asyncrat | ba0b8d476dc0152aa59cfc15b1a93fc039baab07cdf95677871d9157488babe4

General

Target

tmp.exe
Size

57KB
MD5

7422d3af2fc6d1f7ecef432d86353456
SHA1

fd470052846183329edd22a923d070ad71ba79cc
SHA256

ba0b8d476dc0152aa59cfc15b1a93fc039baab07cdf95677871d9157488babe4
SHA512

24baf349ae705d0d88571a79a5d449f3ee4bb3e9f751d44a26f263298d69e5872ee9d8e6f4b150dd24a669f534b67a1de184466ba25399b6d9da68537693063a
SSDEEP

1536:aIUw2xx5XbyB/licYH6GlQZXRwA2IJYkbHTH1lmK9Xx:aIUw2xx5Xb0/EcYH6GlQEANCkbHTNVx

Score

10^/10

asyncrat hawkeye a&h keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

A&H

C2

aboreda.linkpc.net:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
10
install
true
install_file
WindowsUpdate.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/852-54-0x0000000001180000-0x0000000001194000-memory.dmp	asyncrat
\Users\Admin\AppData\Roaming\WindowsUpdate.exe	asyncrat
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe	asyncrat
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe	asyncrat
behavioral1/memory/1544-68-0x0000000000C70000-0x0000000000C84000-memory.dmp	asyncrat
behavioral1/memory/1544-69-0x0000000004370000-0x00000000043B0000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

WindowsUpdate.exe

pid process

1544 WindowsUpdate.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1644 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1500 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1248 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

tmp.exe

pid process

852 tmp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tmp.exeWindowsUpdate.exe

description pid process

Token: SeDebugPrivilege 852 tmp.exe
Token: SeDebugPrivilege 1544 WindowsUpdate.exe

pid	process
1544	WindowsUpdate.exe

pid	process
1644	cmd.exe

pid	process
1500	schtasks.exe

pid	process
1248	timeout.exe

pid	process
852	tmp.exe

description	pid	process
Token: SeDebugPrivilege	852	tmp.exe
Token: SeDebugPrivilege	1544	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

tmp.execmd.execmd.exe

description	pid	process	target process
PID 852 wrote to memory of 1272	852	tmp.exe	cmd.exe
PID 852 wrote to memory of 1272	852	tmp.exe	cmd.exe
PID 852 wrote to memory of 1272	852	tmp.exe	cmd.exe
PID 852 wrote to memory of 1272	852	tmp.exe	cmd.exe
PID 852 wrote to memory of 1644	852	tmp.exe	cmd.exe
PID 852 wrote to memory of 1644	852	tmp.exe	cmd.exe
PID 852 wrote to memory of 1644	852	tmp.exe	cmd.exe
PID 852 wrote to memory of 1644	852	tmp.exe	cmd.exe
PID 1644 wrote to memory of 1248	1644	cmd.exe	timeout.exe
PID 1644 wrote to memory of 1248	1644	cmd.exe	timeout.exe
PID 1644 wrote to memory of 1248	1644	cmd.exe	timeout.exe
PID 1644 wrote to memory of 1248	1644	cmd.exe	timeout.exe
PID 1272 wrote to memory of 1500	1272	cmd.exe	schtasks.exe
PID 1272 wrote to memory of 1500	1272	cmd.exe	schtasks.exe
PID 1272 wrote to memory of 1500	1272	cmd.exe	schtasks.exe
PID 1272 wrote to memory of 1500	1272	cmd.exe	schtasks.exe
PID 1644 wrote to memory of 1544	1644	cmd.exe	WindowsUpdate.exe
PID 1644 wrote to memory of 1544	1644	cmd.exe	WindowsUpdate.exe
PID 1644 wrote to memory of 1544	1644	cmd.exe	WindowsUpdate.exe
PID 1644 wrote to memory of 1544	1644	cmd.exe	WindowsUpdate.exe
PID 1644 wrote to memory of 1544	1644	cmd.exe	WindowsUpdate.exe
PID 1644 wrote to memory of 1544	1644	cmd.exe	WindowsUpdate.exe
PID 1644 wrote to memory of 1544	1644	cmd.exe	WindowsUpdate.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp426E.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1248
- - C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    "C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp426E.tmp.bat

Filesize
157B

MD5
fc93bd8e557cfe5efd8592cd1786f43d

SHA1
db175e079f6859a5a96936602f1d68caf23094b6

SHA256
014a403e78eae274f55021561607e00e035d63d3ac4fe688ac35736a1d44f47b

SHA512
13c9ecf930b3019dfaf3b52acc4547e9da6bcb30ca339e1e9049b6186283374e9a8e931008021d648b897ec17f37fbc23586761dd4b860986f5cd787047fbe3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp426E.tmp.bat

Filesize
157B

MD5
fc93bd8e557cfe5efd8592cd1786f43d

SHA1
db175e079f6859a5a96936602f1d68caf23094b6

SHA256
014a403e78eae274f55021561607e00e035d63d3ac4fe688ac35736a1d44f47b

SHA512
13c9ecf930b3019dfaf3b52acc4547e9da6bcb30ca339e1e9049b6186283374e9a8e931008021d648b897ec17f37fbc23586761dd4b860986f5cd787047fbe3b

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe

Filesize
57KB

MD5
7422d3af2fc6d1f7ecef432d86353456

SHA1
fd470052846183329edd22a923d070ad71ba79cc

SHA256
ba0b8d476dc0152aa59cfc15b1a93fc039baab07cdf95677871d9157488babe4

SHA512
24baf349ae705d0d88571a79a5d449f3ee4bb3e9f751d44a26f263298d69e5872ee9d8e6f4b150dd24a669f534b67a1de184466ba25399b6d9da68537693063a

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe

Filesize
57KB

MD5
7422d3af2fc6d1f7ecef432d86353456

SHA1
fd470052846183329edd22a923d070ad71ba79cc

SHA256
ba0b8d476dc0152aa59cfc15b1a93fc039baab07cdf95677871d9157488babe4

SHA512
24baf349ae705d0d88571a79a5d449f3ee4bb3e9f751d44a26f263298d69e5872ee9d8e6f4b150dd24a669f534b67a1de184466ba25399b6d9da68537693063a

Download Submit
\Users\Admin\AppData\Roaming\WindowsUpdate.exe

Filesize
57KB

MD5
7422d3af2fc6d1f7ecef432d86353456

SHA1
fd470052846183329edd22a923d070ad71ba79cc

SHA256
ba0b8d476dc0152aa59cfc15b1a93fc039baab07cdf95677871d9157488babe4

SHA512
24baf349ae705d0d88571a79a5d449f3ee4bb3e9f751d44a26f263298d69e5872ee9d8e6f4b150dd24a669f534b67a1de184466ba25399b6d9da68537693063a

Download Submit
memory/852-54-0x0000000001180000-0x0000000001194000-memory.dmp

Filesize
80KB

Download
memory/852-55-0x0000000000B10000-0x0000000000B50000-memory.dmp

Filesize
256KB

Download
memory/1544-68-0x0000000000C70000-0x0000000000C84000-memory.dmp

Filesize
80KB

Download
memory/1544-69-0x0000000004370000-0x00000000043B0000-memory.dmp

Filesize
256KB

Download
memory/1544-87-0x0000000004370000-0x00000000043B0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads