asyncrat | aa199fbb289e048c5abaa334be3eb172175cf53e736d3a15ca32549086c99a8c

General

Target

shadow.exe
Size

45KB
MD5

b0c54754039e4c312c81cc1de388e1e6
SHA1

c00e8d078f1224156e5f34720732891afe72d654
SHA256

aa199fbb289e048c5abaa334be3eb172175cf53e736d3a15ca32549086c99a8c
SHA512

c58117d3f377b6b7c1bba94d56049927a2a0e76e4243fa217ed8af1e80365939a5d3441572dea3c079403c07cad36ffebd35703e69fb258518244f2ca25d8bc8
SSDEEP

768:DuU2VTwkbBHWU7TZcFmo2qjLKjGKG6PIyzjbFgX3i0ZHPcZekvlaBDZDx:DuU2VTwAJM2aKYDy3bCXS0ZC+dDx

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

klept0wiz-33913.portmap.host:33913

Mutex

guaeiofj398ajgka340gka9wk3f09jq3ad

Attributes

delay
3
install
true
install_file
Management.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/2528-133-0x0000000000D60000-0x0000000000D72000-memory.dmp	asyncrat
behavioral2/files/0x000300000001e720-142.dat	asyncrat
behavioral2/files/0x000300000001e720-143.dat	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	shadow.exe

Executes dropped EXE 1 IoCs

pid	Process
4104	Management.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3332	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3576	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe
2528	shadow.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	shadow.exe
Token: SeDebugPrivilege	4104	Management.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 4784	2528	shadow.exe	86
PID 2528 wrote to memory of 4784	2528	shadow.exe	86
PID 2528 wrote to memory of 4784	2528	shadow.exe	86
PID 2528 wrote to memory of 3712	2528	shadow.exe	88
PID 2528 wrote to memory of 3712	2528	shadow.exe	88
PID 2528 wrote to memory of 3712	2528	shadow.exe	88
PID 4784 wrote to memory of 3332	4784	cmd.exe	90
PID 4784 wrote to memory of 3332	4784	cmd.exe	90
PID 4784 wrote to memory of 3332	4784	cmd.exe	90
PID 3712 wrote to memory of 3576	3712	cmd.exe	91
PID 3712 wrote to memory of 3576	3712	cmd.exe	91
PID 3712 wrote to memory of 3576	3712	cmd.exe	91
PID 3712 wrote to memory of 4104	3712	cmd.exe	93
PID 3712 wrote to memory of 4104	3712	cmd.exe	93
PID 3712 wrote to memory of 4104	3712	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\shadow.exe
"C:\Users\Admin\AppData\Local\Temp\shadow.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Management" /tr '"C:\Users\Admin\AppData\Roaming\Management.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Management" /tr '"C:\Users\Admin\AppData\Roaming\Management.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:3332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp79B9.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3576
- - C:\Users\Admin\AppData\Roaming\Management.exe
    "C:\Users\Admin\AppData\Roaming\Management.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp79B9.tmp.bat

Filesize
154B

MD5
23f77b559af0a67fd14dc410ee3f5fff

SHA1
acf79d182bba3fe47c6f23e4047c9ffacbc1e4d9

SHA256
bba4e4e1bee4b198cfd1a2c29114e5f0f92a3e29be18c837d793caf547c7b93c

SHA512
8d10d45fcd82cc73941c39f8b5da709234a0011f6a95ac826c11b68f7be42eb92c65ac57b0368d0bbf8fb50f7914a364b0018566c5cd8aca1210038b77b34b18

Download Submit
C:\Users\Admin\AppData\Roaming\Management.exe

Filesize
45KB

MD5
b0c54754039e4c312c81cc1de388e1e6

SHA1
c00e8d078f1224156e5f34720732891afe72d654

SHA256
aa199fbb289e048c5abaa334be3eb172175cf53e736d3a15ca32549086c99a8c

SHA512
c58117d3f377b6b7c1bba94d56049927a2a0e76e4243fa217ed8af1e80365939a5d3441572dea3c079403c07cad36ffebd35703e69fb258518244f2ca25d8bc8

Download Submit
C:\Users\Admin\AppData\Roaming\Management.exe

Filesize
45KB

MD5
b0c54754039e4c312c81cc1de388e1e6

SHA1
c00e8d078f1224156e5f34720732891afe72d654

SHA256
aa199fbb289e048c5abaa334be3eb172175cf53e736d3a15ca32549086c99a8c

SHA512
c58117d3f377b6b7c1bba94d56049927a2a0e76e4243fa217ed8af1e80365939a5d3441572dea3c079403c07cad36ffebd35703e69fb258518244f2ca25d8bc8

Download Submit
memory/2528-133-0x0000000000D60000-0x0000000000D72000-memory.dmp

Filesize
72KB

Download
memory/2528-134-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download
memory/2528-135-0x0000000005A90000-0x0000000005B2C000-memory.dmp

Filesize
624KB

Download
memory/4104-144-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/4104-145-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads