asyncrat | bb7e1270658ab3596ebf0a1a9131b6cee5e6eba57a4b7ed112a7a2993339c3ea

General

Target

SpyMax-4.0 Cracked+Activated_install.exe
Size

104.1MB
MD5

a7e39331cdf403335cf432aa36e3d3fc
SHA1

60d5af5f01457932b061ac6fff52bd9bcfc18634
SHA256

bb7e1270658ab3596ebf0a1a9131b6cee5e6eba57a4b7ed112a7a2993339c3ea
SHA512

7b4d127ee8294ab722aa4604690bd74715069d2557fc7c70740b1d26bd32a593ef8bf5dbcaee7cd5f182e2ba1577c808615b377db98b2c83d706c04df1514ea1
SSDEEP

1572864:pUKdbtOBERw2YgkKrqSdNHpzeW4MDL908tVzYJajtOBERw6TTLjU2j+GJWvR/uTo:rd15kk4NQ908t24JvUwIo8Skd

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

verynice.ddns.net:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
true
install_file
WindowsDefender.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\New folder\Stub.exe	asyncrat
C:\Users\Admin\New folder\Stub.exe	asyncrat
behavioral1/memory/3608-138-0x0000000000720000-0x0000000000736000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe	asyncrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SpyMax-4.0 Cracked+Activated_install.exeExtraStub.exeStub.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	SpyMax-4.0 Cracked+Activated_install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	ExtraStub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Stub.exe

Executes dropped EXE 3 IoCs

Processes:

ExtraStub.exeStub.exeWindowsDefender.exe

pid process

4268 ExtraStub.exe
3608 Stub.exe
2148 WindowsDefender.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2980 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3172 timeout.exe

pid	process
4268	ExtraStub.exe
3608	Stub.exe
2148	WindowsDefender.exe

pid	process
2980	schtasks.exe

pid	process
3172	timeout.exe

Modifies registry class 2 IoCs

Processes:

SpyMax-4.0 Cracked+Activated_install.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	SpyMax-4.0 Cracked+Activated_install.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	SpyMax-4.0 Cracked+Activated_install.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

Stub.exe

pid	process
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe
3608	Stub.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SpyMax-4.0 Cracked+Activated_install.exe

pid process

8 SpyMax-4.0 Cracked+Activated_install.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Stub.exe

description pid process

Token: SeDebugPrivilege 3608 Stub.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

SpyMax-4.0 Cracked+Activated_install.exeExtraStub.exe

pid process

8 SpyMax-4.0 Cracked+Activated_install.exe
8 SpyMax-4.0 Cracked+Activated_install.exe
4268 ExtraStub.exe

pid	process
8	SpyMax-4.0 Cracked+Activated_install.exe

description	pid	process
Token: SeDebugPrivilege	3608	Stub.exe

pid	process
8	SpyMax-4.0 Cracked+Activated_install.exe
8	SpyMax-4.0 Cracked+Activated_install.exe
4268	ExtraStub.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

SpyMax-4.0 Cracked+Activated_install.exeExtraStub.exeStub.execmd.execmd.exe

description	pid	process	target process
PID 8 wrote to memory of 4268	8	SpyMax-4.0 Cracked+Activated_install.exe	ExtraStub.exe
PID 8 wrote to memory of 4268	8	SpyMax-4.0 Cracked+Activated_install.exe	ExtraStub.exe
PID 8 wrote to memory of 4268	8	SpyMax-4.0 Cracked+Activated_install.exe	ExtraStub.exe
PID 8 wrote to memory of 3608	8	SpyMax-4.0 Cracked+Activated_install.exe	Stub.exe
PID 8 wrote to memory of 3608	8	SpyMax-4.0 Cracked+Activated_install.exe	Stub.exe
PID 4268 wrote to memory of 4424	4268	ExtraStub.exe	cmd.exe
PID 4268 wrote to memory of 4424	4268	ExtraStub.exe	cmd.exe
PID 4268 wrote to memory of 4424	4268	ExtraStub.exe	cmd.exe
PID 3608 wrote to memory of 2612	3608	Stub.exe	cmd.exe
PID 3608 wrote to memory of 2612	3608	Stub.exe	cmd.exe
PID 3608 wrote to memory of 4112	3608	Stub.exe	cmd.exe
PID 3608 wrote to memory of 4112	3608	Stub.exe	cmd.exe
PID 2612 wrote to memory of 2980	2612	cmd.exe	schtasks.exe
PID 2612 wrote to memory of 2980	2612	cmd.exe	schtasks.exe
PID 4112 wrote to memory of 3172	4112	cmd.exe	timeout.exe
PID 4112 wrote to memory of 3172	4112	cmd.exe	timeout.exe
PID 4112 wrote to memory of 2148	4112	cmd.exe	WindowsDefender.exe
PID 4112 wrote to memory of 2148	4112	cmd.exe	WindowsDefender.exe

C:\Users\Admin\AppData\Local\Temp\SpyMax-4.0 Cracked+Activated_install.exe
"C:\Users\Admin\AppData\Local\Temp\SpyMax-4.0 Cracked+Activated_install.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:8

C:\Users\Admin\New folder\ExtraStub.exe
"C:\Users\Admin\New folder\ExtraStub.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
3⤵
PID:4424

C:\Users\Admin\New folder\Stub.exe
"C:\Users\Admin\New folder\Stub.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"'
4⤵
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7EA6.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:3172

C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
4⤵
- Executes dropped EXE
PID:2148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
Filesize
63KB

MD5
1a76515d1722564375589437a45eba34

SHA1
6046e4ecda7cbf012205878fa0ca39902e17cd52

SHA256
e0556c4f5cd6277ea078e58833224683b08242f0fda81cff8055ac45e8517c8f

SHA512
c34c4e7d9b73ed3a25606f454d8f327f53ba2fff4ddc3e26208d8072b16a6d46deaef99a3f511ea68d09a197b57e2166122421e1ea4f412d49d6fd03e2277081

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.bat
Filesize
181B

MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7EA6.tmp.bat
Filesize
162B

MD5
f1a800c0eb511c23a6f9f99b016f153c

SHA1
93bb7882ffc29b039581b897a590100423c1d5ea

SHA256
ff3135b658a44ae112d26afeb27be6229a0079f43b1ab83c752ec31152b96a7e

SHA512
ac9e4c6756be77ab5006eb1d3992d8e5587310765a22c644581c9965cbc320892700b56aaf4fce4d0dc317e82c68857db4179bc29b944064673121a95bd3eb55

Download Submit
C:\Users\Admin\New folder\ExtraStub.exe
Filesize
72KB

MD5
4e8656ace67c352adcc43d4236dfc890

SHA1
f6a905a6a36663441cc825009e468db49df47209

SHA256
926f8b84335a7642f566d2f716b3a7494416a34da4b5f408849a0a26bc344290

SHA512
f9aa75a41736888f635f0ca06b79e6a0c7b85923dc89322d59aaea3fd89d356d9caacb42b2421f85a68733d0b00fe0ebc21530017d3bc6674cddae850cc8e82c

Download Submit
C:\Users\Admin\New folder\ExtraStub.exe
Filesize
72KB

MD5
4e8656ace67c352adcc43d4236dfc890

SHA1
f6a905a6a36663441cc825009e468db49df47209

SHA256
926f8b84335a7642f566d2f716b3a7494416a34da4b5f408849a0a26bc344290

SHA512
f9aa75a41736888f635f0ca06b79e6a0c7b85923dc89322d59aaea3fd89d356d9caacb42b2421f85a68733d0b00fe0ebc21530017d3bc6674cddae850cc8e82c

Download Submit
C:\Users\Admin\New folder\Stub.exe
Filesize
63KB

MD5
1a76515d1722564375589437a45eba34

SHA1
6046e4ecda7cbf012205878fa0ca39902e17cd52

SHA256
e0556c4f5cd6277ea078e58833224683b08242f0fda81cff8055ac45e8517c8f

SHA512
c34c4e7d9b73ed3a25606f454d8f327f53ba2fff4ddc3e26208d8072b16a6d46deaef99a3f511ea68d09a197b57e2166122421e1ea4f412d49d6fd03e2277081

Download Submit
C:\Users\Admin\New folder\Stub.exe
Filesize
63KB

MD5
1a76515d1722564375589437a45eba34

SHA1
6046e4ecda7cbf012205878fa0ca39902e17cd52

SHA256
e0556c4f5cd6277ea078e58833224683b08242f0fda81cff8055ac45e8517c8f

SHA512
c34c4e7d9b73ed3a25606f454d8f327f53ba2fff4ddc3e26208d8072b16a6d46deaef99a3f511ea68d09a197b57e2166122421e1ea4f412d49d6fd03e2277081

Download Submit
memory/2148-149-0x0000000000000000-mapping.dmp

Download
memory/2612-143-0x0000000000000000-mapping.dmp

Download
memory/2980-147-0x0000000000000000-mapping.dmp

Download
memory/3172-148-0x0000000000000000-mapping.dmp

Download
memory/3608-138-0x0000000000720000-0x0000000000736000-memory.dmp

Filesize
88KB

Download
memory/3608-142-0x00007FF82DF70000-0x00007FF82EA31000-memory.dmp

Filesize
10.8MB

Download
memory/3608-145-0x00007FF82DF70000-0x00007FF82EA31000-memory.dmp

Filesize
10.8MB

Download
memory/3608-135-0x0000000000000000-mapping.dmp

Download
memory/4112-144-0x0000000000000000-mapping.dmp

Download
memory/4268-132-0x0000000000000000-mapping.dmp

Download
memory/4424-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads