asyncrat | 50780178c6e35fc1107aa6aacb09c6d1a46d2200f909a95836c88cb7c3651c0e

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30-03-2023 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pago.exe
Size

623KB
MD5

652dd5b56989f5ef5cb33759bf1ccbd0
SHA1

c7ba417514e93c71af7298ab9ba0c004079961b7
SHA256

50780178c6e35fc1107aa6aacb09c6d1a46d2200f909a95836c88cb7c3651c0e
SHA512

985d14a3159a6cab09a6cbb3048a306ea905a2311dcc93a1dba43796690aae647e91939fbfb9a47c0584eba7f16ebab2c9bc54c3e597d8d9b3d5c1f2d9946d6d
SSDEEP

12288:NcrNS33L10QdrXjcDn/ecGKnIiAnoXxDR3KUKLpFQBr7JFWpzL:wNA3R5drXoD/pfAnoXpR7kpFQBvJyL

Score

10^/10

asyncrat mnock rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Mnock

mooroopecamroy.sytes.net:1452

mooroopecamroy.sytes.net:1432

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
crssi.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4916-162-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Pago.exefxthjjfd.sfx.exefxthjjfd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	Pago.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	fxthjjfd.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	fxthjjfd.exe

Executes dropped EXE 5 IoCs

Processes:

fxthjjfd.sfx.exefxthjjfd.exefxthjjfd.execrssi.execrssi.exe

pid process

4064 fxthjjfd.sfx.exe
3792 fxthjjfd.exe
4916 fxthjjfd.exe
4696 crssi.exe
2052 crssi.exe

pid	process
4064	fxthjjfd.sfx.exe
3792	fxthjjfd.exe
4916	fxthjjfd.exe
4696	crssi.exe
2052	crssi.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fxthjjfd.execrssi.exe

description	pid	process	target process
PID 3792 set thread context of 4916	3792	fxthjjfd.exe	fxthjjfd.exe
PID 4696 set thread context of 2052	4696	crssi.exe	crssi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4964 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4548 timeout.exe

pid	process
4964	schtasks.exe

pid	process
4548	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

fxthjjfd.exe

pid	process
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe
4916	fxthjjfd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

fxthjjfd.exefxthjjfd.execrssi.execrssi.exe

description	pid	process
Token: SeDebugPrivilege	3792	fxthjjfd.exe
Token: SeDebugPrivilege	4916	fxthjjfd.exe
Token: SeDebugPrivilege	4696	crssi.exe
Token: SeDebugPrivilege	2052	crssi.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

Pago.execmd.exefxthjjfd.sfx.exefxthjjfd.exefxthjjfd.execmd.execmd.execrssi.exe

description	pid	process	target process
PID 3828 wrote to memory of 116	3828	Pago.exe	cmd.exe
PID 3828 wrote to memory of 116	3828	Pago.exe	cmd.exe
PID 3828 wrote to memory of 116	3828	Pago.exe	cmd.exe
PID 116 wrote to memory of 4064	116	cmd.exe	fxthjjfd.sfx.exe
PID 116 wrote to memory of 4064	116	cmd.exe	fxthjjfd.sfx.exe
PID 116 wrote to memory of 4064	116	cmd.exe	fxthjjfd.sfx.exe
PID 4064 wrote to memory of 3792	4064	fxthjjfd.sfx.exe	fxthjjfd.exe
PID 4064 wrote to memory of 3792	4064	fxthjjfd.sfx.exe	fxthjjfd.exe
PID 4064 wrote to memory of 3792	4064	fxthjjfd.sfx.exe	fxthjjfd.exe
PID 3792 wrote to memory of 4916	3792	fxthjjfd.exe	fxthjjfd.exe
PID 3792 wrote to memory of 4916	3792	fxthjjfd.exe	fxthjjfd.exe
PID 3792 wrote to memory of 4916	3792	fxthjjfd.exe	fxthjjfd.exe
PID 3792 wrote to memory of 4916	3792	fxthjjfd.exe	fxthjjfd.exe
PID 3792 wrote to memory of 4916	3792	fxthjjfd.exe	fxthjjfd.exe
PID 3792 wrote to memory of 4916	3792	fxthjjfd.exe	fxthjjfd.exe
PID 3792 wrote to memory of 4916	3792	fxthjjfd.exe	fxthjjfd.exe
PID 3792 wrote to memory of 4916	3792	fxthjjfd.exe	fxthjjfd.exe
PID 4916 wrote to memory of 4424	4916	fxthjjfd.exe	cmd.exe
PID 4916 wrote to memory of 4424	4916	fxthjjfd.exe	cmd.exe
PID 4916 wrote to memory of 4424	4916	fxthjjfd.exe	cmd.exe
PID 4916 wrote to memory of 4828	4916	fxthjjfd.exe	cmd.exe
PID 4916 wrote to memory of 4828	4916	fxthjjfd.exe	cmd.exe
PID 4916 wrote to memory of 4828	4916	fxthjjfd.exe	cmd.exe
PID 4424 wrote to memory of 4964	4424	cmd.exe	schtasks.exe
PID 4424 wrote to memory of 4964	4424	cmd.exe	schtasks.exe
PID 4424 wrote to memory of 4964	4424	cmd.exe	schtasks.exe
PID 4828 wrote to memory of 4548	4828	cmd.exe	timeout.exe
PID 4828 wrote to memory of 4548	4828	cmd.exe	timeout.exe
PID 4828 wrote to memory of 4548	4828	cmd.exe	timeout.exe
PID 4828 wrote to memory of 4696	4828	cmd.exe	crssi.exe
PID 4828 wrote to memory of 4696	4828	cmd.exe	crssi.exe
PID 4828 wrote to memory of 4696	4828	cmd.exe	crssi.exe
PID 4696 wrote to memory of 2052	4696	crssi.exe	crssi.exe
PID 4696 wrote to memory of 2052	4696	crssi.exe	crssi.exe
PID 4696 wrote to memory of 2052	4696	crssi.exe	crssi.exe
PID 4696 wrote to memory of 2052	4696	crssi.exe	crssi.exe
PID 4696 wrote to memory of 2052	4696	crssi.exe	crssi.exe
PID 4696 wrote to memory of 2052	4696	crssi.exe	crssi.exe
PID 4696 wrote to memory of 2052	4696	crssi.exe	crssi.exe
PID 4696 wrote to memory of 2052	4696	crssi.exe	crssi.exe

C:\Users\Admin\AppData\Local\Temp\Pago.exe
"C:\Users\Admin\AppData\Local\Temp\Pago.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuifhjo.cmd" "
2⤵
- Suspicious use of WriteProcessMemory
PID:116

C:\Users\Admin\AppData\Local\Temp\fxthjjfd.sfx.exe
fxthjjfd.sfx.exe -dC:\Users\Admin\AppData\Local\Temp -pegqekidhldqbomhjyujVifMohobtdaeddeoqxqtefcyiptigtrfcyhjnhotbsbgugfszafugBbsddfdtixdk
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064

C:\Users\Admin\AppData\Local\Temp\fxthjjfd.exe
"C:\Users\Admin\AppData\Local\Temp\fxthjjfd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3792

C:\Users\Admin\AppData\Local\Temp\fxthjjfd.exe
C:\Users\Admin\AppData\Local\Temp\fxthjjfd.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "crssi" /tr '"C:\Users\Admin\AppData\Roaming\crssi.exe"' & exit
6⤵
- Suspicious use of WriteProcessMemory
PID:4424

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "crssi" /tr '"C:\Users\Admin\AppData\Roaming\crssi.exe"'
7⤵
- Creates scheduled task(s)
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBAF8.tmp.bat""
6⤵
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\timeout.exe
timeout 3
7⤵
- Delays execution with timeout.exe
PID:4548

C:\Users\Admin\AppData\Roaming\crssi.exe
"C:\Users\Admin\AppData\Roaming\crssi.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696

C:\Users\Admin\AppData\Roaming\crssi.exe
C:\Users\Admin\AppData\Roaming\crssi.exe
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crssi.exe.log
Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fxthjjfd.exe.log
Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuifhjo.cmd
Filesize
10KB

MD5
2cbdbe28433c212cfc947f9060b2c797

SHA1
db043393b05fba23666dbf3af319148e7ae29c2e

SHA256
bec00ecf683b07e82fd8d1b5138b3a09f516c22354d08da8663e25764c75e646

SHA512
dbb4f72aac536404a762d4c9238aa24566fdf0a7c425b573c8e03f39b8402b58dc0fed437379255ab8c3650430bab5280bab8f761f3a9ff9a424db8f64065bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxthjjfd.exe
Filesize
204KB

MD5
d0e2cc51b321b89c9f851f63390101b5

SHA1
f08594b598816221785328ae9500b9f6aca26fae

SHA256
b19954a0b27c1f93f954b8f95a289371a01c097cf4a75cef5db44c7c263b22d6

SHA512
de8b71b6952642a14feedc7db8034dfe23f662a10828dbe404534dea0ead42eca1d155887a81656b886dfe7ddbc8df93784f290859d413e01f9281ed722d81d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxthjjfd.exe
Filesize
204KB

MD5
d0e2cc51b321b89c9f851f63390101b5

SHA1
f08594b598816221785328ae9500b9f6aca26fae

SHA256
b19954a0b27c1f93f954b8f95a289371a01c097cf4a75cef5db44c7c263b22d6

SHA512
de8b71b6952642a14feedc7db8034dfe23f662a10828dbe404534dea0ead42eca1d155887a81656b886dfe7ddbc8df93784f290859d413e01f9281ed722d81d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxthjjfd.exe
Filesize
204KB

MD5
d0e2cc51b321b89c9f851f63390101b5

SHA1
f08594b598816221785328ae9500b9f6aca26fae

SHA256
b19954a0b27c1f93f954b8f95a289371a01c097cf4a75cef5db44c7c263b22d6

SHA512
de8b71b6952642a14feedc7db8034dfe23f662a10828dbe404534dea0ead42eca1d155887a81656b886dfe7ddbc8df93784f290859d413e01f9281ed722d81d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxthjjfd.exe
Filesize
204KB

MD5
d0e2cc51b321b89c9f851f63390101b5

SHA1
f08594b598816221785328ae9500b9f6aca26fae

SHA256
b19954a0b27c1f93f954b8f95a289371a01c097cf4a75cef5db44c7c263b22d6

SHA512
de8b71b6952642a14feedc7db8034dfe23f662a10828dbe404534dea0ead42eca1d155887a81656b886dfe7ddbc8df93784f290859d413e01f9281ed722d81d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxthjjfd.sfx.exe
Filesize
432KB

MD5
d23635b06be2768d5b78d7258c14406e

SHA1
8f015cb2fc7b7c8079b9ee1a3d42655a4534a6d0

SHA256
f84fedf08805fa1d4d36c27720770cb260955d4cd5cf3d3f50dc90826b752f4a

SHA512
2ac6bf75997595f0dc21bfc4b69c126dcbe3daea3b7cf2c01dd73c57d0c5c70e6990011051cb9f5403ef058d94bc4f55fb0c11c9d9769cbb4c2e6f4142d10d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxthjjfd.sfx.exe
Filesize
432KB

MD5
d23635b06be2768d5b78d7258c14406e

SHA1
8f015cb2fc7b7c8079b9ee1a3d42655a4534a6d0

SHA256
f84fedf08805fa1d4d36c27720770cb260955d4cd5cf3d3f50dc90826b752f4a

SHA512
2ac6bf75997595f0dc21bfc4b69c126dcbe3daea3b7cf2c01dd73c57d0c5c70e6990011051cb9f5403ef058d94bc4f55fb0c11c9d9769cbb4c2e6f4142d10d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBAF8.tmp.bat
Filesize
149B

MD5
9e516748abd181fe98d90bf6697a15fc

SHA1
00d744d47da2d0e9101efa64cb893022a3dd2cef

SHA256
25e1f392b6d0c088f63dfc7254d968d99024ca394d82b399f3d22b9b53599566

SHA512
48a28fdca8077e8b4a6fc38a3263987f5b0bd3d54d6aaa8081d7808170842c95af7b86c557843cfea102f1779806b45e0e12756e87c84f12d391fb26eaea1a8b

Download Submit
C:\Users\Admin\AppData\Roaming\crssi.exe
Filesize
204KB

MD5
d0e2cc51b321b89c9f851f63390101b5

SHA1
f08594b598816221785328ae9500b9f6aca26fae

SHA256
b19954a0b27c1f93f954b8f95a289371a01c097cf4a75cef5db44c7c263b22d6

SHA512
de8b71b6952642a14feedc7db8034dfe23f662a10828dbe404534dea0ead42eca1d155887a81656b886dfe7ddbc8df93784f290859d413e01f9281ed722d81d4

Download Submit
C:\Users\Admin\AppData\Roaming\crssi.exe
Filesize
204KB

MD5
d0e2cc51b321b89c9f851f63390101b5

SHA1
f08594b598816221785328ae9500b9f6aca26fae

SHA256
b19954a0b27c1f93f954b8f95a289371a01c097cf4a75cef5db44c7c263b22d6

SHA512
de8b71b6952642a14feedc7db8034dfe23f662a10828dbe404534dea0ead42eca1d155887a81656b886dfe7ddbc8df93784f290859d413e01f9281ed722d81d4

Download Submit
C:\Users\Admin\AppData\Roaming\crssi.exe
Filesize
204KB

MD5
d0e2cc51b321b89c9f851f63390101b5

SHA1
f08594b598816221785328ae9500b9f6aca26fae

SHA256
b19954a0b27c1f93f954b8f95a289371a01c097cf4a75cef5db44c7c263b22d6

SHA512
de8b71b6952642a14feedc7db8034dfe23f662a10828dbe404534dea0ead42eca1d155887a81656b886dfe7ddbc8df93784f290859d413e01f9281ed722d81d4

Download Submit
memory/2052-181-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/2052-180-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/3792-157-0x0000000000CC0000-0x0000000000CF8000-memory.dmp

Filesize
224KB

Download
memory/3792-161-0x0000000007B80000-0x0000000007B90000-memory.dmp

Filesize
64KB

Download
memory/3792-160-0x00000000057B0000-0x0000000005842000-memory.dmp

Filesize
584KB

Download
memory/3792-159-0x000000000A480000-0x000000000AA24000-memory.dmp

Filesize
5.6MB

Download
memory/3792-158-0x0000000009E30000-0x0000000009ECC000-memory.dmp

Filesize
624KB

Download
memory/4696-175-0x0000000007490000-0x00000000074A0000-memory.dmp

Filesize
64KB

Download
memory/4916-166-0x00000000051C0000-0x0000000005226000-memory.dmp

Filesize
408KB

Download
memory/4916-165-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/4916-162-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download