asyncrat | 92b0cc6184468867764c824f3086da312866b47b42642fd32166bfb7c87bdf7e

General

Target

New Order SSRNSSIQ102-2023.exe
Size

789KB
MD5

40e90e03d1c397d3fede4c0e9d3dd2e4
SHA1

2ca12b01d5a31dd2076a7a4c0ca70fb61451331c
SHA256

92b0cc6184468867764c824f3086da312866b47b42642fd32166bfb7c87bdf7e
SHA512

a4f9ffb09d118407d3d63a116f5edcdb2a2e21176eed80984a2b323f1360771b14c0816ac6c8a66650d584993f0206f7c9f82504a59fdf3e222d76e7a88c80f6
SSDEEP

12288:fCBNfZFHB3gwr+1yjPHx0HGkYDHjrTCq:abHBQyjPHxqYDH/eq

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

fresh03.ddns.net:45265

fresh03.ddns.net:34110

fresh03.ddns.net:2245

fresh01.ddns.net:45265

fresh01.ddns.net:34110

fresh01.ddns.net:2245

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
logs.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1212-66-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1212-65-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1212-68-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1212-72-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1212-70-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1212-73-0x00000000023D0000-0x0000000002410000-memory.dmp	asyncrat
behavioral1/memory/888-88-0x0000000004560000-0x00000000045A0000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

logs.exe

pid process

888 logs.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1348 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

New Order SSRNSSIQ102-2023.exe

description pid process target process

PID 2016 set thread context of 1212 2016 New Order SSRNSSIQ102-2023.exe New Order SSRNSSIQ102-2023.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1876 schtasks.exe
1056 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1520 timeout.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

New Order SSRNSSIQ102-2023.exeNew Order SSRNSSIQ102-2023.exe

pid process

2016 New Order SSRNSSIQ102-2023.exe
2016 New Order SSRNSSIQ102-2023.exe
1212 New Order SSRNSSIQ102-2023.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

New Order SSRNSSIQ102-2023.exeNew Order SSRNSSIQ102-2023.exe

description pid process

Token: SeDebugPrivilege 2016 New Order SSRNSSIQ102-2023.exe
Token: SeDebugPrivilege 1212 New Order SSRNSSIQ102-2023.exe

pid	process
888	logs.exe

pid	process
1348	cmd.exe

description	pid	process	target process
PID 2016 set thread context of 1212	2016	New Order SSRNSSIQ102-2023.exe	New Order SSRNSSIQ102-2023.exe

pid	process
1876	schtasks.exe
1056	schtasks.exe

pid	process
1520	timeout.exe

pid	process
2016	New Order SSRNSSIQ102-2023.exe
2016	New Order SSRNSSIQ102-2023.exe
1212	New Order SSRNSSIQ102-2023.exe

description	pid	process
Token: SeDebugPrivilege	2016	New Order SSRNSSIQ102-2023.exe
Token: SeDebugPrivilege	1212	New Order SSRNSSIQ102-2023.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

New Order SSRNSSIQ102-2023.exeNew Order SSRNSSIQ102-2023.execmd.execmd.exe

description	pid	process	target process
PID 2016 wrote to memory of 1876	2016	New Order SSRNSSIQ102-2023.exe	schtasks.exe
PID 2016 wrote to memory of 1876	2016	New Order SSRNSSIQ102-2023.exe	schtasks.exe
PID 2016 wrote to memory of 1876	2016	New Order SSRNSSIQ102-2023.exe	schtasks.exe
PID 2016 wrote to memory of 1876	2016	New Order SSRNSSIQ102-2023.exe	schtasks.exe
PID 2016 wrote to memory of 1500	2016	New Order SSRNSSIQ102-2023.exe	New Order SSRNSSIQ102-2023.exe
PID 2016 wrote to memory of 1500	2016	New Order SSRNSSIQ102-2023.exe	New Order SSRNSSIQ102-2023.exe
PID 2016 wrote to memory of 1500	2016	New Order SSRNSSIQ102-2023.exe	New Order SSRNSSIQ102-2023.exe
PID 2016 wrote to memory of 1500	2016	New Order SSRNSSIQ102-2023.exe	New Order SSRNSSIQ102-2023.exe
PID 2016 wrote to memory of 1212	2016	New Order SSRNSSIQ102-2023.exe	New Order SSRNSSIQ102-2023.exe
PID 2016 wrote to memory of 1212	2016	New Order SSRNSSIQ102-2023.exe	New Order SSRNSSIQ102-2023.exe
PID 2016 wrote to memory of 1212	2016	New Order SSRNSSIQ102-2023.exe	New Order SSRNSSIQ102-2023.exe
PID 2016 wrote to memory of 1212	2016	New Order SSRNSSIQ102-2023.exe	New Order SSRNSSIQ102-2023.exe
PID 2016 wrote to memory of 1212	2016	New Order SSRNSSIQ102-2023.exe	New Order SSRNSSIQ102-2023.exe
PID 2016 wrote to memory of 1212	2016	New Order SSRNSSIQ102-2023.exe	New Order SSRNSSIQ102-2023.exe
PID 2016 wrote to memory of 1212	2016	New Order SSRNSSIQ102-2023.exe	New Order SSRNSSIQ102-2023.exe
PID 2016 wrote to memory of 1212	2016	New Order SSRNSSIQ102-2023.exe	New Order SSRNSSIQ102-2023.exe
PID 2016 wrote to memory of 1212	2016	New Order SSRNSSIQ102-2023.exe	New Order SSRNSSIQ102-2023.exe
PID 1212 wrote to memory of 1928	1212	New Order SSRNSSIQ102-2023.exe	cmd.exe
PID 1212 wrote to memory of 1928	1212	New Order SSRNSSIQ102-2023.exe	cmd.exe
PID 1212 wrote to memory of 1928	1212	New Order SSRNSSIQ102-2023.exe	cmd.exe
PID 1212 wrote to memory of 1928	1212	New Order SSRNSSIQ102-2023.exe	cmd.exe
PID 1212 wrote to memory of 1348	1212	New Order SSRNSSIQ102-2023.exe	cmd.exe
PID 1212 wrote to memory of 1348	1212	New Order SSRNSSIQ102-2023.exe	cmd.exe
PID 1212 wrote to memory of 1348	1212	New Order SSRNSSIQ102-2023.exe	cmd.exe
PID 1212 wrote to memory of 1348	1212	New Order SSRNSSIQ102-2023.exe	cmd.exe
PID 1928 wrote to memory of 1056	1928	cmd.exe	schtasks.exe
PID 1928 wrote to memory of 1056	1928	cmd.exe	schtasks.exe
PID 1928 wrote to memory of 1056	1928	cmd.exe	schtasks.exe
PID 1928 wrote to memory of 1056	1928	cmd.exe	schtasks.exe
PID 1348 wrote to memory of 1520	1348	cmd.exe	timeout.exe
PID 1348 wrote to memory of 1520	1348	cmd.exe	timeout.exe
PID 1348 wrote to memory of 1520	1348	cmd.exe	timeout.exe
PID 1348 wrote to memory of 1520	1348	cmd.exe	timeout.exe
PID 1348 wrote to memory of 888	1348	cmd.exe	logs.exe
PID 1348 wrote to memory of 888	1348	cmd.exe	logs.exe
PID 1348 wrote to memory of 888	1348	cmd.exe	logs.exe
PID 1348 wrote to memory of 888	1348	cmd.exe	logs.exe

C:\Users\Admin\AppData\Local\Temp\New Order SSRNSSIQ102-2023.exe
"C:\Users\Admin\AppData\Local\Temp\New Order SSRNSSIQ102-2023.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZSapQxocQt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2389.tmp"
2⤵
- Creates scheduled task(s)
PID:1876

C:\Users\Admin\AppData\Local\Temp\New Order SSRNSSIQ102-2023.exe
"{path}"
2⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\New Order SSRNSSIQ102-2023.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
4⤵
- Creates scheduled task(s)
PID:1056

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3EE5.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1520

C:\Users\Admin\AppData\Roaming\logs.exe
"C:\Users\Admin\AppData\Roaming\logs.exe"
4⤵
- Executes dropped EXE
PID:888

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2389.tmp
Filesize
1KB

MD5
59e29e79d0718caaf520e14d975270cd

SHA1
536db2f37704b4a0c1a6117ea3c2e24580d052f3

SHA256
68e205eac49a2d3db9bad3c0d29cac2f6a53f04c6a32894399e399d474e6da79

SHA512
36da1d5deac8a3e28735d7ee8b140fe7034109bcdf1a692c7466ecb7038bd52573dda8d16f7cf4288ddf40e0499cf9edcce4c39e7d4cbad8626846fa53d74529

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3EE5.tmp.bat
Filesize
148B

MD5
470c0ce0447a784c087aed9dfa4a46dc

SHA1
cadbc932d470cefe432d6b9ceb2da82b28a00821

SHA256
e150728e8ae78fe0bb8c8cdb5add2681fdd51750f947ac442662dee4d012f219

SHA512
62ea311289125df82121b97b89b72518851ebe2c4c64120d587f5b637f832c81998d3a2704762c3a7ece2158acce0107435b3af095311606d5d5e14903963c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3EE5.tmp.bat
Filesize
148B

MD5
470c0ce0447a784c087aed9dfa4a46dc

SHA1
cadbc932d470cefe432d6b9ceb2da82b28a00821

SHA256
e150728e8ae78fe0bb8c8cdb5add2681fdd51750f947ac442662dee4d012f219

SHA512
62ea311289125df82121b97b89b72518851ebe2c4c64120d587f5b637f832c81998d3a2704762c3a7ece2158acce0107435b3af095311606d5d5e14903963c56

Download Submit
C:\Users\Admin\AppData\Roaming\logs.exe
Filesize
789KB

MD5
40e90e03d1c397d3fede4c0e9d3dd2e4

SHA1
2ca12b01d5a31dd2076a7a4c0ca70fb61451331c

SHA256
92b0cc6184468867764c824f3086da312866b47b42642fd32166bfb7c87bdf7e

SHA512
a4f9ffb09d118407d3d63a116f5edcdb2a2e21176eed80984a2b323f1360771b14c0816ac6c8a66650d584993f0206f7c9f82504a59fdf3e222d76e7a88c80f6

Download Submit
C:\Users\Admin\AppData\Roaming\logs.exe
Filesize
789KB

MD5
40e90e03d1c397d3fede4c0e9d3dd2e4

SHA1
2ca12b01d5a31dd2076a7a4c0ca70fb61451331c

SHA256
92b0cc6184468867764c824f3086da312866b47b42642fd32166bfb7c87bdf7e

SHA512
a4f9ffb09d118407d3d63a116f5edcdb2a2e21176eed80984a2b323f1360771b14c0816ac6c8a66650d584993f0206f7c9f82504a59fdf3e222d76e7a88c80f6

Download Submit
\Users\Admin\AppData\Roaming\logs.exe
Filesize
789KB

MD5
40e90e03d1c397d3fede4c0e9d3dd2e4

SHA1
2ca12b01d5a31dd2076a7a4c0ca70fb61451331c

SHA256
92b0cc6184468867764c824f3086da312866b47b42642fd32166bfb7c87bdf7e

SHA512
a4f9ffb09d118407d3d63a116f5edcdb2a2e21176eed80984a2b323f1360771b14c0816ac6c8a66650d584993f0206f7c9f82504a59fdf3e222d76e7a88c80f6

Download Submit
memory/888-86-0x00000000001B0000-0x000000000027C000-memory.dmp

Filesize
816KB

Download
memory/888-89-0x00000000003F0000-0x0000000000404000-memory.dmp

Filesize
80KB

Download
memory/888-88-0x0000000004560000-0x00000000045A0000-memory.dmp

Filesize
256KB

Download
memory/888-87-0x0000000004560000-0x00000000045A0000-memory.dmp

Filesize
256KB

Download
memory/1212-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1212-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1212-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1212-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1212-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1212-73-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download
memory/1212-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1212-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1212-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2016-57-0x0000000000480000-0x0000000000494000-memory.dmp

Filesize
80KB

Download
memory/2016-55-0x0000000004E80000-0x0000000004EC0000-memory.dmp

Filesize
256KB

Download
memory/2016-56-0x0000000004E80000-0x0000000004EC0000-memory.dmp

Filesize
256KB

Download
memory/2016-54-0x0000000000040000-0x000000000010C000-memory.dmp

Filesize
816KB

Download
memory/2016-58-0x0000000004830000-0x0000000004896000-memory.dmp

Filesize
408KB

Download
memory/2016-59-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads