asyncrat | bd887a31360a06cf6094b3b889bf7ec9d835c9642bff6a0ed98bb248f225bf24

Analysis

max time kernel
0s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f05e4420dfc79226b34b0f7e3d1a65f1.exe
Size

3.1MB
MD5

f05e4420dfc79226b34b0f7e3d1a65f1
SHA1

95c5fc288a628e2fba01879b0dbe0dbbd79ae74f
SHA256

bd887a31360a06cf6094b3b889bf7ec9d835c9642bff6a0ed98bb248f225bf24
SHA512

d427c45f260e9bd38fa5a843c4eeff5482c102ace9b3f083ce015e9ce303dd9c481b70a715764c3cec16c6dc0246ad66f251197945f52a13e4e5eab77542ce38
SSDEEP

98304:qw3BM5HPz7UtPTkJY58taa7RTBQl50HeaCdRd9zojPGuH:qw3EHPzOTkJYla7RTBQl509CdRd9zojH

Score

10^/10

asyncrat gcleaner onlylogger redline sectoprat socelars default liez upd infostealer loader rat stealer trojan

Malware Config

Extracted

Family

redline

Botnet

UPD

185.215.113.45:41009

Extracted

Family

gcleaner

g-prtnrs.top

g-prtrs.top

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

whiteshadows.ddns.net:9731

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
microsoft 2.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

Liez

liezaphare.xyz:80

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/memory/3160-137-0x0000000004A10000-0x0000000004A2E000-memory.dmp	family_redline
behavioral2/memory/3160-134-0x0000000002540000-0x0000000002560000-memory.dmp	family_redline
behavioral2/memory/4216-159-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/3160-137-0x0000000004A10000-0x0000000004A2E000-memory.dmp	family_sectoprat
behavioral2/memory/3160-134-0x0000000002540000-0x0000000002560000-memory.dmp	family_sectoprat
behavioral2/memory/4216-159-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023221-16.dat	family_socelars

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/3160-131-0x0000000000690000-0x0000000000790000-memory.dmp	asyncrat
behavioral2/memory/2156-92-0x00000000003B0000-0x00000000003C2000-memory.dmp	asyncrat

OnlyLogger payload 3 IoCs

resource	yara_rule
behavioral2/memory/1804-135-0x00000000004D0000-0x00000000004FE000-memory.dmp	family_onlylogger
behavioral2/memory/1804-130-0x0000000000400000-0x0000000000477000-memory.dmp	family_onlylogger
behavioral2/memory/1804-174-0x0000000000400000-0x0000000000477000-memory.dmp	family_onlylogger

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
4212	1804	WerFault.exe
4872	1804	WerFault.exe
5016	1804	WerFault.exe
2476	1804	WerFault.exe
4296	1804	WerFault.exe	36
4388	1804	WerFault.exe	36
5052	1804	WerFault.exe	36
512	1804	WerFault.exe	36
4904	1804	WerFault.exe	36
4600	1804	WerFault.exe	36

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2380	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2268	timeout.exe

C:\Users\Admin\AppData\Local\Temp\f05e4420dfc79226b34b0f7e3d1a65f1.exe
"C:\Users\Admin\AppData\Local\Temp\f05e4420dfc79226b34b0f7e3d1a65f1.exe"
1⤵
PID:2096
- C:\Users\Admin\AppData\Local\Temp\updatenew.exe
  "C:\Users\Admin\AppData\Local\Temp\updatenew.exe"
  2⤵
  PID:3160
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 1012
    3⤵
    - Program crash
    PID:4296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 1172
    3⤵
    - Program crash
    PID:4388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 1164
    3⤵
    - Program crash
    PID:5052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 1348
    3⤵
    - Program crash
    PID:512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 1472
    3⤵
    - Program crash
    PID:4904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 1036
    3⤵
    - Program crash
    PID:4600
- C:\Users\Admin\AppData\Local\Temp\NGlorySetp.exe
  "C:\Users\Admin\AppData\Local\Temp\NGlorySetp.exe"
  2⤵
  PID:3932
- C:\Users\Admin\AppData\Local\Temp\microsoft 2.exe
  "C:\Users\Admin\AppData\Local\Temp\microsoft 2.exe"
  2⤵
  PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5999.tmp.bat""
    3⤵
    PID:1648
  - - C:\Users\Admin\AppData\Roaming\microsoft 2.exe
      "C:\Users\Admin\AppData\Roaming\microsoft 2.exe"
      4⤵
      PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "microsoft 2" /tr '"C:\Users\Admin\AppData\Roaming\microsoft 2.exe"' & exit
    3⤵
    PID:432
- C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
  "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
  2⤵
  PID:3260
- C:\Users\Admin\AppData\Local\Temp\GLKbrow.exe
  "C:\Users\Admin\AppData\Local\Temp\GLKbrow.exe"
  2⤵
  PID:224
- C:\Users\Admin\AppData\Local\Temp\Chrome3 2.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome3 2.exe"
  2⤵
  PID:2464
- C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
  "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
  2⤵
  PID:232
- C:\Users\Admin\AppData\Local\Temp\askinstall54.exe
  "C:\Users\Admin\AppData\Local\Temp\askinstall54.exe"
  2⤵
  PID:1496
- C:\Users\Admin\AppData\Local\Temp\3002.exe
  "C:\Users\Admin\AppData\Local\Temp\3002.exe"
  2⤵
  PID:2796

C:\Users\Admin\AppData\Local\Temp\GLKbrow.exe
C:\Users\Admin\AppData\Local\Temp\GLKbrow.exe
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1804 -ip 1804
1⤵
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 792
1⤵
- Program crash
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1804 -ip 1804
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 800
1⤵
- Program crash
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1804 -ip 1804
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 876
1⤵
- Program crash
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1804 -ip 1804
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 964
1⤵
- Program crash
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1804 -ip 1804
1⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\GLKbrow.exe
C:\Users\Admin\AppData\Local\Temp\GLKbrow.exe
1⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\3002.exe
"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1804 -ip 1804
1⤵
PID:2296

C:\Windows\SysWOW64\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1804 -ip 1804
1⤵
PID:1008

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "microsoft 2" /tr '"C:\Users\Admin\AppData\Roaming\microsoft 2.exe"'
1⤵
- Creates scheduled task(s)
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1804 -ip 1804
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1804 -ip 1804
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1804 -ip 1804
1⤵
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/224-126-0x0000000006010000-0x00000000065B4000-memory.dmp

Filesize
5.6MB

Download
memory/224-163-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/224-93-0x0000000000FE0000-0x0000000001048000-memory.dmp

Filesize
416KB

Download
memory/224-100-0x0000000005860000-0x00000000058D6000-memory.dmp

Filesize
472KB

Download
memory/224-109-0x0000000005820000-0x000000000583E000-memory.dmp

Filesize
120KB

Download
memory/224-104-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/224-122-0x0000000005A50000-0x0000000005A60000-memory.dmp

Filesize
64KB

Download
memory/232-43-0x0000000000D30000-0x0000000000D38000-memory.dmp

Filesize
32KB

Download
memory/232-128-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/232-56-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/1204-170-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/1804-135-0x00000000004D0000-0x00000000004FE000-memory.dmp

Filesize
184KB

Download
memory/1804-174-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1804-129-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1804-130-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2096-1-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/2096-125-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/2096-0-0x0000000000670000-0x0000000000984000-memory.dmp

Filesize
3.1MB

Download
memory/2156-97-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/2156-146-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/2156-153-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/2156-148-0x0000000004C90000-0x0000000004D2C000-memory.dmp

Filesize
624KB

Download
memory/2156-92-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2464-55-0x0000000000150000-0x0000000000160000-memory.dmp

Filesize
64KB

Download
memory/2464-72-0x00007FFBCDC70000-0x00007FFBCE731000-memory.dmp

Filesize
10.8MB

Download
memory/2464-145-0x00007FFBCDC70000-0x00007FFBCE731000-memory.dmp

Filesize
10.8MB

Download
memory/3160-137-0x0000000004A10000-0x0000000004A2E000-memory.dmp

Filesize
120KB

Download
memory/3160-136-0x00000000005F0000-0x000000000061F000-memory.dmp

Filesize
188KB

Download
memory/3160-142-0x0000000004AF0000-0x0000000004B2C000-memory.dmp

Filesize
240KB

Download
memory/3160-138-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/3160-134-0x0000000002540000-0x0000000002560000-memory.dmp

Filesize
128KB

Download
memory/3160-133-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3160-143-0x0000000005770000-0x00000000057BC000-memory.dmp

Filesize
304KB

Download
memory/3160-178-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3160-144-0x00000000058C0000-0x00000000059CA000-memory.dmp

Filesize
1.0MB

Download
memory/3160-141-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

Filesize
72KB

Download
memory/3160-139-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3160-132-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3160-181-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3160-131-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/3160-140-0x0000000005150000-0x0000000005768000-memory.dmp

Filesize
6.1MB

Download
memory/3160-180-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/3932-158-0x00007FFBCDC70000-0x00007FFBCE731000-memory.dmp

Filesize
10.8MB

Download
memory/3932-124-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/3932-117-0x00007FFBCDC70000-0x00007FFBCE731000-memory.dmp

Filesize
10.8MB

Download
memory/3932-121-0x00000000029D0000-0x00000000029EE000-memory.dmp

Filesize
120KB

Download
memory/3932-106-0x0000000000A40000-0x0000000000A68000-memory.dmp

Filesize
160KB

Download
memory/4216-164-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4216-165-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/4216-159-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4216-183-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads