asyncrat | 832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21/02/2024, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

P.O.exe
Size

480KB
MD5

2eff738980e22cf3f48b9cf8b78663ac
SHA1

419d1ae415f048372bc9fbb99f7a050f0f7f88e5
SHA256

832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896
SHA512

7d4973802a0615d6f64a1941f38f6d12d01b49315b07ddbc157261b32572745ae4bc07a9ff3d780596ed1f6bc9c873ffef20e8842d572dadbaea5e6d68964e3f
SSDEEP

12288:j50R0MugiOXNbIxUTcKtt904GBfo3Jqlpjg:jyOMugiOCxUAitQu3Jqb

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6B

185.222.58.40:1978

Mutex

qmwtmuxejofbqhzba

Attributes

delay
5
install
true
install_file
windocv.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Executes dropped EXE 6 IoCs

pid	Process
1812	windocv.exe
488	windocv.exe
1292	windocv.exe
356	windocv.exe
1640	windocv.exe
1448	windocv.exe

Loads dropped DLL 2 IoCs

pid	Process
2044	cmd.exe
2044	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2480 set thread context of 2088	2480	P.O.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2840	schtasks.exe
2972	schtasks.exe
268	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2904	timeout.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2480	P.O.exe
2480	P.O.exe
2480	P.O.exe
2480	P.O.exe
2704	powershell.exe
2088	P.O.exe
2088	P.O.exe
1812	windocv.exe
1812	windocv.exe
1812	windocv.exe
1812	windocv.exe
1812	windocv.exe
1812	windocv.exe
1812	windocv.exe
1812	windocv.exe
1812	windocv.exe
1812	windocv.exe
1812	windocv.exe
2876	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	P.O.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2088	P.O.exe
Token: SeDebugPrivilege	1812	windocv.exe
Token: SeDebugPrivilege	2876	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2704	2480	P.O.exe	28
PID 2480 wrote to memory of 2704	2480	P.O.exe	28
PID 2480 wrote to memory of 2704	2480	P.O.exe	28
PID 2480 wrote to memory of 2704	2480	P.O.exe	28
PID 2480 wrote to memory of 2840	2480	P.O.exe	30
PID 2480 wrote to memory of 2840	2480	P.O.exe	30
PID 2480 wrote to memory of 2840	2480	P.O.exe	30
PID 2480 wrote to memory of 2840	2480	P.O.exe	30
PID 2480 wrote to memory of 2716	2480	P.O.exe	32
PID 2480 wrote to memory of 2716	2480	P.O.exe	32
PID 2480 wrote to memory of 2716	2480	P.O.exe	32
PID 2480 wrote to memory of 2716	2480	P.O.exe	32
PID 2480 wrote to memory of 2088	2480	P.O.exe	33
PID 2480 wrote to memory of 2088	2480	P.O.exe	33
PID 2480 wrote to memory of 2088	2480	P.O.exe	33
PID 2480 wrote to memory of 2088	2480	P.O.exe	33
PID 2480 wrote to memory of 2088	2480	P.O.exe	33
PID 2480 wrote to memory of 2088	2480	P.O.exe	33
PID 2480 wrote to memory of 2088	2480	P.O.exe	33
PID 2480 wrote to memory of 2088	2480	P.O.exe	33
PID 2480 wrote to memory of 2088	2480	P.O.exe	33
PID 2088 wrote to memory of 2972	2088	P.O.exe	34
PID 2088 wrote to memory of 2972	2088	P.O.exe	34
PID 2088 wrote to memory of 2972	2088	P.O.exe	34
PID 2088 wrote to memory of 2972	2088	P.O.exe	34
PID 2088 wrote to memory of 2044	2088	P.O.exe	36
PID 2088 wrote to memory of 2044	2088	P.O.exe	36
PID 2088 wrote to memory of 2044	2088	P.O.exe	36
PID 2088 wrote to memory of 2044	2088	P.O.exe	36
PID 2044 wrote to memory of 2904	2044	cmd.exe	38
PID 2044 wrote to memory of 2904	2044	cmd.exe	38
PID 2044 wrote to memory of 2904	2044	cmd.exe	38
PID 2044 wrote to memory of 2904	2044	cmd.exe	38
PID 2044 wrote to memory of 1812	2044	cmd.exe	39
PID 2044 wrote to memory of 1812	2044	cmd.exe	39
PID 2044 wrote to memory of 1812	2044	cmd.exe	39
PID 2044 wrote to memory of 1812	2044	cmd.exe	39
PID 1812 wrote to memory of 2876	1812	windocv.exe	40
PID 1812 wrote to memory of 2876	1812	windocv.exe	40
PID 1812 wrote to memory of 2876	1812	windocv.exe	40
PID 1812 wrote to memory of 2876	1812	windocv.exe	40
PID 1812 wrote to memory of 268	1812	windocv.exe	47
PID 1812 wrote to memory of 268	1812	windocv.exe	47
PID 1812 wrote to memory of 268	1812	windocv.exe	47
PID 1812 wrote to memory of 268	1812	windocv.exe	47
PID 1812 wrote to memory of 488	1812	windocv.exe	41
PID 1812 wrote to memory of 488	1812	windocv.exe	41
PID 1812 wrote to memory of 488	1812	windocv.exe	41
PID 1812 wrote to memory of 488	1812	windocv.exe	41
PID 1812 wrote to memory of 356	1812	windocv.exe	45
PID 1812 wrote to memory of 356	1812	windocv.exe	45
PID 1812 wrote to memory of 356	1812	windocv.exe	45
PID 1812 wrote to memory of 356	1812	windocv.exe	45
PID 1812 wrote to memory of 1292	1812	windocv.exe	44
PID 1812 wrote to memory of 1292	1812	windocv.exe	44
PID 1812 wrote to memory of 1292	1812	windocv.exe	44
PID 1812 wrote to memory of 1292	1812	windocv.exe	44
PID 1812 wrote to memory of 1640	1812	windocv.exe	43
PID 1812 wrote to memory of 1640	1812	windocv.exe	43
PID 1812 wrote to memory of 1640	1812	windocv.exe	43
PID 1812 wrote to memory of 1640	1812	windocv.exe	43
PID 1812 wrote to memory of 1448	1812	windocv.exe	42
PID 1812 wrote to memory of 1448	1812	windocv.exe	42
PID 1812 wrote to memory of 1448	1812	windocv.exe	42

C:\Users\Admin\AppData\Local\Temp\P.O.exe
"C:\Users\Admin\AppData\Local\Temp\P.O.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iYZWyW.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iYZWyW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp535E.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\P.O.exe
  "C:\Users\Admin\AppData\Local\Temp\P.O.exe"
  2⤵
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\P.O.exe
  "C:\Users\Admin\AppData\Local\Temp\P.O.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'windocv"' /tr "'C:\Users\Admin\AppData\Roaming\windocv.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9453.tmp.bat""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2904
  - - C:\Users\Admin\AppData\Roaming\windocv.exe
      "C:\Users\Admin\AppData\Roaming\windocv.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iYZWyW.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Users\Admin\AppData\Roaming\windocv.exe
        
        "C:\Users\Admin\AppData\Roaming\windocv.exe"
        5⤵
        Executes dropped EXE
        
        PID:488
    - - C:\Users\Admin\AppData\Roaming\windocv.exe
        
        "C:\Users\Admin\AppData\Roaming\windocv.exe"
        5⤵
        Executes dropped EXE
        
        PID:1448
    - - C:\Users\Admin\AppData\Roaming\windocv.exe
        
        "C:\Users\Admin\AppData\Roaming\windocv.exe"
        5⤵
        Executes dropped EXE
        
        PID:1640
    - - C:\Users\Admin\AppData\Roaming\windocv.exe
        
        "C:\Users\Admin\AppData\Roaming\windocv.exe"
        5⤵
        Executes dropped EXE
        
        PID:1292
    - - C:\Users\Admin\AppData\Roaming\windocv.exe
        
        "C:\Users\Admin\AppData\Roaming\windocv.exe"
        5⤵
        Executes dropped EXE
        
        PID:356
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iYZWyW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC6E7.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp535E.tmp

Filesize
1KB

MD5
65d40d2af016700f6366991cde91deb1

SHA1
fe28000593bf6cc2dbf2d79e6748e39b7c7efa3a

SHA256
ac1d683b9805045333996a096df0ff65ba30d7752db646769a2e88965d195aaa

SHA512
9443d2f930baa93834ab6c6240fa935aeec55546f61ccf7ec5eed2bc149b9eea8109f2b9a6d90281108bd92f73ea0aff97ac53c101688c2b3be2ba3cc1da5f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9453.tmp.bat

Filesize
151B

MD5
7a1ffcc1e5adbaa35cbf396867073755

SHA1
2b98d94dab6543067aeea1478ceedfcec4ce5bff

SHA256
0ce1311404329254fd9cf045d239ca38441b265ece9e07552ba58dd343e8fa3d

SHA512
341e5968aa8e3490ee9616a86e758c5ae7e2b9017cdea48c95b2b18f074e9f0e8acc98811c9de6c123c85e5fe98d209ca01a791fcb232f7645053656687fc185

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HH3MR5IEC2MA73DQBCRG.temp

Filesize
7KB

MD5
546bd8c8ca15a6b94e2e7c9f7fa5baa6

SHA1
c3662e0649eee7c42cf4bfcb603d19f1e4e998c0

SHA256
49c1686f3ffb17fe5600885acd642ab6fceddc6ab80d5dfce6a10dc67b33cafa

SHA512
81c2e12ace4a2440e80edba7998d7f034d55bc66cad26245140c8e6f392d48a72e98bba6218672fae6933647a15d9202559f222a3fa0f7ae616b9eaa74fab051

Download Submit
C:\Users\Admin\AppData\Roaming\windocv.exe

Filesize
5.2MB

MD5
aa57a3e84a2e4042fac1e8cd53848373

SHA1
19d2581cc74d8860f93036ff560a42a75a27a9a8

SHA256
e97a204036e6ef5d5349ba2324779c98a17239a1b08acb5dc23fdc2cc6a96c11

SHA512
836ea747426bb4ffb988bd213e04f3551a95b7fc8732bef8d1e2ebfd19ad967b066bfe3cd846609b3665b43d3ac27a650f6a40e76a9c3bc6b4d4e61740cef266

Download Submit
C:\Users\Admin\AppData\Roaming\windocv.exe

Filesize
6.2MB

MD5
d653d06bb56fd08bccfb825a8bafbb16

SHA1
aa0e42987a8e3b800742cb8308e14ddf8b77f787

SHA256
43c84564736915d92e7f6440e23a847f3f312bc324f9a1d78c0082d3ca953256

SHA512
06e2771298013e8f76faea0049c04c02dd2cf51dc4a5728ddac05890390b02fbbd6e173ea3f5f1c93c5cd04b8360808f6cd4f4fe8fc283216399acae3f1b1232

Download Submit
C:\Users\Admin\AppData\Roaming\windocv.exe

Filesize
814KB

MD5
12ddcdb9d008543a241b2f25d19f0f27

SHA1
dac794c0753783331faba71c43f90da03a0952f6

SHA256
6b648ba102a9a1cdf54d4951b41e67b60d81d476134fd1f0619d612028300e4f

SHA512
e3be5b4e45c53932d64ff81cb9817087cdd50b436323b627c648734f457fa03dbdbaf7dcf731addf0e2039f910b0a9ed989fa40fc63f3d54c2f4e9b5f1b7deec

Download Submit
C:\Users\Admin\AppData\Roaming\windocv.exe

Filesize
969KB

MD5
2aeb7d8559d4b435266391e70e89c498

SHA1
ce7f6c85454a8984ea7b4039c21ec17c8811271a

SHA256
2f3890df3627bc0f6e825895af0c5bfef8b7d193cbcf8c1a6dd3ff9999e1a468

SHA512
afa1998ee439c0797f25e46b07cbd7520daeade4afcffcf4ec54332663928306ea70de90b747d0daac96e75083d0441a6a37735b0548e50368053f8d22645a15

Download Submit
C:\Users\Admin\AppData\Roaming\windocv.exe

Filesize
1.0MB

MD5
def9968a5becbdc1482dac77e36fa232

SHA1
526b21837694601008a671476cd21bab103a2a93

SHA256
f5c65239ca4983a908bd988a7d096f4fc244a610449fd157ae7a4358273127b4

SHA512
cc32a376a6b41f87a1801428a27821044ad98dce3b072ad41c07fefcd2bcff5d232b7ecce5690f3b4ba8bec6dbea1f166253680ecc2dbef7d77f6d53b4a8ff02

Download Submit
C:\Users\Admin\AppData\Roaming\windocv.exe

Filesize
657KB

MD5
1e933011c4d610a4605e4b9d7dd2d937

SHA1
9c9e6621c1a2d734fe7fb959c8c4ff9c06837dbb

SHA256
60813fe4872c26e1bad16630497db2b8caee033a8c5547c42156d1ca89d18a35

SHA512
8d09376c1cc0ab8090c981209fc47139fe23a3f9fe4b1f47f9f7a445fa5cfd59597a19882194b1056a9bd1498b3e62e0d57d7683309fdbaf5002c27e36daa54d

Download Submit
C:\Users\Admin\AppData\Roaming\windocv.exe

Filesize
672KB

MD5
9f6afe97a9751894aff453fde0d97f39

SHA1
aec695d61497156f08e5d188a190a82a34ed48b8

SHA256
f0eca38da00ae76e768a613160d0d5efa9120ca056175793113e3c21edfb0f1a

SHA512
cf5c80b45a0c592872c62d106ffed861a5d66fb6a030cba801a2b3f0eb0dfdedaff201646dbd1c21c4b2b30f13bebd3bfe718d8c6a8b04ebee85110de4076c0a

Download Submit
\Users\Admin\AppData\Roaming\windocv.exe

Filesize
4.7MB

MD5
def722eede7da6c0cf117215adb2478b

SHA1
ea6fff1a32fbb1b5ab9bb6f9cefd698f7389c391

SHA256
0b7db4300d7f8a23995ea17c86424b01f83a5c4797d0634cb73d2a1464f43287

SHA512
f6814f5462e3d74e65c661664b9e0b823b7cd9e31b7d53dbb3f570ccfb6bcdfcc7692fcd8ff1bf0ef85715e8adbf06dc458dee9c270dec158a5cc07c9b75e64b

Download Submit
\Users\Admin\AppData\Roaming\windocv.exe

Filesize
5.2MB

MD5
f18e416bc2161c983aced5944d746932

SHA1
fb07a81a1933bc502f5aff2e2a3166e80cfe52f1

SHA256
b8ff5c8a323d0aaf892d0a643e79f11e05c8570951298d51cc70bb6a091231eb

SHA512
08bba88a0749b31a52c226c12f5db8d75aae1377c3ac1f947f5ab976a2415ab6788b130bc17ee8067bcefae91ae0ad9f05385a8ebbee66b58e8eb597e8e9eec6

Download Submit
memory/1812-67-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/1812-51-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/1812-52-0x00000000003F0000-0x000000000046E000-memory.dmp

Filesize
504KB

Download
memory/1812-53-0x0000000000A70000-0x0000000000AB0000-memory.dmp

Filesize
256KB

Download
memory/2088-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2088-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2088-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2088-35-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2088-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2088-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2088-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2088-29-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2088-46-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2088-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2480-1-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2480-5-0x00000000002F0000-0x0000000000302000-memory.dmp

Filesize
72KB

Download
memory/2480-2-0x0000000001050000-0x0000000001090000-memory.dmp

Filesize
256KB

Download
memory/2480-4-0x00000000002E0000-0x00000000002EE000-memory.dmp

Filesize
56KB

Download
memory/2480-0-0x0000000001130000-0x00000000011AE000-memory.dmp

Filesize
504KB

Download
memory/2480-6-0x0000000004ED0000-0x0000000004F24000-memory.dmp

Filesize
336KB

Download
memory/2480-3-0x0000000000280000-0x00000000002A0000-memory.dmp

Filesize
128KB

Download
memory/2480-26-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2704-33-0x0000000002970000-0x00000000029B0000-memory.dmp

Filesize
256KB

Download
memory/2704-34-0x000000006E7D0000-0x000000006ED7B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-32-0x0000000002970000-0x00000000029B0000-memory.dmp

Filesize
256KB

Download
memory/2704-31-0x0000000002970000-0x00000000029B0000-memory.dmp

Filesize
256KB

Download
memory/2704-36-0x000000006E7D0000-0x000000006ED7B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-30-0x000000006E7D0000-0x000000006ED7B000-memory.dmp

Filesize
5.7MB

Download
memory/2876-68-0x000000006F270000-0x000000006F81B000-memory.dmp

Filesize
5.7MB

Download
memory/2876-69-0x0000000002E40000-0x0000000002E80000-memory.dmp

Filesize
256KB

Download
memory/2876-71-0x0000000002E40000-0x0000000002E80000-memory.dmp

Filesize
256KB

Download
memory/2876-72-0x0000000002E40000-0x0000000002E80000-memory.dmp

Filesize
256KB

Download
memory/2876-70-0x000000006F270000-0x000000006F81B000-memory.dmp

Filesize
5.7MB

Download
memory/2876-73-0x000000006F270000-0x000000006F81B000-memory.dmp

Filesize
5.7MB

Download