Analysis
-
max time kernel
270s -
max time network
266s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
05/06/2023, 14:56
Behavioral task
behavioral1
Sample
AsyncClient.exe
Resource
win7-20230220-en
3 signatures
150 seconds
General
-
Target
AsyncClient.exe
-
Size
45KB
-
MD5
201a8b53a4749fd4f6f768aa3b003b04
-
SHA1
c829d9e8030354c162d2ded4a1fe3f0b71f6c9e7
-
SHA256
b17fb441c2af8dd5b20e49ffb9766bc737c9b6557db31beb3d9d18309dc87aec
-
SHA512
e1346b63a5d57a72a410177ca1a52246dcb36be1a1da990a0d519a71781384e3c5712f4778674d219ee68421207f165286f003c9d3dd981678d85eb2336c5611
-
SSDEEP
768:ju0OVTBRlc6nWUbmelmo2qjrKjGKG6PIyzjbFgX3iXavcTaPBDZjx:ju0OVTBnck26KYDy3bCXSK4Odjx
Malware Config
Extracted
Family
asyncrat
Version
0.5.7B
Botnet
Default
C2
127.0.0.1:15491
127.0.0.1:8080
195.78.54.247:15491
195.78.54.247:8080
2.tcp.eu.ngrok.io:15491
2.tcp.eu.ngrok.io:8080
Mutex
AsyncMutex_6SI8OkPnk
Attributes
-
delay
3
-
install
false
-
install_file
awdawd.exe
-
install_folder
%AppData%
aes.plain
Signatures
-
Async RAT payload 1 IoCs
resource yara_rule behavioral2/memory/4356-133-0x0000000000DD0000-0x0000000000DE2000-memory.dmp asyncrat -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1612 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1612 taskmgr.exe Token: SeSystemProfilePrivilege 1612 taskmgr.exe Token: SeCreateGlobalPrivilege 1612 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe 1612 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"1⤵PID:4356
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1612