asyncrat | c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80

Analysis

max time kernel
144s
max time network
151s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
26/08/2023, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe
Size

353KB
MD5

c7760450b006ef172e0638bde6125c17
SHA1

dc6b9de31d116ee71994b1bbe2a22be276cae720
SHA256

c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80
SHA512

65d6e71f26871d088bac66374fcd2fc977b032f7c8c2874e08cd80b8e2e5314cba0f06c9e1a0c624e150713f0f0c9e5e2b1eaec0f6c4ddd058379f0a50394023
SSDEEP

6144:xKhvSrEBZrGt9sPg5/LNRoNGS3ovnCbWsH2/of1uL8vwP26kiI:xKhvSrEBpUmGS3EnCbWsH2/of1uL8vcu

Score

10^/10

asyncrat eefaultp rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

EefaultP

wreightcethebui.sytes.net:1414

wreightcethebui.sytes.net:4884

palmgorohive.myddns.me:1414

palmgorohive.myddns.me:4884

Mutex

AsyncMutex_6WI8OkPmD

Attributes

delay
25
install
true
install_file
dsci.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/2452-6-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2452-8-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2452-10-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1732-34-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1732-36-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

pid	Process
1492	dsci.exe
1732	dsci.exe

Loads dropped DLL 1 IoCs

pid	Process
2460	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3036 set thread context of 2452	3036	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe	28
PID 1492 set thread context of 1732	1492	dsci.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2608	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
324	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2452	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe
2452	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe
2452	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe
Token: SeDebugPrivilege	2452	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe
Token: SeDebugPrivilege	1492	dsci.exe
Token: SeDebugPrivilege	1732	dsci.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2452	3036	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe	28
PID 3036 wrote to memory of 2452	3036	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe	28
PID 3036 wrote to memory of 2452	3036	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe	28
PID 3036 wrote to memory of 2452	3036	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe	28
PID 3036 wrote to memory of 2452	3036	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe	28
PID 3036 wrote to memory of 2452	3036	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe	28
PID 3036 wrote to memory of 2452	3036	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe	28
PID 3036 wrote to memory of 2452	3036	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe	28
PID 3036 wrote to memory of 2452	3036	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe	28
PID 2452 wrote to memory of 2712	2452	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe	32
PID 2452 wrote to memory of 2712	2452	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe	32
PID 2452 wrote to memory of 2712	2452	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe	32
PID 2452 wrote to memory of 2712	2452	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe	32
PID 2452 wrote to memory of 2460	2452	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe	34
PID 2452 wrote to memory of 2460	2452	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe	34
PID 2452 wrote to memory of 2460	2452	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe	34
PID 2452 wrote to memory of 2460	2452	c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe	34
PID 2712 wrote to memory of 2608	2712	cmd.exe	36
PID 2712 wrote to memory of 2608	2712	cmd.exe	36
PID 2712 wrote to memory of 2608	2712	cmd.exe	36
PID 2712 wrote to memory of 2608	2712	cmd.exe	36
PID 2460 wrote to memory of 324	2460	cmd.exe	37
PID 2460 wrote to memory of 324	2460	cmd.exe	37
PID 2460 wrote to memory of 324	2460	cmd.exe	37
PID 2460 wrote to memory of 324	2460	cmd.exe	37
PID 2460 wrote to memory of 1492	2460	cmd.exe	38
PID 2460 wrote to memory of 1492	2460	cmd.exe	38
PID 2460 wrote to memory of 1492	2460	cmd.exe	38
PID 2460 wrote to memory of 1492	2460	cmd.exe	38
PID 1492 wrote to memory of 1732	1492	dsci.exe	39
PID 1492 wrote to memory of 1732	1492	dsci.exe	39
PID 1492 wrote to memory of 1732	1492	dsci.exe	39
PID 1492 wrote to memory of 1732	1492	dsci.exe	39
PID 1492 wrote to memory of 1732	1492	dsci.exe	39
PID 1492 wrote to memory of 1732	1492	dsci.exe	39
PID 1492 wrote to memory of 1732	1492	dsci.exe	39
PID 1492 wrote to memory of 1732	1492	dsci.exe	39
PID 1492 wrote to memory of 1732	1492	dsci.exe	39

C:\Users\Admin\AppData\Local\Temp\c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe
"C:\Users\Admin\AppData\Local\Temp\c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe
  C:\Users\Admin\AppData\Local\Temp\c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80_JC.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dsci" /tr '"C:\Users\Admin\AppData\Roaming\dsci.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "dsci" /tr '"C:\Users\Admin\AppData\Roaming\dsci.exe"'
      4⤵
      Creates scheduled task(s)
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF631.tmp.bat""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:324
  - - C:\Users\Admin\AppData\Roaming\dsci.exe
      "C:\Users\Admin\AppData\Roaming\dsci.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Users\Admin\AppData\Roaming\dsci.exe
        
        C:\Users\Admin\AppData\Roaming\dsci.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF631.tmp.bat

Filesize
148B

MD5
417b8d27e00d833e5964bd0116bd77e4

SHA1
02214d57259f9ef5e4935887aafcfaaaa277ed9a

SHA256
7e9e55bfd67e697e99089831df397cfd074c249e4101c2d2ac4b830795ad9843

SHA512
99f99215c3a5fb602213ece681917eb3e1024bba7e2459bd229bb786ba50e67225edecaf63820ee300761fba329f57696cb2a9a6c573f9119aba3c8f1f6eee80

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF631.tmp.bat

Filesize
148B

MD5
417b8d27e00d833e5964bd0116bd77e4

SHA1
02214d57259f9ef5e4935887aafcfaaaa277ed9a

SHA256
7e9e55bfd67e697e99089831df397cfd074c249e4101c2d2ac4b830795ad9843

SHA512
99f99215c3a5fb602213ece681917eb3e1024bba7e2459bd229bb786ba50e67225edecaf63820ee300761fba329f57696cb2a9a6c573f9119aba3c8f1f6eee80

Download Submit
C:\Users\Admin\AppData\Roaming\dsci.exe

Filesize
353KB

MD5
c7760450b006ef172e0638bde6125c17

SHA1
dc6b9de31d116ee71994b1bbe2a22be276cae720

SHA256
c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80

SHA512
65d6e71f26871d088bac66374fcd2fc977b032f7c8c2874e08cd80b8e2e5314cba0f06c9e1a0c624e150713f0f0c9e5e2b1eaec0f6c4ddd058379f0a50394023

Download Submit
C:\Users\Admin\AppData\Roaming\dsci.exe

Filesize
353KB

MD5
c7760450b006ef172e0638bde6125c17

SHA1
dc6b9de31d116ee71994b1bbe2a22be276cae720

SHA256
c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80

SHA512
65d6e71f26871d088bac66374fcd2fc977b032f7c8c2874e08cd80b8e2e5314cba0f06c9e1a0c624e150713f0f0c9e5e2b1eaec0f6c4ddd058379f0a50394023

Download Submit
C:\Users\Admin\AppData\Roaming\dsci.exe

Filesize
353KB

MD5
c7760450b006ef172e0638bde6125c17

SHA1
dc6b9de31d116ee71994b1bbe2a22be276cae720

SHA256
c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80

SHA512
65d6e71f26871d088bac66374fcd2fc977b032f7c8c2874e08cd80b8e2e5314cba0f06c9e1a0c624e150713f0f0c9e5e2b1eaec0f6c4ddd058379f0a50394023

Download Submit
\Users\Admin\AppData\Roaming\dsci.exe

Filesize
353KB

MD5
c7760450b006ef172e0638bde6125c17

SHA1
dc6b9de31d116ee71994b1bbe2a22be276cae720

SHA256
c89c718f867910692354a6559f2fc527f55f5dec0ab50b7b9001808288b70f80

SHA512
65d6e71f26871d088bac66374fcd2fc977b032f7c8c2874e08cd80b8e2e5314cba0f06c9e1a0c624e150713f0f0c9e5e2b1eaec0f6c4ddd058379f0a50394023

Download Submit
memory/1492-30-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/1492-28-0x0000000000E10000-0x0000000000E72000-memory.dmp

Filesize
392KB

Download
memory/1492-29-0x00000000734F0000-0x0000000073BDE000-memory.dmp

Filesize
6.9MB

Download
memory/1492-37-0x00000000734F0000-0x0000000073BDE000-memory.dmp

Filesize
6.9MB

Download
memory/1732-38-0x00000000734F0000-0x0000000073BDE000-memory.dmp

Filesize
6.9MB

Download
memory/1732-36-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1732-34-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1732-39-0x00000000734F0000-0x0000000073BDE000-memory.dmp

Filesize
6.9MB

Download
memory/1732-40-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/1732-41-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/2452-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2452-23-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2452-14-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/2452-13-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2452-12-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2452-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2452-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3036-0-0x0000000000A40000-0x0000000000AA2000-memory.dmp

Filesize
392KB

Download
memory/3036-11-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/3036-5-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/3036-4-0x0000000000670000-0x00000000006C2000-memory.dmp

Filesize
328KB

Download
memory/3036-3-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Filesize
256KB

Download
memory/3036-2-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/3036-1-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download