asyncrat | ba0b8d476dc0152aa59cfc15b1a93fc039baab07cdf95677871d9157488babe4

General

Target

tmp.exe
Size

57KB
MD5

7422d3af2fc6d1f7ecef432d86353456
SHA1

fd470052846183329edd22a923d070ad71ba79cc
SHA256

ba0b8d476dc0152aa59cfc15b1a93fc039baab07cdf95677871d9157488babe4
SHA512

24baf349ae705d0d88571a79a5d449f3ee4bb3e9f751d44a26f263298d69e5872ee9d8e6f4b150dd24a669f534b67a1de184466ba25399b6d9da68537693063a
SSDEEP

1536:aIUw2xx5XbyB/licYH6GlQZXRwA2IJYkbHTH1lmK9Xx:aIUw2xx5Xb0/EcYH6GlQEANCkbHTNVx

Score

10^/10

asyncrat hawkeye a&h keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

A&H

C2

aboreda.linkpc.net:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
10
install
true
install_file
WindowsUpdate.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1556-54-0x0000000000140000-0x0000000000154000-memory.dmp	asyncrat
\Users\Admin\AppData\Roaming\WindowsUpdate.exe	asyncrat
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe	asyncrat
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe	asyncrat
behavioral1/memory/2044-68-0x0000000000950000-0x0000000000964000-memory.dmp	asyncrat
behavioral1/memory/2044-69-0x0000000000340000-0x0000000000380000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

WindowsUpdate.exe

pid process

2044 WindowsUpdate.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

672 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1208 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1296 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

tmp.exe

pid process

1556 tmp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tmp.exeWindowsUpdate.exe

description pid process

Token: SeDebugPrivilege 1556 tmp.exe
Token: SeDebugPrivilege 2044 WindowsUpdate.exe

pid	process
2044	WindowsUpdate.exe

pid	process
672	cmd.exe

pid	process
1208	schtasks.exe

pid	process
1296	timeout.exe

pid	process
1556	tmp.exe

description	pid	process
Token: SeDebugPrivilege	1556	tmp.exe
Token: SeDebugPrivilege	2044	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

tmp.execmd.execmd.exe

description	pid	process	target process
PID 1556 wrote to memory of 1032	1556	tmp.exe	cmd.exe
PID 1556 wrote to memory of 1032	1556	tmp.exe	cmd.exe
PID 1556 wrote to memory of 1032	1556	tmp.exe	cmd.exe
PID 1556 wrote to memory of 1032	1556	tmp.exe	cmd.exe
PID 1556 wrote to memory of 672	1556	tmp.exe	cmd.exe
PID 1556 wrote to memory of 672	1556	tmp.exe	cmd.exe
PID 1556 wrote to memory of 672	1556	tmp.exe	cmd.exe
PID 1556 wrote to memory of 672	1556	tmp.exe	cmd.exe
PID 1032 wrote to memory of 1208	1032	cmd.exe	schtasks.exe
PID 1032 wrote to memory of 1208	1032	cmd.exe	schtasks.exe
PID 1032 wrote to memory of 1208	1032	cmd.exe	schtasks.exe
PID 1032 wrote to memory of 1208	1032	cmd.exe	schtasks.exe
PID 672 wrote to memory of 1296	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 1296	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 1296	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 1296	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 2044	672	cmd.exe	WindowsUpdate.exe
PID 672 wrote to memory of 2044	672	cmd.exe	WindowsUpdate.exe
PID 672 wrote to memory of 2044	672	cmd.exe	WindowsUpdate.exe
PID 672 wrote to memory of 2044	672	cmd.exe	WindowsUpdate.exe
PID 672 wrote to memory of 2044	672	cmd.exe	WindowsUpdate.exe
PID 672 wrote to memory of 2044	672	cmd.exe	WindowsUpdate.exe
PID 672 wrote to memory of 2044	672	cmd.exe	WindowsUpdate.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"'
3⤵
- Creates scheduled task(s)
PID:1208

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4E5F.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1296

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4E5F.tmp.bat
Filesize
157B

MD5
8a327bf63b992df4786731524f1bf2af

SHA1
e682c7fcbb35b83dba090dd54e6c722666002329

SHA256
e48cc1976db7ba5a456609305b2c5c2b361265b270b25092249864a30cabac01

SHA512
a285dfa2d26cac2af4fecb9697e986a0ccd0c263ae600fb2cf55acc1fd3507fc9eab19ff49b23ef3ce47158941c58abb1c0567a888840ecc9fd852aaabd48c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E5F.tmp.bat
Filesize
157B

MD5
8a327bf63b992df4786731524f1bf2af

SHA1
e682c7fcbb35b83dba090dd54e6c722666002329

SHA256
e48cc1976db7ba5a456609305b2c5c2b361265b270b25092249864a30cabac01

SHA512
a285dfa2d26cac2af4fecb9697e986a0ccd0c263ae600fb2cf55acc1fd3507fc9eab19ff49b23ef3ce47158941c58abb1c0567a888840ecc9fd852aaabd48c49

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
Filesize
57KB

MD5
7422d3af2fc6d1f7ecef432d86353456

SHA1
fd470052846183329edd22a923d070ad71ba79cc

SHA256
ba0b8d476dc0152aa59cfc15b1a93fc039baab07cdf95677871d9157488babe4

SHA512
24baf349ae705d0d88571a79a5d449f3ee4bb3e9f751d44a26f263298d69e5872ee9d8e6f4b150dd24a669f534b67a1de184466ba25399b6d9da68537693063a

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
Filesize
57KB

MD5
7422d3af2fc6d1f7ecef432d86353456

SHA1
fd470052846183329edd22a923d070ad71ba79cc

SHA256
ba0b8d476dc0152aa59cfc15b1a93fc039baab07cdf95677871d9157488babe4

SHA512
24baf349ae705d0d88571a79a5d449f3ee4bb3e9f751d44a26f263298d69e5872ee9d8e6f4b150dd24a669f534b67a1de184466ba25399b6d9da68537693063a

Download Submit
\Users\Admin\AppData\Roaming\WindowsUpdate.exe
Filesize
57KB

MD5
7422d3af2fc6d1f7ecef432d86353456

SHA1
fd470052846183329edd22a923d070ad71ba79cc

SHA256
ba0b8d476dc0152aa59cfc15b1a93fc039baab07cdf95677871d9157488babe4

SHA512
24baf349ae705d0d88571a79a5d449f3ee4bb3e9f751d44a26f263298d69e5872ee9d8e6f4b150dd24a669f534b67a1de184466ba25399b6d9da68537693063a

Download Submit
memory/1556-54-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/1556-55-0x0000000004A10000-0x0000000004A50000-memory.dmp

Filesize
256KB

Download
memory/2044-68-0x0000000000950000-0x0000000000964000-memory.dmp

Filesize
80KB

Download
memory/2044-69-0x0000000000340000-0x0000000000380000-memory.dmp

Filesize
256KB

Download
memory/2044-87-0x0000000000340000-0x0000000000380000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads