asyncrat | 201d93bf0cba57d6bf22201311f082c11dde20bf1269d5275539df14fd502398

General

Target

d224b20b8c858da3bac1c5fb9cd1c33b.exe
Size

310KB
MD5

d224b20b8c858da3bac1c5fb9cd1c33b
SHA1

e1d256a961662b1b45c23a2bfc4e4edf2d30b177
SHA256

201d93bf0cba57d6bf22201311f082c11dde20bf1269d5275539df14fd502398
SHA512

e281343bc2e0d197c21bc442aefb27526515807e3279f8fd9636aea19b6fbc1dd5a5be3038615c513d60568e0ea821ea6c080efce43d059e30032a93cc1190ba
SSDEEP

6144:BbiQqdJ052x8C2adFIYI906jqGFPkoh7Y0gJamWKw7eMT129ZW5sNdaYmOdhzStP:BbiQz52aC1sP906mG53h7c/RQ1p5C4LP

Score

10^/10

asyncrat zgrat default rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:4217

146.70.161.85:4217

Mutex

dkhXL7HeeLRM

Attributes

delay
3
install
true
install_file
Colours.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2536-62-0x0000000001230000-0x00000000012CC000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2164-8-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2164-7-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2164-17-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2164-15-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2164-12-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2536-45-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2536-47-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2536-90-0x0000000000640000-0x0000000000680000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

Colours.exeColours.exe

pid process

2520 Colours.exe
2536 Colours.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2876 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2520	Colours.exe
2536	Colours.exe

pid	process
2876	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d224b20b8c858da3bac1c5fb9cd1c33b.exeColours.exe

description	pid	process	target process
PID 1920 set thread context of 2164	1920	d224b20b8c858da3bac1c5fb9cd1c33b.exe	d224b20b8c858da3bac1c5fb9cd1c33b.exe
PID 2520 set thread context of 2536	2520	Colours.exe	Colours.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2488 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2300 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d224b20b8c858da3bac1c5fb9cd1c33b.exe

pid process

2164 d224b20b8c858da3bac1c5fb9cd1c33b.exe
2164 d224b20b8c858da3bac1c5fb9cd1c33b.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d224b20b8c858da3bac1c5fb9cd1c33b.exeColours.exe

description pid process

Token: SeDebugPrivilege 2164 d224b20b8c858da3bac1c5fb9cd1c33b.exe
Token: SeDebugPrivilege 2536 Colours.exe

pid	process
2488	schtasks.exe

pid	process
2300	timeout.exe

pid	process
2164	d224b20b8c858da3bac1c5fb9cd1c33b.exe
2164	d224b20b8c858da3bac1c5fb9cd1c33b.exe

description	pid	process
Token: SeDebugPrivilege	2164	d224b20b8c858da3bac1c5fb9cd1c33b.exe
Token: SeDebugPrivilege	2536	Colours.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

d224b20b8c858da3bac1c5fb9cd1c33b.exed224b20b8c858da3bac1c5fb9cd1c33b.execmd.execmd.exeColours.exe

description	pid	process	target process
PID 1920 wrote to memory of 2164	1920	d224b20b8c858da3bac1c5fb9cd1c33b.exe	d224b20b8c858da3bac1c5fb9cd1c33b.exe
PID 1920 wrote to memory of 2164	1920	d224b20b8c858da3bac1c5fb9cd1c33b.exe	d224b20b8c858da3bac1c5fb9cd1c33b.exe
PID 1920 wrote to memory of 2164	1920	d224b20b8c858da3bac1c5fb9cd1c33b.exe	d224b20b8c858da3bac1c5fb9cd1c33b.exe
PID 1920 wrote to memory of 2164	1920	d224b20b8c858da3bac1c5fb9cd1c33b.exe	d224b20b8c858da3bac1c5fb9cd1c33b.exe
PID 1920 wrote to memory of 2164	1920	d224b20b8c858da3bac1c5fb9cd1c33b.exe	d224b20b8c858da3bac1c5fb9cd1c33b.exe
PID 1920 wrote to memory of 2164	1920	d224b20b8c858da3bac1c5fb9cd1c33b.exe	d224b20b8c858da3bac1c5fb9cd1c33b.exe
PID 1920 wrote to memory of 2164	1920	d224b20b8c858da3bac1c5fb9cd1c33b.exe	d224b20b8c858da3bac1c5fb9cd1c33b.exe
PID 1920 wrote to memory of 2164	1920	d224b20b8c858da3bac1c5fb9cd1c33b.exe	d224b20b8c858da3bac1c5fb9cd1c33b.exe
PID 1920 wrote to memory of 2164	1920	d224b20b8c858da3bac1c5fb9cd1c33b.exe	d224b20b8c858da3bac1c5fb9cd1c33b.exe
PID 2164 wrote to memory of 2676	2164	d224b20b8c858da3bac1c5fb9cd1c33b.exe	cmd.exe
PID 2164 wrote to memory of 2676	2164	d224b20b8c858da3bac1c5fb9cd1c33b.exe	cmd.exe
PID 2164 wrote to memory of 2676	2164	d224b20b8c858da3bac1c5fb9cd1c33b.exe	cmd.exe
PID 2164 wrote to memory of 2676	2164	d224b20b8c858da3bac1c5fb9cd1c33b.exe	cmd.exe
PID 2164 wrote to memory of 2876	2164	d224b20b8c858da3bac1c5fb9cd1c33b.exe	cmd.exe
PID 2164 wrote to memory of 2876	2164	d224b20b8c858da3bac1c5fb9cd1c33b.exe	cmd.exe
PID 2164 wrote to memory of 2876	2164	d224b20b8c858da3bac1c5fb9cd1c33b.exe	cmd.exe
PID 2164 wrote to memory of 2876	2164	d224b20b8c858da3bac1c5fb9cd1c33b.exe	cmd.exe
PID 2676 wrote to memory of 2488	2676	cmd.exe	schtasks.exe
PID 2676 wrote to memory of 2488	2676	cmd.exe	schtasks.exe
PID 2676 wrote to memory of 2488	2676	cmd.exe	schtasks.exe
PID 2676 wrote to memory of 2488	2676	cmd.exe	schtasks.exe
PID 2876 wrote to memory of 2300	2876	cmd.exe	timeout.exe
PID 2876 wrote to memory of 2300	2876	cmd.exe	timeout.exe
PID 2876 wrote to memory of 2300	2876	cmd.exe	timeout.exe
PID 2876 wrote to memory of 2300	2876	cmd.exe	timeout.exe
PID 2876 wrote to memory of 2520	2876	cmd.exe	Colours.exe
PID 2876 wrote to memory of 2520	2876	cmd.exe	Colours.exe
PID 2876 wrote to memory of 2520	2876	cmd.exe	Colours.exe
PID 2876 wrote to memory of 2520	2876	cmd.exe	Colours.exe
PID 2520 wrote to memory of 2536	2520	Colours.exe	Colours.exe
PID 2520 wrote to memory of 2536	2520	Colours.exe	Colours.exe
PID 2520 wrote to memory of 2536	2520	Colours.exe	Colours.exe
PID 2520 wrote to memory of 2536	2520	Colours.exe	Colours.exe
PID 2520 wrote to memory of 2536	2520	Colours.exe	Colours.exe
PID 2520 wrote to memory of 2536	2520	Colours.exe	Colours.exe
PID 2520 wrote to memory of 2536	2520	Colours.exe	Colours.exe
PID 2520 wrote to memory of 2536	2520	Colours.exe	Colours.exe
PID 2520 wrote to memory of 2536	2520	Colours.exe	Colours.exe

C:\Users\Admin\AppData\Local\Temp\d224b20b8c858da3bac1c5fb9cd1c33b.exe
"C:\Users\Admin\AppData\Local\Temp\d224b20b8c858da3bac1c5fb9cd1c33b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\d224b20b8c858da3bac1c5fb9cd1c33b.exe
"C:\Users\Admin\AppData\Local\Temp\d224b20b8c858da3bac1c5fb9cd1c33b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp19D7.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876

C:\Users\Admin\AppData\Roaming\Colours.exe
"C:\Users\Admin\AppData\Roaming\Colours.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Colours" /tr '"C:\Users\Admin\AppData\Roaming\Colours.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:2300

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Colours" /tr '"C:\Users\Admin\AppData\Roaming\Colours.exe"'
1⤵
- Creates scheduled task(s)
PID:2488

C:\Users\Admin\AppData\Roaming\Colours.exe
"C:\Users\Admin\AppData\Roaming\Colours.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar65AB.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp19D7.tmp.bat

Filesize
151B

MD5
f18bf23da94ec4311922e8c40d40fcd7

SHA1
4f3fb05a1265feb2a7413176f133e55517432c92

SHA256
6f00247406d126d789fff46bc1011dbb91af0f2ac99e7de8c4d715c766326d4f

SHA512
1c7b31718fd1823c9be0511b4ae12116a495a2c0628d460cfcac5b8eb112da2fe4a0a8778ae3824b0a83225b365f7eae9675538de13e5b289ec5ee8ee2d51471

Download Submit
C:\Users\Admin\AppData\Roaming\Colours.exe

Filesize
185KB

MD5
47daebec0adbddce3a4f50a11f3fe1a7

SHA1
da00b9f1d6929d95e9f0ff84abd4eda23690f610

SHA256
04021c1eda254045b28e30b303d0795ff6bcce428003441d7190f3a1dd6a68df

SHA512
5a381cdfb09d130bab78826e70941fe084985fb579dc4c31f6991f2e4aa456123d61afa7a0bce00295e1b77e96358932e9ed13bfdc68908d5bcb34ef41a0d175

Download Submit
C:\Users\Admin\AppData\Roaming\Colours.exe

Filesize
108KB

MD5
9765edc067be3de5f1a19ac83e3096da

SHA1
48041d7ddcb2e221409835f944a07b2f74905ab0

SHA256
0187eb554d779c59e19256867ed9190b61a36bf8f97ee73b49771aabdf4e78c2

SHA512
a5f02a774967b4fd46863f6c8a32d1aa73de45e00123a4eb7977ad11cefcfb4f1540175f13c8f4f645ea725a586966239f53fc827af067498d2896056597aa34

Download Submit
C:\Users\Admin\AppData\Roaming\Colours.exe

Filesize
77KB

MD5
210dcfa4bbb48f9486ffeb2d72116f86

SHA1
2cb5d071db225aca4946612581b0e53ba0414f2c

SHA256
2ddaec5e245068f0e9d752d15e4a5ba4f6b218130b006ab966683daeb29a57cb

SHA512
cc3ff2875e4d359a765bd98ba00c358563be49c95a0b1afb755ba6de27a1326953b33bf1d9f0ec8d25b9dcfe9753af547ed611923a9cce84f49f5a7571e5a750

Download Submit
\Users\Admin\AppData\Roaming\Colours.exe

Filesize
232KB

MD5
4044bcf2532dbef9e710164b7c57ae48

SHA1
863d52c0aa34ed9a0cef26f136dc096acc8a54ee

SHA256
a459ecdbf555eb13e43d166d3163e6fd7c997be2c87792faf9f0ae83af5b1c57

SHA512
690a2cc809dd0e93e211f1a870bd3139a39fa7fdbe555ed2549425c479932e9fbb0d47a2eea01f5a8a6948b749d1a00c63dffe55d7878699f1c91b7594408e31

Download Submit
memory/1920-3-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/1920-1-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/1920-2-0x0000000000680000-0x00000000006C0000-memory.dmp

Filesize
256KB

Download
memory/1920-14-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/1920-0-0x0000000001340000-0x0000000001394000-memory.dmp

Filesize
336KB

Download
memory/2164-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2164-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2164-19-0x0000000000DA0000-0x0000000000DE0000-memory.dmp

Filesize
256KB

Download
memory/2164-18-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2164-29-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2164-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2164-7-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2164-15-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2164-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2164-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2164-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2520-44-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2520-33-0x00000000013E0000-0x0000000001434000-memory.dmp

Filesize
336KB

Download
memory/2520-34-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2536-48-0x0000000074860000-0x0000000074F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2536-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2536-49-0x0000000000640000-0x0000000000680000-memory.dmp

Filesize
256KB

Download
memory/2536-62-0x0000000001230000-0x00000000012CC000-memory.dmp

Filesize
624KB

Download
memory/2536-47-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2536-45-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2536-88-0x00000000006D0000-0x00000000006DA000-memory.dmp

Filesize
40KB

Download
memory/2536-87-0x0000000000D20000-0x0000000000D60000-memory.dmp

Filesize
256KB

Download
memory/2536-89-0x0000000074860000-0x0000000074F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2536-90-0x0000000000640000-0x0000000000680000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads