asyncrat | 5a843694b01a9bfa63eaeec145173e06f4bba9cf9809fe61d95e2c890d72b397

General

Target

AsyncClient.exe
Size

45KB
MD5

f7b527766d5f642498c45f5018d64b7d
SHA1

144e941ca47c451b5df08d5d8d4900527f1a9fee
SHA256

5a843694b01a9bfa63eaeec145173e06f4bba9cf9809fe61d95e2c890d72b397
SHA512

d9134fa2b5a714e789021047c8dd123855ee4e3fdda50b9e2be90cbf5aa1d064286a0de2e7936c0a57199f5cbaf5b5cb2efac7f0c1da3f7d017255cf38ab09d8
SSDEEP

768:9uwqNToEjaNLWU3+KZmo2q7cKjPGaG6PIyzjbFgX3iFdtwgD7PUocm1sBDZXx:9uwqNToqad2JKTkDy3bCXSJBxqdXx

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:3767

147.185.221.17:6606

147.185.221.17:7707

147.185.221.17:8808

147.185.221.17:3767

Mutex

gWbZsZK03zkW

Attributes

delay
3
install
true
install_file
explorer.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/2128-0-0x0000000000CF0000-0x0000000000D02000-memory.dmp	asyncrat
behavioral1/memory/2128-2-0x0000000000C40000-0x0000000000C80000-memory.dmp	asyncrat
behavioral1/files/0x000e00000001201d-13.dat	asyncrat
behavioral1/files/0x000e00000001201d-14.dat	asyncrat
behavioral1/files/0x000e00000001201d-15.dat	asyncrat
behavioral1/memory/2764-16-0x0000000000DB0000-0x0000000000DC2000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2764	explorer.exe

Loads dropped DLL 1 IoCs

pid	Process
2628	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2756	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2760	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2128	AsyncClient.exe
2128	AsyncClient.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	AsyncClient.exe
Token: SeDebugPrivilege	2764	explorer.exe
Token: SeDebugPrivilege	2764	explorer.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2752	2128	AsyncClient.exe	29
PID 2128 wrote to memory of 2752	2128	AsyncClient.exe	29
PID 2128 wrote to memory of 2752	2128	AsyncClient.exe	29
PID 2128 wrote to memory of 2752	2128	AsyncClient.exe	29
PID 2752 wrote to memory of 2756	2752	cmd.exe	31
PID 2752 wrote to memory of 2756	2752	cmd.exe	31
PID 2752 wrote to memory of 2756	2752	cmd.exe	31
PID 2752 wrote to memory of 2756	2752	cmd.exe	31
PID 2128 wrote to memory of 2628	2128	AsyncClient.exe	32
PID 2128 wrote to memory of 2628	2128	AsyncClient.exe	32
PID 2128 wrote to memory of 2628	2128	AsyncClient.exe	32
PID 2128 wrote to memory of 2628	2128	AsyncClient.exe	32
PID 2628 wrote to memory of 2760	2628	cmd.exe	34
PID 2628 wrote to memory of 2760	2628	cmd.exe	34
PID 2628 wrote to memory of 2760	2628	cmd.exe	34
PID 2628 wrote to memory of 2760	2628	cmd.exe	34
PID 2628 wrote to memory of 2764	2628	cmd.exe	35
PID 2628 wrote to memory of 2764	2628	cmd.exe	35
PID 2628 wrote to memory of 2764	2628	cmd.exe	35
PID 2628 wrote to memory of 2764	2628	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "explorer" /tr '"C:\Users\Admin\AppData\Roaming\explorer.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "explorer" /tr '"C:\Users\Admin\AppData\Roaming\explorer.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5BC6.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2760
- - C:\Users\Admin\AppData\Roaming\explorer.exe
    "C:\Users\Admin\AppData\Roaming\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5BC6.tmp.bat

Filesize
152B

MD5
2ba08e45d9ab28baee1b051f6cf930bc

SHA1
0bb6da124c20c07e27e13e97b8a3e552934590be

SHA256
d6ae143180bf8bcdbe5f99605920e9376e9174c3fc5c9fb929dfb3e8ec910723

SHA512
2f323644ba11cdb379b3ce9543f7e15fd80275d6a1d8c241f143d0d424e87b8f290652342b3028c32f47b4ca3525f3d44ca3348d506f82d6a59db165ec9de54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5BC6.tmp.bat

Filesize
152B

MD5
2ba08e45d9ab28baee1b051f6cf930bc

SHA1
0bb6da124c20c07e27e13e97b8a3e552934590be

SHA256
d6ae143180bf8bcdbe5f99605920e9376e9174c3fc5c9fb929dfb3e8ec910723

SHA512
2f323644ba11cdb379b3ce9543f7e15fd80275d6a1d8c241f143d0d424e87b8f290652342b3028c32f47b4ca3525f3d44ca3348d506f82d6a59db165ec9de54d

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
45KB

MD5
f7b527766d5f642498c45f5018d64b7d

SHA1
144e941ca47c451b5df08d5d8d4900527f1a9fee

SHA256
5a843694b01a9bfa63eaeec145173e06f4bba9cf9809fe61d95e2c890d72b397

SHA512
d9134fa2b5a714e789021047c8dd123855ee4e3fdda50b9e2be90cbf5aa1d064286a0de2e7936c0a57199f5cbaf5b5cb2efac7f0c1da3f7d017255cf38ab09d8

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
45KB

MD5
f7b527766d5f642498c45f5018d64b7d

SHA1
144e941ca47c451b5df08d5d8d4900527f1a9fee

SHA256
5a843694b01a9bfa63eaeec145173e06f4bba9cf9809fe61d95e2c890d72b397

SHA512
d9134fa2b5a714e789021047c8dd123855ee4e3fdda50b9e2be90cbf5aa1d064286a0de2e7936c0a57199f5cbaf5b5cb2efac7f0c1da3f7d017255cf38ab09d8

Download Submit
\Users\Admin\AppData\Roaming\explorer.exe

Filesize
45KB

MD5
f7b527766d5f642498c45f5018d64b7d

SHA1
144e941ca47c451b5df08d5d8d4900527f1a9fee

SHA256
5a843694b01a9bfa63eaeec145173e06f4bba9cf9809fe61d95e2c890d72b397

SHA512
d9134fa2b5a714e789021047c8dd123855ee4e3fdda50b9e2be90cbf5aa1d064286a0de2e7936c0a57199f5cbaf5b5cb2efac7f0c1da3f7d017255cf38ab09d8

Download Submit
memory/2128-12-0x00000000746B0000-0x0000000074D9E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-0-0x0000000000CF0000-0x0000000000D02000-memory.dmp

Filesize
72KB

Download
memory/2128-2-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download
memory/2128-1-0x00000000746B0000-0x0000000074D9E000-memory.dmp

Filesize
6.9MB

Download
memory/2764-17-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2764-16-0x0000000000DB0000-0x0000000000DC2000-memory.dmp

Filesize
72KB

Download
memory/2764-18-0x0000000004E40000-0x0000000004E80000-memory.dmp

Filesize
256KB

Download
memory/2764-19-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/2764-20-0x0000000004E40000-0x0000000004E80000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads