asyncrat | 2930da605db0ec3fcc6ddfe2b54808fdc417ccedfe1faa9dc3c1d2c69d401a0b

General

Target

0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
Size

45KB
MD5

3b7f9dcb3b83acf40f32d5f7c500fefb
SHA1

08195d91e8e187c4edfb03e3fa6784524481802a
SHA256

0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777
SHA512

daa05b7159d649dcb9e7c07c010b777daee79df18c0fb0d60364e942282dc1f1d63b9c0b1929f8217000e63c3526b7464133c08e42e21be392337e4c3724fad1
SSDEEP

768:vuK49TH4EjZWUR+ejmo2qrL/ot3APIPzjbogX3a7bsaN3KnVABDZXx:vuK49THf520s3lP3b/XKUaN3CWdXx

Score

10^/10

asyncrat christ2 rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Christ2

C2

dlusercontent.net:4444

Mutex

3048tui grwj0grw08

Attributes

delay
3
install
true
install_file
windllx.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/1420-133-0x00000000004E0000-0x00000000004F2000-memory.dmp	asyncrat
behavioral2/files/0x000200000002186c-142.dat	asyncrat
behavioral2/files/0x000200000002186c-143.dat	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe

Executes dropped EXE 1 IoCs

pid	Process
1004	windllx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3756	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3988	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
Token: SeDebugPrivilege	1004	windllx.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 4688	1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe	86
PID 1420 wrote to memory of 4688	1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe	86
PID 1420 wrote to memory of 4688	1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe	86
PID 1420 wrote to memory of 1192	1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe	88
PID 1420 wrote to memory of 1192	1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe	88
PID 1420 wrote to memory of 1192	1420	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe	88
PID 1192 wrote to memory of 3988	1192	cmd.exe	90
PID 1192 wrote to memory of 3988	1192	cmd.exe	90
PID 1192 wrote to memory of 3988	1192	cmd.exe	90
PID 4688 wrote to memory of 3756	4688	cmd.exe	91
PID 4688 wrote to memory of 3756	4688	cmd.exe	91
PID 4688 wrote to memory of 3756	4688	cmd.exe	91
PID 1192 wrote to memory of 1004	1192	cmd.exe	92
PID 1192 wrote to memory of 1004	1192	cmd.exe	92
PID 1192 wrote to memory of 1004	1192	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
"C:\Users\Admin\AppData\Local\Temp\0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windllx" /tr '"C:\Users\Admin\AppData\Roaming\windllx.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "windllx" /tr '"C:\Users\Admin\AppData\Roaming\windllx.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:3756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp833E.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3988
- - C:\Users\Admin\AppData\Roaming\windllx.exe
    "C:\Users\Admin\AppData\Roaming\windllx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp833E.tmp.bat

Filesize
151B

MD5
3ff54698b11f966790404db47b837178

SHA1
e59a9df5c2a359756c29107133b6fa4d606e9247

SHA256
0e67b82d1e64b83df93cbd48b1a9f76e37b7f85bae21e0b2e4151d3820e3a563

SHA512
fe7b65e026d20d182eb914bda03d725752c46d4222fbddae60222869bea7b3c5426f53d9981290fa557862c44c2439daa7723913707210a19a59c1293a937c92

Download Submit
C:\Users\Admin\AppData\Roaming\windllx.exe

Filesize
45KB

MD5
3b7f9dcb3b83acf40f32d5f7c500fefb

SHA1
08195d91e8e187c4edfb03e3fa6784524481802a

SHA256
0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777

SHA512
daa05b7159d649dcb9e7c07c010b777daee79df18c0fb0d60364e942282dc1f1d63b9c0b1929f8217000e63c3526b7464133c08e42e21be392337e4c3724fad1

Download Submit
C:\Users\Admin\AppData\Roaming\windllx.exe

Filesize
45KB

MD5
3b7f9dcb3b83acf40f32d5f7c500fefb

SHA1
08195d91e8e187c4edfb03e3fa6784524481802a

SHA256
0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777

SHA512
daa05b7159d649dcb9e7c07c010b777daee79df18c0fb0d60364e942282dc1f1d63b9c0b1929f8217000e63c3526b7464133c08e42e21be392337e4c3724fad1

Download Submit
memory/1004-144-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/1004-145-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/1420-133-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/1420-134-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1420-135-0x0000000004FB0000-0x000000000504C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads