asyncrat | 8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7

Analysis

max time kernel
300s
max time network
297s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
07/03/2023, 22:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe
Size

47KB
MD5

4df29d7678c4533be7a9ad05e4bf752a
SHA1

c6ee50bf6f5a8525e73b8394e6646de4b56c0deb
SHA256

8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7
SHA512

52861a3bf99ad4be25003952b7802a6f47aea7b335321f2d041426edbfafd84d3f9ef971726214ffd43c737ff7360aa5e1fa595fc3cfbfef1761cb045ac21744
SSDEEP

768:aueq1TFBA3VWU1+fhcvmo2qjwU3dmPIwMbhEe0blghZx6Ue7sbKoRTG72BDZ8x:aueq1TFm92m3dPwM9SblghZ4s6Yd8x

Score

10^/10

asyncrat pi-004-a rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

PI-004-A

172.104.148.228:6606

fusioncore32023.hopto.org:6606

Mutex

fusioncore_was_here

Attributes

delay
3
install
true
install_file
WindowsSettingsHelper.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/3032-120-0x00000000002E0000-0x00000000002F2000-memory.dmp	asyncrat
behavioral2/files/0x000500000001a560-130.dat	asyncrat
behavioral2/files/0x000500000001a560-131.dat	asyncrat
behavioral2/memory/1012-137-0x00000000068A0000-0x00000000068C2000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

pid	Process
1012	WindowsSettingsHelper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4696	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4904	timeout.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe
3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe
3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe
3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe
3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe
3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe
3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe
3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe
3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe
3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe
3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe
3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe
3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe
1012	WindowsSettingsHelper.exe
1012	WindowsSettingsHelper.exe
1012	WindowsSettingsHelper.exe
1012	WindowsSettingsHelper.exe
1012	WindowsSettingsHelper.exe
1012	WindowsSettingsHelper.exe
1012	WindowsSettingsHelper.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe
Token: SeDebugPrivilege	1012	WindowsSettingsHelper.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 4164	3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe	67
PID 3032 wrote to memory of 4164	3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe	67
PID 3032 wrote to memory of 4164	3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe	67
PID 3032 wrote to memory of 4228	3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe	69
PID 3032 wrote to memory of 4228	3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe	69
PID 3032 wrote to memory of 4228	3032	8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe	69
PID 4164 wrote to memory of 4696	4164	cmd.exe	71
PID 4164 wrote to memory of 4696	4164	cmd.exe	71
PID 4164 wrote to memory of 4696	4164	cmd.exe	71
PID 4228 wrote to memory of 4904	4228	cmd.exe	72
PID 4228 wrote to memory of 4904	4228	cmd.exe	72
PID 4228 wrote to memory of 4904	4228	cmd.exe	72
PID 4228 wrote to memory of 1012	4228	cmd.exe	73
PID 4228 wrote to memory of 1012	4228	cmd.exe	73
PID 4228 wrote to memory of 1012	4228	cmd.exe	73
PID 1012 wrote to memory of 4600	1012	WindowsSettingsHelper.exe	74
PID 1012 wrote to memory of 4600	1012	WindowsSettingsHelper.exe	74
PID 1012 wrote to memory of 4600	1012	WindowsSettingsHelper.exe	74
PID 4600 wrote to memory of 1384	4600	cmd.exe	76
PID 4600 wrote to memory of 1384	4600	cmd.exe	76
PID 4600 wrote to memory of 1384	4600	cmd.exe	76
PID 1012 wrote to memory of 1144	1012	WindowsSettingsHelper.exe	77
PID 1012 wrote to memory of 1144	1012	WindowsSettingsHelper.exe	77
PID 1012 wrote to memory of 1144	1012	WindowsSettingsHelper.exe	77
PID 1144 wrote to memory of 4660	1144	cmd.exe	79
PID 1144 wrote to memory of 4660	1144	cmd.exe	79
PID 1144 wrote to memory of 4660	1144	cmd.exe	79
PID 1012 wrote to memory of 3112	1012	WindowsSettingsHelper.exe	80
PID 1012 wrote to memory of 3112	1012	WindowsSettingsHelper.exe	80
PID 1012 wrote to memory of 3112	1012	WindowsSettingsHelper.exe	80
PID 3112 wrote to memory of 4516	3112	cmd.exe	82
PID 3112 wrote to memory of 4516	3112	cmd.exe	82
PID 3112 wrote to memory of 4516	3112	cmd.exe	82
PID 1012 wrote to memory of 4588	1012	WindowsSettingsHelper.exe	83
PID 1012 wrote to memory of 4588	1012	WindowsSettingsHelper.exe	83
PID 1012 wrote to memory of 4588	1012	WindowsSettingsHelper.exe	83
PID 4588 wrote to memory of 4560	4588	cmd.exe	85
PID 4588 wrote to memory of 4560	4588	cmd.exe	85
PID 4588 wrote to memory of 4560	4588	cmd.exe	85
PID 1012 wrote to memory of 4408	1012	WindowsSettingsHelper.exe	86
PID 1012 wrote to memory of 4408	1012	WindowsSettingsHelper.exe	86
PID 1012 wrote to memory of 4408	1012	WindowsSettingsHelper.exe	86
PID 4408 wrote to memory of 4440	4408	cmd.exe	88
PID 4408 wrote to memory of 4440	4408	cmd.exe	88
PID 4408 wrote to memory of 4440	4408	cmd.exe	88
PID 1012 wrote to memory of 3848	1012	WindowsSettingsHelper.exe	89
PID 1012 wrote to memory of 3848	1012	WindowsSettingsHelper.exe	89
PID 1012 wrote to memory of 3848	1012	WindowsSettingsHelper.exe	89
PID 3848 wrote to memory of 5028	3848	cmd.exe	91
PID 3848 wrote to memory of 5028	3848	cmd.exe	91
PID 3848 wrote to memory of 5028	3848	cmd.exe	91
PID 1012 wrote to memory of 4288	1012	WindowsSettingsHelper.exe	92
PID 1012 wrote to memory of 4288	1012	WindowsSettingsHelper.exe	92
PID 1012 wrote to memory of 4288	1012	WindowsSettingsHelper.exe	92
PID 4288 wrote to memory of 4916	4288	cmd.exe	94
PID 4288 wrote to memory of 4916	4288	cmd.exe	94
PID 4288 wrote to memory of 4916	4288	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe
"C:\Users\Admin\AppData\Local\Temp\8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsSettingsHelper" /tr '"C:\Users\Admin\AppData\Roaming\WindowsSettingsHelper.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "WindowsSettingsHelper" /tr '"C:\Users\Admin\AppData\Roaming\WindowsSettingsHelper.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:4696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6EEB.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4904
- - C:\Users\Admin\AppData\Roaming\WindowsSettingsHelper.exe
    "C:\Users\Admin\AppData\Roaming\WindowsSettingsHelper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qhbivr.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4600
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qhbivr.exe"'
        5⤵
        
        PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\cxzbyd.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1144
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\cxzbyd.exe"'
        5⤵
        
        PID:4660
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qikcid.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3112
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qikcid.exe"'
        5⤵
        
        PID:4516
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\xrsgyl.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\xrsgyl.exe"'
        5⤵
        
        PID:4560
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ytjvkl.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4408
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ytjvkl.exe"'
        5⤵
        
        PID:4440
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\piafax.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3848
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\piafax.exe"'
        5⤵
        
        PID:5028
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\iyphsh.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4288
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\iyphsh.exe"'
        5⤵
        
        PID:4916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6EEB.tmp.bat

Filesize
165B

MD5
790b330d5accb71333348e7b3299c67a

SHA1
043b4724e5e19d1fa83d57b542d98fcb40a62898

SHA256
1593bce084a63c4d164d036f3b5f3699ba7073cc3d3c94c11b848390d80a151f

SHA512
9d4d2dcf7228c070bb2da173572f100f6d4577b5bf7e8af014335bc45d7f678b7b98dda94244b4b37873bfa16b2a1e4df252d1e10894ee8340a883e5b36b5c95

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsSettingsHelper.exe

Filesize
47KB

MD5
4df29d7678c4533be7a9ad05e4bf752a

SHA1
c6ee50bf6f5a8525e73b8394e6646de4b56c0deb

SHA256
8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7

SHA512
52861a3bf99ad4be25003952b7802a6f47aea7b335321f2d041426edbfafd84d3f9ef971726214ffd43c737ff7360aa5e1fa595fc3cfbfef1761cb045ac21744

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsSettingsHelper.exe

Filesize
47KB

MD5
4df29d7678c4533be7a9ad05e4bf752a

SHA1
c6ee50bf6f5a8525e73b8394e6646de4b56c0deb

SHA256
8dd5914e40b211d4ce4ec927bac083975e4e1910498bcbf45f1233a755c2f3a7

SHA512
52861a3bf99ad4be25003952b7802a6f47aea7b335321f2d041426edbfafd84d3f9ef971726214ffd43c737ff7360aa5e1fa595fc3cfbfef1761cb045ac21744

Download Submit
memory/1012-135-0x0000000006120000-0x000000000661E000-memory.dmp

Filesize
5.0MB

Download
memory/1012-137-0x00000000068A0000-0x00000000068C2000-memory.dmp

Filesize
136KB

Download
memory/1012-151-0x0000000006F40000-0x0000000006F8B000-memory.dmp

Filesize
300KB

Download
memory/1012-150-0x0000000006EE0000-0x0000000006F40000-memory.dmp

Filesize
384KB

Download
memory/1012-132-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/1012-149-0x0000000006E50000-0x0000000006EE0000-memory.dmp

Filesize
576KB

Download
memory/1012-136-0x0000000006920000-0x0000000006996000-memory.dmp

Filesize
472KB

Download
memory/1012-148-0x0000000006720000-0x000000000672A000-memory.dmp

Filesize
40KB

Download
memory/1012-138-0x00000000069A0000-0x00000000069BE000-memory.dmp

Filesize
120KB

Download
memory/1012-140-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/1012-146-0x0000000006CA0000-0x0000000006D1E000-memory.dmp

Filesize
504KB

Download
memory/1012-147-0x00000000072B0000-0x0000000007600000-memory.dmp

Filesize
3.3MB

Download
memory/3032-123-0x0000000005260000-0x00000000052FC000-memory.dmp

Filesize
624KB

Download
memory/3032-120-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/3032-121-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3032-122-0x0000000004DD0000-0x0000000004E36000-memory.dmp

Filesize
408KB

Download