asyncrat | 11004be319514e886ed27a41905e3ef648c307c09219c77917986cf5b5a7665b

Analysis

max time kernel
1s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 10:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4b33702216949b8afe8794ecfc2cf504.exe
Size

4.2MB
MD5

4b33702216949b8afe8794ecfc2cf504
SHA1

76e060bc70507789bb7dd9e3f68ee9f6a8e6718c
SHA256

11004be319514e886ed27a41905e3ef648c307c09219c77917986cf5b5a7665b
SHA512

7cc2ac87c0e5fc0eccfe06ed302da4c42cdbd392f3f2ed8ab53137a82745632906e5adb3fd6fbee4389b6df1bfb9a4b0850e6722331e800bd14df925b9cca5d9
SSDEEP

98304:X14Wq9ua3mHJJPF9d2SxuvtjWQXoB7RDcQ22ZRsFJITw8n7g:l4Wq9uAmfwSxuFjJ4txdRsFOy

Score

10^/10

asyncrat evasion rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 8 IoCs

rat

resource	yara_rule
behavioral2/memory/3952-4-0x0000000005AF0000-0x0000000005F30000-memory.dmp	asyncrat
behavioral2/memory/1944-28-0x0000000000360000-0x00000000003F2000-memory.dmp	asyncrat
behavioral2/files/0x0008000000023224-26.dat	asyncrat
behavioral2/files/0x0008000000023224-25.dat	asyncrat
behavioral2/files/0x0008000000023224-20.dat	asyncrat
behavioral2/files/0x000600000002323f-103.dat	asyncrat
behavioral2/files/0x000600000002323f-104.dat	asyncrat
behavioral2/memory/2468-106-0x0000000005A10000-0x0000000005A20000-memory.dmp	asyncrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2392	netsh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
856	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4820	timeout.exe

C:\Users\Admin\AppData\Local\Temp\4b33702216949b8afe8794ecfc2cf504.exe
"C:\Users\Admin\AppData\Local\Temp\4b33702216949b8afe8794ecfc2cf504.exe"
1⤵
PID:3952
- C:\Users\Admin\AppData\LocalRtQvDmqDGH.exe
  "C:\Users\Admin\AppData\LocalRtQvDmqDGH.exe"
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp614A.tmp.bat""
    3⤵
    PID:4364
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4820
  - - C:\Users\Admin\AppData\Roaming\Windows DeepSea.exe
      "C:\Users\Admin\AppData\Roaming\Windows DeepSea.exe"
      4⤵
      PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows DeepSea" /tr '"C:\Users\Admin\AppData\Roaming\Windows DeepSea.exe"' & exit
    3⤵
    PID:4204
- C:\Users\Admin\AppData\LocalcvWDakIwue.exe
  "C:\Users\Admin\AppData\LocalcvWDakIwue.exe"
  2⤵
  PID:3160
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
    3⤵
    PID:4292

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c 0x3dc
1⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
1⤵
PID:876
- C:\Users\Admin\AppData\Roaming\WindowsApplication.exe
  "C:\Users\Admin\AppData\Roaming\WindowsApplication.exe"
  2⤵
  PID:4180
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsApplication.exe" "WindowsApplication.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2392

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Windows DeepSea" /tr '"C:\Users\Admin\AppData\Roaming\Windows DeepSea.exe"'
1⤵
- Creates scheduled task(s)
PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalRtQvDmqDGH.exe

Filesize
2KB

MD5
4d9545766b42211458eabb81183111e3

SHA1
a5cef2384edafbc582df4d37656b09674e6dccc9

SHA256
c19f30fa9e0bb3e51f1bb036c19288067a6eabed7f72c72fc86f090c8c40b942

SHA512
b9e7732a14f8bb6a5796c83af1cd7869dc27b45b69212cbe071f8d61e8b29348c89ea751d05b7f6e6c6e6176969c3dc2de3e898f8174af777e3e73a70c96c81e

Download Submit
C:\Users\Admin\AppData\LocalRtQvDmqDGH.exe

Filesize
58KB

MD5
9a88421cef050646605428146f09ac92

SHA1
208869eebc3abd8f592f06129209b86590b71fdf

SHA256
f5fb3b5c5db0999877b956b42644678f72d1a1a9b1e27128e6842de07765d85f

SHA512
83112f17788b22053462f7d5c426c85236d1b1996ef0e856f863cfb364aa02d62033c78399f0fa8865c892486c4a1c691babd704b9199cc6fa72217614d8eaed

Download Submit
C:\Users\Admin\AppData\LocalRtQvDmqDGH.exe

Filesize
29KB

MD5
472e97cd7cf87df427309b2c0097b3a2

SHA1
e2c9684beb81e2f75b04096dc5e0823473f9cd58

SHA256
6a6387c9f02faeafc82177d4018f56ce176854c6fc07424dc30e64c586a658e1

SHA512
3fc9bc1d391c36d1d3749bf48c0aa5a76e2135a74347d95a1a8af2fd9adcf297e073d8280da15600d2d090e79c6b6e5f12fb32595c8fc358bd37da333b2a7806

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png

Filesize
1KB

MD5
1b33ac02995fefc5544edbb7a9ddc076

SHA1
c41787a65d8d2f68af28b0597a8ff54e073badae

SHA256
453c3e0b7caad342e56f864750d4b9609912f780bbc9e6d694916c1b1a65b2a9

SHA512
63e3b63c148c80407cc00b6c658c3ac47895ddfef04793640da5679a9b17710a7e4f93edc3d1824e5f71d8cdbd56b6c087f719fbfa7ace9a0d4f1d04dd72a7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd

Filesize
13KB

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

Filesize
29KB

MD5
e1d172ada0096b936fc1b231ea23d788

SHA1
fed9ef5cdf0f6bde3aee226bc29919461cbc85f1

SHA256
8608b3b71c3d700f6b176386c57a67b9a208eddd072d1b90dba03d0c43d26960

SHA512
df3d51e510cf81f95f169193da9d129efeedc8e74d66f5d7e5af161020e55584ef4c97583807f463e47de1a977a53418846a6458990b17600168157342532134

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

Filesize
28KB

MD5
78fddbf5c50b133028dbd86daead7d0f

SHA1
aafa1f946115fac7d2d2205776d06d03148cbec8

SHA256
bd6ecd7298002d64cf1c367dbec511958bcc7f7e55494f6974e1ff444299be02

SHA512
0b7e6f0a1e1d6c3f87bc3acdbeed9c3d3c8508e65ec7955f30f00a8bad87c81c19040da229c8c640ca9f8f086361b4a0773f2a57814ed474968647aa42a0a476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat

Filesize
1KB

MD5
a34ec1aae7b7b4abe411db3e7da305c9

SHA1
c384812885777c162df0ba673d88e4e7607a7bed

SHA256
8e6216b11a72bc3e80ac239d43c93b50ed21d5540fa314cefffb86e789dcebac

SHA512
5e483cf2a7800a9e17417b71fc52d5d6d39c2206bc7bfe55eb2f825961fa228a2f6d79dd781a5b26c18949eb337e6d7ac14c4d8a44c5271a62ab5dcbe40f390e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

Filesize
11KB

MD5
471ea64c6107039d46bcb672fefc8121

SHA1
8b8abf5d78a5ab69c6931192fe542f07d666dd70

SHA256
c127b6f0d553e8ed7e168c391d35151b79d9dd9340263116d272b29648a06676

SHA512
59ef83f62ad1a54d485192c6f173609a16d7420960f5b9f87c5e3dd148038571cffce46fbf43c8493e80d030ec9e646d3ca93d14e40b207671b05d3c96bb52ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

Filesize
20KB

MD5
44034dae6fe864f787799935b6ed7741

SHA1
6545669ff500e5ee527ea43197ef8ce66c0e2705

SHA256
6f715f613cd05325876974c2f1e6cae71c25d251ee304fbd1f1edfa690fd640b

SHA512
9c6de60f0b6876aaac4cde660a321e3f2f8c3e66f0632ed8392c11b19ab4b9c7a3188fcc1041cf4646ce172d0be2e4a2e4ff60d48ff995561922600479c2bc68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

Filesize
24KB

MD5
db63472898000ce5313e5011fe892560

SHA1
30524736d2cb0acc38a6365f4d2bc871599c2d9b

SHA256
773bbe27095870b6bc83be96d96198e2edf8ebd3d7c132dfe6275a603e1872f3

SHA512
f56d15589234ef3310270fcb63a2aa91075f34142e70831b954653a8ae757aeeb2bfcb4460ed6298990d27f4091f52d33fc46ff692dfa787e4e167bf5229737a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings

Filesize
5B

MD5
68934a3e9455fa72420237eb05902327

SHA1
7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

SHA256
fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

SHA512
719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

Filesize
46KB

MD5
ac1ac0c1f6cfe4a4d882436655c639c5

SHA1
cf253fff042b09292e34baf419dac63c162fceb4

SHA256
31e8afa2af828eb689ce3ebe0797d8bc7eaf7d5230fc80063c3019525b8fd1f5

SHA512
ac707d1691dac4618fd7a58cd5bf5bda25e155084bf3f1d0bc715225f026c0cba9a1029291fdf87391eba6cf2a4212924c3b134817806e6a6bfb8b0ac55d9ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

Filesize
34KB

MD5
ac3a989d87ea82a770d65a0f538e234b

SHA1
ce8a0b4ef9b7475ca4b1c1e7dc98f5ef16770bc4

SHA256
fc691a7666b86c5be2fbcdcb1a88a4081a6a5bf08dfe6042a4b03ded69d5b008

SHA512
1c291dccf653fcd167fbc5a74554db9c66a7eccd0c037571f1284388036e6778cac9e5b728ec7ecccd218957518e40e37124d26a923709ab589811cd50c3a9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp614A.tmp.bat

Filesize
159B

MD5
6563092f768e77583753308ae9744200

SHA1
47bb7d2a3e0f32f4d48ce7d625957eed42f96764

SHA256
0fb797b1b9bf23ace0089667bfdf3c8d5b1cef573e74470a0bb3af1ed8542a38

SHA512
d4565cf5efe7335191eb082b2c794d37ac1438f00f634a0419b66cc8fbec5a18cfee793a1b8fd50c7aadec4c0e342bb32ab5f60c052e38aa8d1da8b224c15e94

Download Submit
C:\Users\Admin\AppData\LocalcvWDakIwue.exe

Filesize
9KB

MD5
18f72b9246ae0a97637c16a792b6299c

SHA1
a899a2328837a932c51b01cb3781d9439848918e

SHA256
1d133a2a9fccb7e5802ec5d64af25cbe7366df96e50af4c72f5dbab90a813cfe

SHA512
7c5f562f03d8a21dd0425828d306b795a762673147e49fe73396a0f17401bbf9d8070e30443c54469941d2b235cd674fdeee23a8dc10fd64991ef5bcde4d26cb

Download Submit
C:\Users\Admin\AppData\LocalcvWDakIwue.exe

Filesize
25KB

MD5
fb3642df773149b209b7ff5fff9d2708

SHA1
fa2cb365260f725f8e53bcb43ab597ca0872581f

SHA256
14c56f7fd4ff50033ede5948e57ec31af061f04121ac37724e5b1a6fd1320a15

SHA512
c0ff371906112aea16206a92a210a414f8aa9adebe9d6c5bd3ab43414cc603b8155c499dae7124f62e4c23207bab55b2bba1464cfcd08e1a6f3ece3526214930

Download Submit
C:\Users\Admin\AppData\LocalcvWDakIwue.exe

Filesize
33KB

MD5
2edcfbeea37e7002c13ef8c626bccf00

SHA1
3729ddc09722ef746605a13ded1704d06681835e

SHA256
495f79fb8ec6bb9c0c13809f5104e263d427c2a14c5eb3f8391f35784ed4375f

SHA512
7d6b3df867116893a6cb3d79c859e97305a9df4fd7c7d7516f4afb1e5b64d25ed7d98f588d6ace5eebe0d4f469892f8bc57d38b22422845d55db8e0192748cf6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows DeepSea.exe

Filesize
19KB

MD5
a984ec46f8f70d570b43c0648fd26c07

SHA1
2a126dd01eed448f63d050884de4b97ec6427832

SHA256
e96af69f851bcbffeaf93afcdfa60fe6b3105b66d3d520e829b13cc3eea6d006

SHA512
1bcd63bcfc8457a253703dd2e7b9940a22dc363293e37e90e0816dc986862f72f00d7d95b3835f99105a320f5559ce6e4a21b723f41608ccd7651cf5d02ddca1

Download Submit
C:\Users\Admin\AppData\Roaming\Windows DeepSea.exe

Filesize
29KB

MD5
c315bf0a2d4486b880514568e2890185

SHA1
32af13fa713319374b6f1c1797bc96151c5bd96f

SHA256
7437525feccf47e9138822482e36850bcf12df094fef413b34e8891361ae62d5

SHA512
973ce1731f09d734c149bfdfc7d698591c3b142a240eb4a038df1a877bd8c836d545ab1ffab53570001932652813ad93c9c01a23da55f7281261e2196490cfde

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsApplication.exe

Filesize
33KB

MD5
3c1b89a237201e0e13e7d413eba4decd

SHA1
f685f3a030ea3aceec922035bda7612b320486d8

SHA256
6548e65f3b95210af9493720a3b771c548632cbbc1fa93a272a73ac1f7e4d12e

SHA512
41707c5e05241bb0ce41916a948d2bd5f1970fec333b6d0d9fa422baf67933cc1c87d04d57774a1fece683daff56117d7258d9b8babb00e6ce99fcd4384b6001

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsApplication.exe

Filesize
13KB

MD5
0891c66bdd4225c83636418771bdf1aa

SHA1
f5889695321d4b04e3637279877d8b59449a94bd

SHA256
02c612bc189253fc1c266ea7b958e8c36382860640e5b877a1e04692115d055a

SHA512
858ca6a54ba1440c6abdb8bb827671e06bcce17a16a74a65217606bee8920e944b2904806fd221bfa9a5aa577acaf5fa82b5d994614abe7ea6e5565de6f3cc4d

Download Submit
memory/876-76-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/876-77-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/876-99-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/876-75-0x00000000006A0000-0x000000000072A000-memory.dmp

Filesize
552KB

Download
memory/876-78-0x0000000005060000-0x00000000050D6000-memory.dmp

Filesize
472KB

Download
memory/876-79-0x0000000005870000-0x0000000005E14000-memory.dmp

Filesize
5.6MB

Download
memory/1944-41-0x0000000004BE0000-0x0000000004C46000-memory.dmp

Filesize
408KB

Download
memory/1944-54-0x0000000004D90000-0x0000000004E22000-memory.dmp

Filesize
584KB

Download
memory/1944-31-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/1944-80-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/1944-86-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/1944-28-0x0000000000360000-0x00000000003F2000-memory.dmp

Filesize
584KB

Download
memory/2468-120-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/2468-106-0x0000000005A10000-0x0000000005A20000-memory.dmp

Filesize
64KB

Download
memory/2468-105-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3952-2-0x00000000058E0000-0x000000000597C000-memory.dmp

Filesize
624KB

Download
memory/3952-4-0x0000000005AF0000-0x0000000005F30000-memory.dmp

Filesize
4.2MB

Download
memory/3952-3-0x0000000003460000-0x0000000003470000-memory.dmp

Filesize
64KB

Download
memory/3952-0-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3952-1-0x0000000000A80000-0x0000000000EC8000-memory.dmp

Filesize
4.3MB

Download
memory/3952-32-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/4180-100-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/4180-101-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/4180-107-0x0000000005270000-0x000000000527A000-memory.dmp

Filesize
40KB

Download
memory/4180-118-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/4180-119-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads