asyncrat | 1bc7d9dbd8555114b3d8f986db3e1ae440b0b0142d08c9c91330fab940718cc5

General

Target

oDEEOpxV4qBlrgj.exe
Size

621KB
MD5

45f42e17dd7229140a940f3346ddf3a9
SHA1

dbf51050b80bd2932bfed81fc867495bbd856ca6
SHA256

785ebeb84c2bc65d0b0a55691f18631c110531b132f60535b8462684d2492b81
SHA512

3a1c2a3ee5382c61759e1a2664f2871eb49c567de6dec8ad70e797d4698f7950ec78eb567aba3ad286723bae926856509e880777d4165a75cc2463fcb4fbc7ef
SSDEEP

12288:NeHlPTZh6q6/TKPzG7rjkKzG9DP+ogIGdjPETxpj:NeHllY/TKPzG7+B+TIOjPWxF

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

192.3.193.136:2023

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/388-150-0x0000000000400000-0x000000000041E000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

oDEEOpxV4qBlrgj.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	oDEEOpxV4qBlrgj.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

oDEEOpxV4qBlrgj.exe

description pid process target process

PID 4664 set thread context of 388 4664 oDEEOpxV4qBlrgj.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4912 schtasks.exe

description	pid	process	target process
PID 4664 set thread context of 388	4664	oDEEOpxV4qBlrgj.exe	RegSvcs.exe

pid	process
4912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

oDEEOpxV4qBlrgj.exepowershell.exepowershell.exe

pid	process
4664	oDEEOpxV4qBlrgj.exe
4664	oDEEOpxV4qBlrgj.exe
4980	powershell.exe
3360	powershell.exe
4664	oDEEOpxV4qBlrgj.exe
4664	oDEEOpxV4qBlrgj.exe
4664	oDEEOpxV4qBlrgj.exe
4664	oDEEOpxV4qBlrgj.exe
4664	oDEEOpxV4qBlrgj.exe
4664	oDEEOpxV4qBlrgj.exe
4664	oDEEOpxV4qBlrgj.exe
4980	powershell.exe
4664	oDEEOpxV4qBlrgj.exe
3360	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

oDEEOpxV4qBlrgj.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4664	oDEEOpxV4qBlrgj.exe
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	388	RegSvcs.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

oDEEOpxV4qBlrgj.exe

description	pid	process	target process
PID 4664 wrote to memory of 4980	4664	oDEEOpxV4qBlrgj.exe	powershell.exe
PID 4664 wrote to memory of 4980	4664	oDEEOpxV4qBlrgj.exe	powershell.exe
PID 4664 wrote to memory of 4980	4664	oDEEOpxV4qBlrgj.exe	powershell.exe
PID 4664 wrote to memory of 3360	4664	oDEEOpxV4qBlrgj.exe	powershell.exe
PID 4664 wrote to memory of 3360	4664	oDEEOpxV4qBlrgj.exe	powershell.exe
PID 4664 wrote to memory of 3360	4664	oDEEOpxV4qBlrgj.exe	powershell.exe
PID 4664 wrote to memory of 4912	4664	oDEEOpxV4qBlrgj.exe	schtasks.exe
PID 4664 wrote to memory of 4912	4664	oDEEOpxV4qBlrgj.exe	schtasks.exe
PID 4664 wrote to memory of 4912	4664	oDEEOpxV4qBlrgj.exe	schtasks.exe
PID 4664 wrote to memory of 2760	4664	oDEEOpxV4qBlrgj.exe	RegSvcs.exe
PID 4664 wrote to memory of 2760	4664	oDEEOpxV4qBlrgj.exe	RegSvcs.exe
PID 4664 wrote to memory of 2760	4664	oDEEOpxV4qBlrgj.exe	RegSvcs.exe
PID 4664 wrote to memory of 1084	4664	oDEEOpxV4qBlrgj.exe	RegSvcs.exe
PID 4664 wrote to memory of 1084	4664	oDEEOpxV4qBlrgj.exe	RegSvcs.exe
PID 4664 wrote to memory of 1084	4664	oDEEOpxV4qBlrgj.exe	RegSvcs.exe
PID 4664 wrote to memory of 3420	4664	oDEEOpxV4qBlrgj.exe	RegSvcs.exe
PID 4664 wrote to memory of 3420	4664	oDEEOpxV4qBlrgj.exe	RegSvcs.exe
PID 4664 wrote to memory of 3420	4664	oDEEOpxV4qBlrgj.exe	RegSvcs.exe
PID 4664 wrote to memory of 388	4664	oDEEOpxV4qBlrgj.exe	RegSvcs.exe
PID 4664 wrote to memory of 388	4664	oDEEOpxV4qBlrgj.exe	RegSvcs.exe
PID 4664 wrote to memory of 388	4664	oDEEOpxV4qBlrgj.exe	RegSvcs.exe
PID 4664 wrote to memory of 388	4664	oDEEOpxV4qBlrgj.exe	RegSvcs.exe
PID 4664 wrote to memory of 388	4664	oDEEOpxV4qBlrgj.exe	RegSvcs.exe
PID 4664 wrote to memory of 388	4664	oDEEOpxV4qBlrgj.exe	RegSvcs.exe
PID 4664 wrote to memory of 388	4664	oDEEOpxV4qBlrgj.exe	RegSvcs.exe
PID 4664 wrote to memory of 388	4664	oDEEOpxV4qBlrgj.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\oDEEOpxV4qBlrgj.exe
"C:\Users\Admin\AppData\Local\Temp\oDEEOpxV4qBlrgj.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\oDEEOpxV4qBlrgj.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rTYeHpkLYAzXn.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rTYeHpkLYAzXn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3BF0.tmp"
2⤵
- Creates scheduled task(s)
PID:4912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:3420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:1084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
3693397868b86a5c4b2a4ac90d52278a

SHA1
19027f5879c069ea8edfc50ecb4701d7ba90112b

SHA256
d8c3640fea6ef90df67db030e10af0ffcee07312d8f25779c1b47e41feb77e10

SHA512
4e21b989f9427955e6d35cd7ac0a7eeb2e763157fd4f1c1824e2cf50b88f4cb4f466cbb701ba1d374a3de49b0113f9d9b992932bbb191c932262192b7811ef3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3BF0.tmp
Filesize
1KB

MD5
07d755feffe3c6bb4594d57d73e1dac1

SHA1
9fe49ef8be691462c55146cd47d88f39429269fe

SHA256
7a49cab4bace55ba44a7a6ca7a2ae4a6cfe5333a11cb884596c76a4d33fd38a4

SHA512
dbf6fa9959a0ba54cd0d77f60abb9c6358b12ee734bcf3c23af4c454eff27872d79e03bfbb5f01dc629963968934ab7d01afab0d9730c739edf6362db94b2b43

Download Submit
memory/388-150-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/388-149-0x0000000000000000-mapping.dmp

Download
memory/1084-147-0x0000000000000000-mapping.dmp

Download
memory/2760-146-0x0000000000000000-mapping.dmp

Download
memory/3360-161-0x0000000007050000-0x000000000706A000-memory.dmp

Filesize
104KB

Download
memory/3360-138-0x0000000000000000-mapping.dmp

Download
memory/3360-152-0x0000000005F60000-0x0000000005F92000-memory.dmp

Filesize
200KB

Download
memory/3360-154-0x0000000075C40000-0x0000000075C8C000-memory.dmp

Filesize
304KB

Download
memory/3360-157-0x0000000006D10000-0x0000000006D2A000-memory.dmp

Filesize
104KB

Download
memory/3360-158-0x0000000006D80000-0x0000000006D8A000-memory.dmp

Filesize
40KB

Download
memory/3360-144-0x0000000005310000-0x0000000005376000-memory.dmp

Filesize
408KB

Download
memory/3420-148-0x0000000000000000-mapping.dmp

Download
memory/4664-135-0x0000000004C00000-0x0000000004C0A000-memory.dmp

Filesize
40KB

Download
memory/4664-134-0x0000000004A60000-0x0000000004AF2000-memory.dmp

Filesize
584KB

Download
memory/4664-136-0x00000000089F0000-0x0000000008A8C000-memory.dmp

Filesize
624KB

Download
memory/4664-132-0x0000000000010000-0x00000000000B2000-memory.dmp

Filesize
648KB

Download
memory/4664-133-0x0000000005010000-0x00000000055B4000-memory.dmp

Filesize
5.6MB

Download
memory/4912-139-0x0000000000000000-mapping.dmp

Download
memory/4980-140-0x0000000002A50000-0x0000000002A86000-memory.dmp

Filesize
216KB

Download
memory/4980-153-0x0000000075C40000-0x0000000075C8C000-memory.dmp

Filesize
304KB

Download
memory/4980-155-0x00000000068E0000-0x00000000068FE000-memory.dmp

Filesize
120KB

Download
memory/4980-156-0x0000000007C80000-0x00000000082FA000-memory.dmp

Filesize
6.5MB

Download
memory/4980-151-0x0000000006320000-0x000000000633E000-memory.dmp

Filesize
120KB

Download
memory/4980-145-0x0000000005CE0000-0x0000000005D46000-memory.dmp

Filesize
408KB

Download
memory/4980-159-0x00000000078B0000-0x0000000007946000-memory.dmp

Filesize
600KB

Download
memory/4980-160-0x0000000007860000-0x000000000786E000-memory.dmp

Filesize
56KB

Download
memory/4980-143-0x0000000005BA0000-0x0000000005BC2000-memory.dmp

Filesize
136KB

Download
memory/4980-162-0x0000000007950000-0x0000000007958000-memory.dmp

Filesize
32KB

Download
memory/4980-141-0x0000000005540000-0x0000000005B68000-memory.dmp

Filesize
6.2MB

Download
memory/4980-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads