wrote to memory of 2016	1108	23D93C68272AEB310CF1E718267062FB16A7DADBFD5D2.exe	28
PID 1108 wrote to memory of 2016	1108	23D93C68272AEB310CF1E718267062FB16A7DADBFD5D2.exe	28
PID 1108 wrote to memory of 2016	1108	23D93C68272AEB310CF1E718267062FB16A7DADBFD5D2.exe	28
PID 1108 wrote to memory of 1012	1108	23D93C68272AEB310CF1E718267062FB16A7DADBFD5D2.exe	30
PID 1108 wrote to memory of 1012	1108	23D93C68272AEB310CF1E718267062FB16A7DADBFD5D2.exe	30
PID 1108 wrote to memory of 1012	1108	23D93C68272AEB310CF1E718267062FB16A7DADBFD5D2.exe	30
PID 1108 wrote to memory of 1012	1108	23D93C68272AEB310CF1E718267062FB16A7DADBFD5D2.exe	30
PID 2016 wrote to memory of 636	2016	cmd.exe	32
PID 2016 wrote to memory of 636	2016	cmd.exe	32
PID 2016 wrote to memory of 636	2016	cmd.exe	32
PID 2016 wrote to memory of 636	2016	cmd.exe	32
PID 1012 wrote to memory of 1336	1012	cmd.exe	33
PID 1012 wrote to memory of 1336	1012	cmd.exe	33
PID 1012 wrote to memory of 1336	1012	cmd.exe	33
PID 1012 wrote to memory of 1336	1012	cmd.exe	33
PID 1012 wrote to memory of 776	1012	cmd.exe	34
PID 1012 wrote to memory of 776	1012	cmd.exe	34
PID 1012 wrote to memory of 776	1012	cmd.exe	34
PID 1012 wrote to memory of 776	1012	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\23D93C68272AEB310CF1E718267062FB16A7DADBFD5D2.exe
"C:\Users\Admin\AppData\Local\Temp\23D93C68272AEB310CF1E718267062FB16A7DADBFD5D2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3525.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1336
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3525.tmp.bat

Filesize
151B

MD5
5ded3f57b5b2b1d34c13949d0ba4f487

SHA1
8e765344c976caacd277d8d45528e5b3307271a4

SHA256
016cfb2da364df3090a08d84b7f0ed14e75b341ec058766583af8e0d56337bcd

SHA512
2b160c71ef9f94f6082745da25fa31a80210ccf4f0835381e86cd285fdbaad543ce158905313a0bf86bb5fe3789e1ead95ca029542963e413e11f6c5d8d9f285

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
45KB

MD5
00cb1026ca0e5f814a7ca37df134f81b

SHA1
4a6c819149fa1b431b09140570a686e6c8b9ab04

SHA256
23d93c68272aeb310cf1e718267062fb16a7dadbfd5d2434b118e9b8c5312297

SHA512
8e650b824d1eb89716291d39f0e934adbeed2a194bc2e3df1e663188974b7ce89a8384fac44f6141e504f6f2561693e1ce6e9c64916330a9f4deeb5bf3db1213

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
45KB

MD5
00cb1026ca0e5f814a7ca37df134f81b

SHA1
4a6c819149fa1b431b09140570a686e6c8b9ab04

SHA256
23d93c68272aeb310cf1e718267062fb16a7dadbfd5d2434b118e9b8c5312297

SHA512
8e650b824d1eb89716291d39f0e934adbeed2a194bc2e3df1e663188974b7ce89a8384fac44f6141e504f6f2561693e1ce6e9c64916330a9f4deeb5bf3db1213

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
45KB

MD5
00cb1026ca0e5f814a7ca37df134f81b

SHA1
4a6c819149fa1b431b09140570a686e6c8b9ab04

SHA256
23d93c68272aeb310cf1e718267062fb16a7dadbfd5d2434b118e9b8c5312297

SHA512
8e650b824d1eb89716291d39f0e934adbeed2a194bc2e3df1e663188974b7ce89a8384fac44f6141e504f6f2561693e1ce6e9c64916330a9f4deeb5bf3db1213

Download Submit
memory/776-65-0x0000000000850000-0x0000000000862000-memory.dmp

Filesize
72KB

Download
memory/776-67-0x0000000005430000-0x00000000054AE000-memory.dmp

Filesize
504KB

Download
memory/776-68-0x0000000004C20000-0x0000000004C2A000-memory.dmp

Filesize
40KB

Download
memory/776-69-0x0000000006340000-0x00000000063D0000-memory.dmp

Filesize
576KB

Download
memory/776-70-0x0000000006280000-0x00000000062E0000-memory.dmp

Filesize
384KB

Download
memory/1108-54-0x0000000000F30000-0x0000000000F42000-memory.dmp

Filesize
72KB

Download
memory/1108-55-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads