asyncrat | b729cb7c7d368f60162b4ad181b3e124e22c846923afc40fe021cf2e85d0a8dd

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win64.Malware-gen.6815.27736.exe
Size

21.0MB
MD5

61a9118bcc03f7f44a6737ac3460d5a3
SHA1

b8505dba60bbc9db5a2f186394ca7aa729b0a130
SHA256

b729cb7c7d368f60162b4ad181b3e124e22c846923afc40fe021cf2e85d0a8dd
SHA512

edfb14423ffbfd7bbbb1ac51095daba7d02ebcb9364396308ab9b006a872daa2962ba28d08c7985651174940c0336a1b7dcd8edf55b9ee039c88988c96a3656c
SSDEEP

196608:1r4hfG1SXQxqlxR5PxcGpH5vsVaN6sEzfntkE7UO8MWBT4Ti9:544MX1lf5+2H8aNmTntkE9xmv9

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6B

koradon.giize.com:6606

Mutex

vomsklihddikoeyxag

Attributes

delay
5
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Executes dropped EXE 2 IoCs

pid	Process
2068	vmtoolsd.exe
2560	vmtoolsd.exe

Loads dropped DLL 14 IoCs

pid	Process
2068	vmtoolsd.exe
2068	vmtoolsd.exe
2068	vmtoolsd.exe
2068	vmtoolsd.exe
2068	vmtoolsd.exe
2068	vmtoolsd.exe
2068	vmtoolsd.exe
2560	vmtoolsd.exe
2560	vmtoolsd.exe
2560	vmtoolsd.exe
2560	vmtoolsd.exe
2560	vmtoolsd.exe
2560	vmtoolsd.exe
2560	vmtoolsd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
48	raw.githubusercontent.com
49	raw.githubusercontent.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2560 set thread context of 2060	2560	vmtoolsd.exe	101
PID 2060 set thread context of 1244	2060	cmd.exe	111

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\78E50262E8C47571FB82D5063A6C9BD91BB8A325	SecuriteInfo.com.Win64.Malware-gen.6815.27736.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\78E50262E8C47571FB82D5063A6C9BD91BB8A325\Blob = 03000000010000001400000078e50262e8c47571fb82d5063a6c9bd91bb8a325140000000100000014000000ef4c0092a6fb762e5e95e2c95f871b19d54de2d904000000010000001000000003f6e71fa4328959fc11dbda6e2594a00f0000000100000030000000effb32d2d626fdd3cedd8f30be7db5bedc8f636cb1eb2b41256bf77805094c42d35fa47f4ec6029a846c8ccb1c691438190000000100000010000000dfd7f624560e51db4e9ed98d584f0a405c0000000100000004000000000c0000180000000100000010000000ea6089055218053dd01e37e1d806eedf4b0000000100000044000000300037004300450046003200460036003500340045003300450044003600300035003000460046004300390042003600450042003800340034003200350030005f00000020000000010000004e0600003082064a30820432a003020102021100835b7615206d2d6e097e0b6e409fefc0300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3232313131363030303030305a170d3332313131353233353935395a3044310b300906035504061302555331123010060355040a1309496e7465726e6574323121301f06035504031318496e436f6d6d6f6e20525341205365727665722043412032308201a2300d06092a864886f70d01010105000382018f003082018a028201810089f05cc438bad03457af9755a0f42243fc3e18113adb6d7a52210631d6d4b7b7928886858ff899ff1885a29d2b5ae1f8042149de44af405f9a22112c3a7b9747a995892a54c79dc733902923314855b7781aa63ab60c1a3f3bbf5d123fe039b3fa1a0b5bf8bfcc3d7d897bd2f79a9f354f2a3fbff7fd449fdbf54d494366b8c2a5691830928bae7b4bac89d60aed5f16df37bead316f591d89b5628d4c89dc372583dc6855cbfec6d3d3f04c0bbb874aaa4724e41132dffb3ec55ad73c735d9ff927ef98a1ca155a8aa4d3ed80c92bc2ac1a3a038e0f8434d008a1553f94cc9e8c9a134f1a0fbf5dfd016af9972821834efe6ecd078e743df9a3f670d7a5780b8278b688f558b63b864561af3286f945898929fc1efddd5138f87649de241350ad47dc21f4c7577802b4ac179f57979abc611feb56bbd455c2c0de8111b4b36f0e31d55e3b096366f62b5234689aeb4d3b91b3ca7bde5712550a7dc26e7eda7382fee6fc0f360b34e0374e006ccd61d1b9b7aaf2c983e8b122c7d81f2a0cdcf10203010001a38201703082016c301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e04160414ef4c0092a6fb762e5e95e2c95f871b19d54de2d9300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b0601050507030230220603551d20041b3019300d060b2b06010401b231010202673008060667810c01020230500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307106082b0601050507010104653063303a06082b06010505073002862e687474703a2f2f6372742e7573657274727573742e636f6d2f55534552547275737452534141414143412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010026800d34e41eae22beaf3ea6e284f9c6b725b1f7db2fa875c26a82acc3b6ce5b82c6a906cc11632a639972de975d50d94eb0af24a57652230510d9f0087c34eb3ce40e8c28940b694f6a1f34721bac365104f3470c76b1e637d0c92cdd97487bdae3b39ac46258883a1f43c32f305132715f39987ff0351a4a78249a74c48842551d60092397e495bad7ce64c22776e366ec2e6d2f09004003fad0831bcba48b59842f544bfaf7de582d5ff7181730788c639df97b36b04014946caef20acba2162192058dea1ab2a0574ea66ae5f32bbb092195ee099541ff6f8b05410c82a6fb6ccb0e8fe7851924f3103405bd41a8fcf26cf112495878cb9ad9e5bcc1e0ba3660dd3ad4757df870e79c80c17df34889c00276fe091b219fa5b4bac6c8b7502375e72a5a1b8dcf26a4345270500ee47ad22a3502979236462191a1d0f5393fd02e00f84337316fca16e539dde1cb5655fdb2cd621b60097d592d699da5fd26d8ee9cbc25460c90bfe3a990518cd903eacaec9a927abad50c98096dee6d7e7135fcebf54405ce43a7d55fb83ea135b34a0d283b631c8455a06a044b4de5da698f8c52882aece8bc4b1e7368deb1bc54945f35541d8056cc6fb74e201a24925cdf994ebd952d24832cf6999309996d86fe184475d74958787715c2e2d8c69e622395445acb1ed26f5c475fd9a11a6742ce6f65e8df33ba049be35e576fdb0a0d	SecuriteInfo.com.Win64.Malware-gen.6815.27736.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
396	SecuriteInfo.com.Win64.Malware-gen.6815.27736.exe
396	SecuriteInfo.com.Win64.Malware-gen.6815.27736.exe
2068	vmtoolsd.exe
2560	vmtoolsd.exe
2560	vmtoolsd.exe
2560	vmtoolsd.exe
2060	cmd.exe
2060	cmd.exe
2060	cmd.exe
2060	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2560	vmtoolsd.exe
2060	cmd.exe
2060	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1244	MSBuild.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 2068	396	SecuriteInfo.com.Win64.Malware-gen.6815.27736.exe	98
PID 396 wrote to memory of 2068	396	SecuriteInfo.com.Win64.Malware-gen.6815.27736.exe	98
PID 396 wrote to memory of 2068	396	SecuriteInfo.com.Win64.Malware-gen.6815.27736.exe	98
PID 2068 wrote to memory of 2560	2068	vmtoolsd.exe	100
PID 2068 wrote to memory of 2560	2068	vmtoolsd.exe	100
PID 2068 wrote to memory of 2560	2068	vmtoolsd.exe	100
PID 2560 wrote to memory of 2060	2560	vmtoolsd.exe	101
PID 2560 wrote to memory of 2060	2560	vmtoolsd.exe	101
PID 2560 wrote to memory of 2060	2560	vmtoolsd.exe	101
PID 2560 wrote to memory of 2060	2560	vmtoolsd.exe	101
PID 2060 wrote to memory of 1244	2060	cmd.exe	111
PID 2060 wrote to memory of 1244	2060	cmd.exe	111
PID 2060 wrote to memory of 1244	2060	cmd.exe	111
PID 2060 wrote to memory of 1244	2060	cmd.exe	111
PID 2060 wrote to memory of 1244	2060	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Malware-gen.6815.27736.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Malware-gen.6815.27736.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\vmtoolsd.exe
  C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\vmtoolsd.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Roaming\eoq_cli_dbg\vmtoolsd.exe
    "C:\Users\Admin\AppData\Roaming\eoq_cli_dbg\vmtoolsd.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\273d5c9c

Filesize
721KB

MD5
20617b0336b322f2682dc10035e5ddd5

SHA1
c58b3519953589c6bdbb3153e658b8af1dd6b499

SHA256
8c27dc052f43866a849ff34cfb59a791bd1212aaba09664915447c4a4a75a18a

SHA512
808cd62a292cb5438c3183e209d22a6818a67d44feb7c8026da669eef37eb5e421e4a98e754e1c52d60f379a044695be567bb59ef89de1ef64915ba0fe922974

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\cadmium.msg

Filesize
548KB

MD5
f704b059f4e8813ed16c0e7329d934b8

SHA1
70e3d68e61d9f964a377b8d18bc56b534efdd370

SHA256
cc509929db978495f737a46b34395e288fad07541d4f4fa2e2377a933785e449

SHA512
65d38a3721d18afafeee9b18cb2060cbccc15c81205d39238fba7e4c5af7f6e802d38a9bd10a3095d54b85d59ddd8c2829e72ada5bad0e570d6e93a7b5a1f80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\glib-2.0.dll

Filesize
1.0MB

MD5
2c86ec2ba23eb138528d70eef98e9aaf

SHA1
246846a3fe46df492f0887a31f7d52aae4faa71a

SHA256
030983470da06708cc55fd6aca92df199a051922b580db5db55c8cb6b203b51b

SHA512
396a3883fa65d7c3a0af7d607001a6099316a85563147cb34fa9806c9a4b39cfa90c7fa9eb4456399977eb47438d10896d25ed5327ae7aa3e3ae28cd1d13701c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\gmodule-2.0.dll

Filesize
24KB

MD5
b0a421b1534f3194132ec091780472d8

SHA1
699b1edc2cb19a48999a52a62a57ffc0f48f1a78

SHA256
2d6bc34b38bc0abf0c5e2f40e2513b4df47af57848534e011a76d4e974ad958b

SHA512
ba74654843c5b0f94dfefbed81cbee4c5f360193ef8ea92836c712fbeada39fa8179a51f0849f6c4be23add1ced08f5e25f873c4b0e7533ae647fa2b19b83f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\gobject-2.0.dll

Filesize
281KB

MD5
24a7a712160abc3f23f7410b18de85b8

SHA1
a01c3e116b6496c9feaa2951f6f6633bb403c3a1

SHA256
78dd76027e10c17824978db821777fcaa58d7cd5d5eb9d80d6ee817e26b18ab8

SHA512
d1f14a7bd44e1fc9bfc61f0b751ee6e0677322807ce5621206eeef898bab6c71ef1464962b20dc50f706084e53281a0d4b6d9142c6c1170a1e0a5fe4b12171df

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\gthread-2.0.dll

Filesize
31KB

MD5
78cf6611f6928a64b03a57fe218c3cd4

SHA1
c3f167e719aa944af2e80941ac629d39cec22308

SHA256
dbaad965702b89c371462e735dd925c694eda8d8557b280f7264bba992c0e698

SHA512
5caf019a6b75ba0330b8d0b60d362201d4863c0f3d70d2a9c84b6dbea2027d09bc8a6433820f28a41d126c7aaa13dbe126b38dc5c6d14a67ddef402fed9d9b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\iconv.dll

Filesize
1.1MB

MD5
862dfc9bf209a46d6f4874614a6631cc

SHA1
43216aae64df217cba009145b6f9ad5b97fe927a

SHA256
84538f1aacebf9daad9fdb856611ab3d98a6d71c9ec79a8250eee694d2652a8b

SHA512
b0611cd9ad441871cca62291913197257660390fa4ea8a26cb41dc343a8a27ae111762de40c6f50cae3e365d8891500fc6ad0571aa3cd3a77eb83d9d488d19a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\intl.dll

Filesize
87KB

MD5
d1a21e38593fddba8e51ed6bf7acf404

SHA1
759f16325f0920933ac977909b7fe261e0e129e6

SHA256
6a64c9cb0904ed48ce0d5cda137fcfd6dd463d84681436ca647b195aa2038a7e

SHA512
3f4390603cd68d949eb938c1599503fb1cbb1b8250638e0985fad2f40f08d5e45ea4a8c149e44a50c6aa9077054387c48f71b53bf06b713ca1e73a3d5a6a6c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\shape.avi

Filesize
67KB

MD5
aa9a5fdce615ee5c7fd29b450ef922f7

SHA1
80f26812dced0423cd0b701682771ac3e3a19c7f

SHA256
707749cf619052155af5187007296ec524c9bd93d7b037647066782d005d288c

SHA512
d8d4c1bf936d81fdf64380ffd84f8aa5189a99edbb4b37285050d178d42f2e001fe73368018504586532c95e2d9c09db23fe3ec9dd5ca5f42e2bcf5052bcb2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\vmtools.dll

Filesize
617KB

MD5
5c89275435ba4751a3b6a083e37abe68

SHA1
efceb0b032f52dc6198bf1fef1ed98e3b72f0823

SHA256
3b6b2b30827bb3f2fb39033f5f78ad7a8d89ebd06d17bef6f2e4e37069035ac1

SHA512
41b1bb08c7f6a241204426596ec821dde5592ab3b6a9c4450274d90fa42e307f91fbc8ab25ae7453f66edccf817e417574852eb2f54434388c5f3bf5e13f261d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\vmtoolsd.exe

Filesize
63KB

MD5
ae224c5e196ff381836c9e95deebb7d5

SHA1
910446a2a0f4e53307b6fdeb1a3e236c929e2ef4

SHA256
bf933ccf86c55fc328e343b55dbf2e8ebd528e8a0a54f8f659cd0d4b4f261f26

SHA512
f845dbb13b04f76b6823bec48e1c47f96bcbd6d02a834c8b128ac750fe338b53f775ee2a8784e8c443d49dfcb918c5b9d59b5492a1fe18743b8ba65b7d12514c

Download Submit
memory/396-44-0x00007FF9350C0000-0x00007FF935232000-memory.dmp

Filesize
1.4MB

Download
memory/396-95-0x00007FF9350C0000-0x00007FF935232000-memory.dmp

Filesize
1.4MB

Download
memory/396-33-0x00007FF9350C0000-0x00007FF935232000-memory.dmp

Filesize
1.4MB

Download
memory/396-22-0x00007FF9350C0000-0x00007FF935232000-memory.dmp

Filesize
1.4MB

Download
memory/396-20-0x00007FF9350C0000-0x00007FF935232000-memory.dmp

Filesize
1.4MB

Download
memory/396-19-0x0000000001AA0000-0x0000000001AA1000-memory.dmp

Filesize
4KB

Download
memory/396-0-0x0000000001AA0000-0x0000000001AA1000-memory.dmp

Filesize
4KB

Download
memory/396-16-0x0000000000400000-0x0000000001905000-memory.dmp

Filesize
21.0MB

Download
memory/1244-115-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/1244-107-0x0000000073450000-0x00000000746A4000-memory.dmp

Filesize
18.3MB

Download
memory/1244-114-0x00000000054F0000-0x000000000558C000-memory.dmp

Filesize
624KB

Download
memory/1244-116-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/1244-113-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1244-112-0x0000000072CA0000-0x0000000073450000-memory.dmp

Filesize
7.7MB

Download
memory/1244-117-0x0000000072CA0000-0x0000000073450000-memory.dmp

Filesize
7.7MB

Download
memory/1244-111-0x0000000000740000-0x0000000000752000-memory.dmp

Filesize
72KB

Download
memory/1244-118-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2060-104-0x0000000074F90000-0x000000007510B000-memory.dmp

Filesize
1.5MB

Download
memory/2060-108-0x0000000074F90000-0x000000007510B000-memory.dmp

Filesize
1.5MB

Download
memory/2060-105-0x0000000074F90000-0x000000007510B000-memory.dmp

Filesize
1.5MB

Download
memory/2060-101-0x00007FF952ED0000-0x00007FF9530C5000-memory.dmp

Filesize
2.0MB

Download
memory/2060-99-0x0000000074F90000-0x000000007510B000-memory.dmp

Filesize
1.5MB

Download
memory/2068-62-0x00007FF952ED0000-0x00007FF9530C5000-memory.dmp

Filesize
2.0MB

Download
memory/2068-61-0x0000000074F90000-0x000000007510B000-memory.dmp

Filesize
1.5MB

Download
memory/2560-97-0x0000000074F90000-0x000000007510B000-memory.dmp

Filesize
1.5MB

Download
memory/2560-94-0x0000000074F90000-0x000000007510B000-memory.dmp

Filesize
1.5MB

Download
memory/2560-93-0x00007FF952ED0000-0x00007FF9530C5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-92-0x0000000074F90000-0x000000007510B000-memory.dmp

Filesize
1.5MB

Download