asyncrat | 5c85b25b5b4f277770b21a77796e7e1672eb046eabb76077c703a993e237a3a7

General

Target

file.exe
Size

307KB
MD5

884714bd845895cbd4377d1ba6df376e
SHA1

5a219cb01a10516eab59b2703d7bc4760fb5b5c0
SHA256

5c85b25b5b4f277770b21a77796e7e1672eb046eabb76077c703a993e237a3a7
SHA512

174a7585784d24e4424661a03fbcd4f4195ec9b0b36cf4e01ea7fe5f5c5d7cbed2a74cb3a030531045e57af0c7e07d53e44e7e9f3d888883ee37ea21f4da0674
SSDEEP

6144:Y1s6ZKvncbumIED8Qyl/RUpfPMm9Fy5RiLwFdhLoZxybN:pcbuLQyDebTLIdhLexG

Score

10^/10

asyncrat default persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

192.3.101.190:2015

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/700-71-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

880 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

468 cmd.exe

pid	process
880	svchost.exe

pid	process
468	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	file.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 880 set thread context of 700 880 svchost.exe SetupUtility.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1684 700 WerFault.exe SetupUtility.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

540 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1168 timeout.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

file.exesvchost.exe

pid process

624 file.exe
880 svchost.exe
880 svchost.exe
880 svchost.exe
880 svchost.exe
880 svchost.exe
880 svchost.exe
880 svchost.exe
880 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

file.exesvchost.exe

description pid process

Token: SeDebugPrivilege 624 file.exe
Token: SeDebugPrivilege 880 svchost.exe

description	pid	process	target process
PID 880 set thread context of 700	880	svchost.exe	SetupUtility.exe

pid	pid_target	process	target process
1684	700	WerFault.exe	SetupUtility.exe

pid	process
540	schtasks.exe

pid	process
1168	timeout.exe

pid	process
624	file.exe
880	svchost.exe
880	svchost.exe
880	svchost.exe
880	svchost.exe
880	svchost.exe
880	svchost.exe
880	svchost.exe
880	svchost.exe

description	pid	process
Token: SeDebugPrivilege	624	file.exe
Token: SeDebugPrivilege	880	svchost.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

file.execmd.execmd.exesvchost.exeSetupUtility.exe

description	pid	process	target process
PID 624 wrote to memory of 916	624	file.exe	cmd.exe
PID 624 wrote to memory of 916	624	file.exe	cmd.exe
PID 624 wrote to memory of 916	624	file.exe	cmd.exe
PID 916 wrote to memory of 540	916	cmd.exe	schtasks.exe
PID 916 wrote to memory of 540	916	cmd.exe	schtasks.exe
PID 916 wrote to memory of 540	916	cmd.exe	schtasks.exe
PID 624 wrote to memory of 468	624	file.exe	cmd.exe
PID 624 wrote to memory of 468	624	file.exe	cmd.exe
PID 624 wrote to memory of 468	624	file.exe	cmd.exe
PID 468 wrote to memory of 1168	468	cmd.exe	timeout.exe
PID 468 wrote to memory of 1168	468	cmd.exe	timeout.exe
PID 468 wrote to memory of 1168	468	cmd.exe	timeout.exe
PID 468 wrote to memory of 880	468	cmd.exe	svchost.exe
PID 468 wrote to memory of 880	468	cmd.exe	svchost.exe
PID 468 wrote to memory of 880	468	cmd.exe	svchost.exe
PID 880 wrote to memory of 796	880	svchost.exe	DataSvcUtil.exe
PID 880 wrote to memory of 796	880	svchost.exe	DataSvcUtil.exe
PID 880 wrote to memory of 796	880	svchost.exe	DataSvcUtil.exe
PID 880 wrote to memory of 1184	880	svchost.exe	cvtres.exe
PID 880 wrote to memory of 1184	880	svchost.exe	cvtres.exe
PID 880 wrote to memory of 1184	880	svchost.exe	cvtres.exe
PID 880 wrote to memory of 1628	880	svchost.exe	aspnet_state.exe
PID 880 wrote to memory of 1628	880	svchost.exe	aspnet_state.exe
PID 880 wrote to memory of 1628	880	svchost.exe	aspnet_state.exe
PID 880 wrote to memory of 1400	880	svchost.exe	aspnet_wp.exe
PID 880 wrote to memory of 1400	880	svchost.exe	aspnet_wp.exe
PID 880 wrote to memory of 1400	880	svchost.exe	aspnet_wp.exe
PID 880 wrote to memory of 1552	880	svchost.exe	ngen.exe
PID 880 wrote to memory of 1552	880	svchost.exe	ngen.exe
PID 880 wrote to memory of 1552	880	svchost.exe	ngen.exe
PID 880 wrote to memory of 1084	880	svchost.exe	AddInUtil.exe
PID 880 wrote to memory of 1084	880	svchost.exe	AddInUtil.exe
PID 880 wrote to memory of 1084	880	svchost.exe	AddInUtil.exe
PID 880 wrote to memory of 612	880	svchost.exe	WsatConfig.exe
PID 880 wrote to memory of 612	880	svchost.exe	WsatConfig.exe
PID 880 wrote to memory of 612	880	svchost.exe	WsatConfig.exe
PID 880 wrote to memory of 604	880	svchost.exe	RegSvcs.exe
PID 880 wrote to memory of 604	880	svchost.exe	RegSvcs.exe
PID 880 wrote to memory of 604	880	svchost.exe	RegSvcs.exe
PID 880 wrote to memory of 700	880	svchost.exe	SetupUtility.exe
PID 880 wrote to memory of 700	880	svchost.exe	SetupUtility.exe
PID 880 wrote to memory of 700	880	svchost.exe	SetupUtility.exe
PID 880 wrote to memory of 700	880	svchost.exe	SetupUtility.exe
PID 880 wrote to memory of 700	880	svchost.exe	SetupUtility.exe
PID 880 wrote to memory of 700	880	svchost.exe	SetupUtility.exe
PID 880 wrote to memory of 700	880	svchost.exe	SetupUtility.exe
PID 880 wrote to memory of 700	880	svchost.exe	SetupUtility.exe
PID 880 wrote to memory of 700	880	svchost.exe	SetupUtility.exe
PID 880 wrote to memory of 700	880	svchost.exe	SetupUtility.exe
PID 880 wrote to memory of 700	880	svchost.exe	SetupUtility.exe
PID 880 wrote to memory of 700	880	svchost.exe	SetupUtility.exe
PID 700 wrote to memory of 1684	700	SetupUtility.exe	WerFault.exe
PID 700 wrote to memory of 1684	700	SetupUtility.exe	WerFault.exe
PID 700 wrote to memory of 1684	700	SetupUtility.exe	WerFault.exe
PID 700 wrote to memory of 1684	700	SetupUtility.exe	WerFault.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:540

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp243.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1168

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
4⤵
PID:796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
4⤵
PID:1184

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
4⤵
PID:1628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
4⤵
PID:1400

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
4⤵
PID:1084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
4⤵
PID:1552

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
4⤵
PID:612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
4⤵
PID:604

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 700 -s 168
5⤵
- Program crash
PID:1684

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp243.tmp.bat
Filesize
150B

MD5
557bd695efe8977b592bfa87ed4e51ab

SHA1
1b384a4964ee557076f1448a24d005e7847be25a

SHA256
fe5ddc10e3e2e3d6222a3e5794f10134a76b4ce682cfaa3f2b9fac000014f798

SHA512
1522581325b7e64bde3f2c162d7c2cdfb397408237a5c264f38b636af4cedfdcff89a2c04cd8b4d24e137c197bf88a64de94063d49fa35c4192533ff6ba3cc38

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp243.tmp.bat
Filesize
150B

MD5
557bd695efe8977b592bfa87ed4e51ab

SHA1
1b384a4964ee557076f1448a24d005e7847be25a

SHA256
fe5ddc10e3e2e3d6222a3e5794f10134a76b4ce682cfaa3f2b9fac000014f798

SHA512
1522581325b7e64bde3f2c162d7c2cdfb397408237a5c264f38b636af4cedfdcff89a2c04cd8b4d24e137c197bf88a64de94063d49fa35c4192533ff6ba3cc38

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
307KB

MD5
884714bd845895cbd4377d1ba6df376e

SHA1
5a219cb01a10516eab59b2703d7bc4760fb5b5c0

SHA256
5c85b25b5b4f277770b21a77796e7e1672eb046eabb76077c703a993e237a3a7

SHA512
174a7585784d24e4424661a03fbcd4f4195ec9b0b36cf4e01ea7fe5f5c5d7cbed2a74cb3a030531045e57af0c7e07d53e44e7e9f3d888883ee37ea21f4da0674

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
307KB

MD5
884714bd845895cbd4377d1ba6df376e

SHA1
5a219cb01a10516eab59b2703d7bc4760fb5b5c0

SHA256
5c85b25b5b4f277770b21a77796e7e1672eb046eabb76077c703a993e237a3a7

SHA512
174a7585784d24e4424661a03fbcd4f4195ec9b0b36cf4e01ea7fe5f5c5d7cbed2a74cb3a030531045e57af0c7e07d53e44e7e9f3d888883ee37ea21f4da0674

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
307KB

MD5
884714bd845895cbd4377d1ba6df376e

SHA1
5a219cb01a10516eab59b2703d7bc4760fb5b5c0

SHA256
5c85b25b5b4f277770b21a77796e7e1672eb046eabb76077c703a993e237a3a7

SHA512
174a7585784d24e4424661a03fbcd4f4195ec9b0b36cf4e01ea7fe5f5c5d7cbed2a74cb3a030531045e57af0c7e07d53e44e7e9f3d888883ee37ea21f4da0674

Download Submit
memory/624-54-0x0000000000FC0000-0x0000000001012000-memory.dmp

Filesize
328KB

Download
memory/624-55-0x000000001BF10000-0x000000001BF90000-memory.dmp

Filesize
512KB

Download
memory/700-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/880-69-0x00000000011E0000-0x0000000001232000-memory.dmp

Filesize
328KB

Download
memory/880-70-0x0000000002730000-0x00000000027B0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads