asyncrat | 7b9a9b11fc9794d4e31d647a3cab02fecdb048e81bc13d37d1c3533b8e96a8d3

General

Target

a92bef216bec5b6fcc6a958305f81391.exe
Size

127KB
MD5

a92bef216bec5b6fcc6a958305f81391
SHA1

196de00aba5b37c7d7d5b7da6b6eb302257a81a9
SHA256

7b9a9b11fc9794d4e31d647a3cab02fecdb048e81bc13d37d1c3533b8e96a8d3
SHA512

1ddd77de29270944f9c25769b1dd0d655abea9ea7619af560a9160ef6648a09c559348236c65919a3ec63ab5a1b97e51a20fd2fe05a716ca52de2cd510e9f3a6
SSDEEP

3072:lh0ZVtDuop7hxJB0S4rObd4r9MrUEkmnnnnnZ/iUvVfG:lh0HtDTpkrObaBM7nnnnngAO

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Mutex

AsyncMutex_7SI8OkPnk

Attributes

delay
3
install
true
install_file
ContainerRuntime.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/YgX9vKea

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2116-136-0x0000000000100000-0x0000000000126000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe	asyncrat
C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a92bef216bec5b6fcc6a958305f81391.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	a92bef216bec5b6fcc6a958305f81391.exe

Executes dropped EXE 1 IoCs

Processes:

ContainerRuntime.exe

pid process

1628 ContainerRuntime.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

440 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4020 timeout.exe

pid	process
1628	ContainerRuntime.exe

pid	process
440	schtasks.exe

pid	process
4020	timeout.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

a92bef216bec5b6fcc6a958305f81391.exeContainerRuntime.exe

pid	process
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
2116	a92bef216bec5b6fcc6a958305f81391.exe
1628	ContainerRuntime.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a92bef216bec5b6fcc6a958305f81391.exeContainerRuntime.exe

description pid process

Token: SeDebugPrivilege 2116 a92bef216bec5b6fcc6a958305f81391.exe
Token: SeDebugPrivilege 1628 ContainerRuntime.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ContainerRuntime.exe

pid process

1628 ContainerRuntime.exe

description	pid	process
Token: SeDebugPrivilege	2116	a92bef216bec5b6fcc6a958305f81391.exe
Token: SeDebugPrivilege	1628	ContainerRuntime.exe

pid	process
1628	ContainerRuntime.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a92bef216bec5b6fcc6a958305f81391.execmd.execmd.exe

description	pid	process	target process
PID 2116 wrote to memory of 1968	2116	a92bef216bec5b6fcc6a958305f81391.exe	cmd.exe
PID 2116 wrote to memory of 1968	2116	a92bef216bec5b6fcc6a958305f81391.exe	cmd.exe
PID 2116 wrote to memory of 1968	2116	a92bef216bec5b6fcc6a958305f81391.exe	cmd.exe
PID 2116 wrote to memory of 3876	2116	a92bef216bec5b6fcc6a958305f81391.exe	cmd.exe
PID 2116 wrote to memory of 3876	2116	a92bef216bec5b6fcc6a958305f81391.exe	cmd.exe
PID 2116 wrote to memory of 3876	2116	a92bef216bec5b6fcc6a958305f81391.exe	cmd.exe
PID 3876 wrote to memory of 4020	3876	cmd.exe	timeout.exe
PID 3876 wrote to memory of 4020	3876	cmd.exe	timeout.exe
PID 3876 wrote to memory of 4020	3876	cmd.exe	timeout.exe
PID 1968 wrote to memory of 440	1968	cmd.exe	schtasks.exe
PID 1968 wrote to memory of 440	1968	cmd.exe	schtasks.exe
PID 1968 wrote to memory of 440	1968	cmd.exe	schtasks.exe
PID 3876 wrote to memory of 1628	3876	cmd.exe	ContainerRuntime.exe
PID 3876 wrote to memory of 1628	3876	cmd.exe	ContainerRuntime.exe
PID 3876 wrote to memory of 1628	3876	cmd.exe	ContainerRuntime.exe

C:\Users\Admin\AppData\Local\Temp\a92bef216bec5b6fcc6a958305f81391.exe
"C:\Users\Admin\AppData\Local\Temp\a92bef216bec5b6fcc6a958305f81391.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'
3⤵
- Creates scheduled task(s)
PID:440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBAE8.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4020

C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe
"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBAE8.tmp.bat
Filesize
160B

MD5
d8de1b42c17463f5bff0c08aeaf50c9e

SHA1
7c16b440ba7cbef2a537e836e8c6c7f01b56dda6

SHA256
65b0e31b165c31b0ff7c4bdcb4455c6c321b20e0bdc6fcdcda4666efd2381c2f

SHA512
318778131f7735223a32be54354bb3ab3d8892843468b348a305e4124bfe426e90e5c2a8c02be3ba69cee29c35566af5baba858e6edb3a75a305664cea9ff6c5

Download Submit
C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe
Filesize
127KB

MD5
a92bef216bec5b6fcc6a958305f81391

SHA1
196de00aba5b37c7d7d5b7da6b6eb302257a81a9

SHA256
7b9a9b11fc9794d4e31d647a3cab02fecdb048e81bc13d37d1c3533b8e96a8d3

SHA512
1ddd77de29270944f9c25769b1dd0d655abea9ea7619af560a9160ef6648a09c559348236c65919a3ec63ab5a1b97e51a20fd2fe05a716ca52de2cd510e9f3a6

Download Submit
C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe
Filesize
127KB

MD5
a92bef216bec5b6fcc6a958305f81391

SHA1
196de00aba5b37c7d7d5b7da6b6eb302257a81a9

SHA256
7b9a9b11fc9794d4e31d647a3cab02fecdb048e81bc13d37d1c3533b8e96a8d3

SHA512
1ddd77de29270944f9c25769b1dd0d655abea9ea7619af560a9160ef6648a09c559348236c65919a3ec63ab5a1b97e51a20fd2fe05a716ca52de2cd510e9f3a6

Download Submit
memory/1628-147-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/1628-148-0x00000000060B0000-0x0000000006654000-memory.dmp

Filesize
5.6MB

Download
memory/1628-149-0x0000000005CE0000-0x0000000005D72000-memory.dmp

Filesize
584KB

Download
memory/1628-150-0x00000000060A0000-0x00000000060AA000-memory.dmp

Filesize
40KB

Download
memory/1628-151-0x0000000006C60000-0x0000000006CC6000-memory.dmp

Filesize
408KB

Download
memory/1628-152-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/2116-136-0x0000000000100000-0x0000000000126000-memory.dmp

Filesize
152KB

Download
memory/2116-137-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/2116-138-0x0000000004DF0000-0x0000000004E8C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads