asyncrat | 044cacd5ac37289f51cb2560deec5d5eb2a299f37cc7632673fefc70196e5452

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2023, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Odeme.exe
Size

637KB
MD5

0747b82b235f4d06fc693569fac9ffbd
SHA1

d639f2c7345800ae12b6dea8655cdab16df64daf
SHA256

044cacd5ac37289f51cb2560deec5d5eb2a299f37cc7632673fefc70196e5452
SHA512

08a9ee3dbd779b8b4c689ddf54f9d57bfa68f61b18e80c8a2240a3feae5e0bf98603e68ecc55aee0d9da7efe909d09a306f5f69feb4e49668520eef7ecfab552
SSDEEP

12288:NcrNS33L10QdrXjcDn6gl1f6NWU6TvfXCT8NqRu0VWYQw6zx6TaFOo:wNA3R5drXoD60ZMNg3TuWYJ2x6/o

Score

10^/10

asyncrat mnock rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Mnock

mooroopecamroy.sytes.net:1452

mooroopecamroy.sytes.net:1432

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
crssi.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1816-162-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	fxgdxfg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Odeme.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	fxgdxfg.sfx.exe

Executes dropped EXE 5 IoCs

pid	Process
3732	fxgdxfg.sfx.exe
3692	fxgdxfg.exe
1816	fxgdxfg.exe
4564	crssi.exe
1508	crssi.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3692 set thread context of 1816	3692	fxgdxfg.exe	95
PID 4564 set thread context of 1508	4564	crssi.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1976	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1016	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe
1816	fxgdxfg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3692	fxgdxfg.exe
Token: SeDebugPrivilege	1816	fxgdxfg.exe
Token: SeDebugPrivilege	4564	crssi.exe
Token: SeDebugPrivilege	1508	crssi.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 4380	4676	Odeme.exe	89
PID 4676 wrote to memory of 4380	4676	Odeme.exe	89
PID 4676 wrote to memory of 4380	4676	Odeme.exe	89
PID 4380 wrote to memory of 3732	4380	cmd.exe	92
PID 4380 wrote to memory of 3732	4380	cmd.exe	92
PID 4380 wrote to memory of 3732	4380	cmd.exe	92
PID 3732 wrote to memory of 3692	3732	fxgdxfg.sfx.exe	94
PID 3732 wrote to memory of 3692	3732	fxgdxfg.sfx.exe	94
PID 3732 wrote to memory of 3692	3732	fxgdxfg.sfx.exe	94
PID 3692 wrote to memory of 1816	3692	fxgdxfg.exe	95
PID 3692 wrote to memory of 1816	3692	fxgdxfg.exe	95
PID 3692 wrote to memory of 1816	3692	fxgdxfg.exe	95
PID 3692 wrote to memory of 1816	3692	fxgdxfg.exe	95
PID 3692 wrote to memory of 1816	3692	fxgdxfg.exe	95
PID 3692 wrote to memory of 1816	3692	fxgdxfg.exe	95
PID 3692 wrote to memory of 1816	3692	fxgdxfg.exe	95
PID 3692 wrote to memory of 1816	3692	fxgdxfg.exe	95
PID 1816 wrote to memory of 3524	1816	fxgdxfg.exe	98
PID 1816 wrote to memory of 3524	1816	fxgdxfg.exe	98
PID 1816 wrote to memory of 3524	1816	fxgdxfg.exe	98
PID 1816 wrote to memory of 5036	1816	fxgdxfg.exe	100
PID 1816 wrote to memory of 5036	1816	fxgdxfg.exe	100
PID 1816 wrote to memory of 5036	1816	fxgdxfg.exe	100
PID 3524 wrote to memory of 1976	3524	cmd.exe	102
PID 3524 wrote to memory of 1976	3524	cmd.exe	102
PID 3524 wrote to memory of 1976	3524	cmd.exe	102
PID 5036 wrote to memory of 1016	5036	cmd.exe	103
PID 5036 wrote to memory of 1016	5036	cmd.exe	103
PID 5036 wrote to memory of 1016	5036	cmd.exe	103
PID 5036 wrote to memory of 4564	5036	cmd.exe	104
PID 5036 wrote to memory of 4564	5036	cmd.exe	104
PID 5036 wrote to memory of 4564	5036	cmd.exe	104
PID 4564 wrote to memory of 1508	4564	crssi.exe	105
PID 4564 wrote to memory of 1508	4564	crssi.exe	105
PID 4564 wrote to memory of 1508	4564	crssi.exe	105
PID 4564 wrote to memory of 1508	4564	crssi.exe	105
PID 4564 wrote to memory of 1508	4564	crssi.exe	105
PID 4564 wrote to memory of 1508	4564	crssi.exe	105
PID 4564 wrote to memory of 1508	4564	crssi.exe	105
PID 4564 wrote to memory of 1508	4564	crssi.exe	105

C:\Users\Admin\AppData\Local\Temp\Odeme.exe
"C:\Users\Admin\AppData\Local\Temp\Odeme.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niychjo.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\fxgdxfg.sfx.exe
    fxgdxfg.sfx.exe -dC:\Users\Admin\AppData\Local\Temp -pkqcaszjnhdeekeafugBtrfapofdgatdbjfthfegdyddfbshhheuyhdqboofhhddghdgvxcVohobthtigdge
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe
      "C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe
        
        C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "crssi" /tr '"C:\Users\Admin\AppData\Roaming\crssi.exe"' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "crssi" /tr '"C:\Users\Admin\AppData\Roaming\crssi.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:1976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB858.tmp.bat""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:1016
        
        C:\Users\Admin\AppData\Roaming\crssi.exe
        
        "C:\Users\Admin\AppData\Roaming\crssi.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Users\Admin\AppData\Roaming\crssi.exe
        
        C:\Users\Admin\AppData\Roaming\crssi.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crssi.exe.log

Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fxgdxfg.exe.log

Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxgdxfg.sfx.exe

Filesize
446KB

MD5
bba0c2f36a07c47043cdf79438caa5c6

SHA1
756ea32a4fd067ec1e89348931250d518dbffaa8

SHA256
91b53575361b2edfb410d537d8f9656cf6c897cf499c5e69c1a87070b041805a

SHA512
1e278dbe58ef39127f52c2dbf1df28957c8c15be79bc8bd877141a7c85aa49863655b9903ab8b6ae5d845bc8c5a6b90c4192b3240d72f082cff0eb95faab54bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxgdxfg.sfx.exe

Filesize
446KB

MD5
bba0c2f36a07c47043cdf79438caa5c6

SHA1
756ea32a4fd067ec1e89348931250d518dbffaa8

SHA256
91b53575361b2edfb410d537d8f9656cf6c897cf499c5e69c1a87070b041805a

SHA512
1e278dbe58ef39127f52c2dbf1df28957c8c15be79bc8bd877141a7c85aa49863655b9903ab8b6ae5d845bc8c5a6b90c4192b3240d72f082cff0eb95faab54bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\niychjo.cmd

Filesize
10KB

MD5
e5e149b889c00e5bb7ccb24f657de3b6

SHA1
27c48613662cf340487399277c7da01a3459bbd7

SHA256
918b067d618b93734f5fd18a2304d58fa3de64c40e57f8c61aa20721ad859b4a

SHA512
806ef27e28e05bb61a54b06c5dd47885e30aba9d9a28657120c0c24d27899486835604c0ccb5d53ea069986f00a5d4bc2e695db6fd1e3fa16e067e1e7a550b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB858.tmp.bat

Filesize
149B

MD5
c150153870ce816238eebd8cde849a54

SHA1
e1c412c56912da026beb3675200e3788eb21cad4

SHA256
81c155c9158c4fe99fae17d5d5645fba8915b98018ccdf86951f320e0e0581ae

SHA512
55c5a5d40a24d08985253945c0574f7acd017592023425f1b4e2f4ecf99d617c036081961e394563626c4b7fe8aef2ccada0684052efa0f997a7b9c70834c114

Download Submit
C:\Users\Admin\AppData\Roaming\crssi.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
C:\Users\Admin\AppData\Roaming\crssi.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
C:\Users\Admin\AppData\Roaming\crssi.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
memory/1508-180-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/1508-181-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/1816-162-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1816-166-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/1816-167-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/3692-161-0x000000000D8F0000-0x000000000D982000-memory.dmp

Filesize
584KB

Download
memory/3692-160-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/3692-159-0x000000000DE00000-0x000000000E3A4000-memory.dmp

Filesize
5.6MB

Download
memory/3692-158-0x000000000D7B0000-0x000000000D84C000-memory.dmp

Filesize
624KB

Download
memory/3692-157-0x00000000001A0000-0x00000000001DE000-memory.dmp

Filesize
248KB

Download
memory/4564-175-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download