asyncrat | 993e909e5060d07e3c21ca483b8dc2648bf50052124d300534f3885378aa7544

Analysis

max time kernel
150s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
11/02/2024, 22:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RayzzCCGen.exe
Size

47KB
MD5

4e0b735658fa061371f03ac9d765acce
SHA1

298187f6e21045f4c2622b08f0b67ba2f554c163
SHA256

993e909e5060d07e3c21ca483b8dc2648bf50052124d300534f3885378aa7544
SHA512

7741da1d5e191a578bd4774255f112cb7bb52004f0ef0eeb66a12b6929add527dacb8c99efef71d834fbf3e6da4c11446a07b253f7d4ed8734ade415db34a137
SSDEEP

768:rM1TILIe8E+0YiyxDUiZc8YbNg6XaqN7AugGvEgK/J/ZVc6KN:rMrWRHzba+aqNMSnkJ/ZVclN

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

nabeellasdfasdf-52048.portmap.host:8080

nabeellasdfasdf-52048.portmap.host:52048

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
true
install_file
RAYZZCCGEN.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000300000002a788-10.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2572	RAYZZCCGEN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3988	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2104	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
1676	RayzzCCGen.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe
2572	RAYZZCCGEN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	RayzzCCGen.exe
Token: SeDebugPrivilege	2572	RAYZZCCGEN.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 4216	1676	RayzzCCGen.exe	77
PID 1676 wrote to memory of 4216	1676	RayzzCCGen.exe	77
PID 1676 wrote to memory of 3856	1676	RayzzCCGen.exe	79
PID 1676 wrote to memory of 3856	1676	RayzzCCGen.exe	79
PID 3856 wrote to memory of 2104	3856	cmd.exe	81
PID 3856 wrote to memory of 2104	3856	cmd.exe	81
PID 4216 wrote to memory of 3988	4216	cmd.exe	82
PID 4216 wrote to memory of 3988	4216	cmd.exe	82
PID 3856 wrote to memory of 2572	3856	cmd.exe	83
PID 3856 wrote to memory of 2572	3856	cmd.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RayzzCCGen.exe
"C:\Users\Admin\AppData\Local\Temp\RayzzCCGen.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RAYZZCCGEN" /tr '"C:\Users\Admin\AppData\Roaming\RAYZZCCGEN.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "RAYZZCCGEN" /tr '"C:\Users\Admin\AppData\Roaming\RAYZZCCGEN.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:3988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7D7D.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2104
- - C:\Users\Admin\AppData\Roaming\RAYZZCCGEN.exe
    "C:\Users\Admin\AppData\Roaming\RAYZZCCGEN.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RAYZZCCGEN.exe.log

Filesize
425B

MD5
de75c43a265d0848584ae05945570edf

SHA1
69f95177914f8d8b2f278a91f585a0024b8dffd3

SHA256
d9bdf6a2bfdd9b2b5c8593de17ade3d8d317dad331aa6ca0da7483dd06db1140

SHA512
365f29c693dd7aa2ade092d765a96f20bf1f7fa93bca7f3b25aeddf5700817b9fd388e8f7d9f1b781c8a876739b06ad16d61e7ed08a1c85ac4be4686a38c63bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D7D.tmp.bat

Filesize
154B

MD5
37920b99c49b5e4bed6e60fca1422cb0

SHA1
d5201647fb5090f8659d7897463c96a94538885a

SHA256
093712a7bfba4e5d596d31f06abf6ed01f39b9becb1251905880975c3f8e81ee

SHA512
cada763d20131dd914afcbc8aaa316b2dc5e00f4285d2e8f37db9ddcd6f761411bae34b19e08fe0f86512081955f79528ef9813e9ab96e55a6895fb5d8033709

Download Submit
C:\Users\Admin\AppData\Roaming\RAYZZCCGEN.exe

Filesize
47KB

MD5
4e0b735658fa061371f03ac9d765acce

SHA1
298187f6e21045f4c2622b08f0b67ba2f554c163

SHA256
993e909e5060d07e3c21ca483b8dc2648bf50052124d300534f3885378aa7544

SHA512
7741da1d5e191a578bd4774255f112cb7bb52004f0ef0eeb66a12b6929add527dacb8c99efef71d834fbf3e6da4c11446a07b253f7d4ed8734ade415db34a137

Download Submit
memory/1676-0-0x0000000000F90000-0x0000000000FA2000-memory.dmp

Filesize
72KB

Download
memory/1676-1-0x00007FFDF9C00000-0x00007FFDFA6C2000-memory.dmp

Filesize
10.8MB

Download
memory/1676-2-0x000000001BDB0000-0x000000001BDC0000-memory.dmp

Filesize
64KB

Download
memory/1676-7-0x00007FFDF9C00000-0x00007FFDFA6C2000-memory.dmp

Filesize
10.8MB

Download
memory/2572-13-0x00007FFDF9C00000-0x00007FFDFA6C2000-memory.dmp

Filesize
10.8MB

Download
memory/2572-14-0x0000000002D50000-0x0000000002D60000-memory.dmp

Filesize
64KB

Download
memory/2572-15-0x00007FFDF9C00000-0x00007FFDFA6C2000-memory.dmp

Filesize
10.8MB

Download
memory/2572-16-0x0000000002D50000-0x0000000002D60000-memory.dmp

Filesize
64KB

Download