asyncrat | 118088ebdecef31805885de379e8332d7551078d4f3c6c15db52a70b108cbd76

General

Target

SecuriteInfo.com.Trojan.Win32.Penguish.aqk.2138.32152.exe
Size

19.3MB
MD5

e29a0e59ee8a40469e3bedfe2612f567
SHA1

2254d7b5bf1524bb1a224875abba9110f7a815f2
SHA256

118088ebdecef31805885de379e8332d7551078d4f3c6c15db52a70b108cbd76
SHA512

9908d67e32bcbd3f2f29c60ca208bfcaf76252e2f63712d1c625e9a36ac378192977ba6f05cbbfb33baa4db7ae4c1686d36dcfa7363b1dbc571ca3ccbef066df
SSDEEP

196608:WwUNEud08Pz1fCmX14ZEErpm5IQPI9UPDlQ/jMiDNR1T7EPPe:Ww2L8+1OEnuyPZO7DREe

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6B

C2

koradon.giize.com:6606

Mutex

vomsklihddikoeyxag

Attributes

delay
5
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Executes dropped EXE 2 IoCs

Processes:

livecall.exelivecall.exe

pid process

3616 livecall.exe
5104 livecall.exe
Loads dropped DLL 2 IoCs

Processes:

livecall.exelivecall.exe

pid process

3616 livecall.exe
5104 livecall.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

53 raw.githubusercontent.com
54 raw.githubusercontent.com

pid	process
3616	livecall.exe
5104	livecall.exe

pid	process
3616	livecall.exe
5104	livecall.exe

flow	ioc
53	raw.githubusercontent.com
54	raw.githubusercontent.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

livecall.execmd.exe

description	pid	process	target process
PID 5104 set thread context of 3632	5104	livecall.exe	cmd.exe
PID 3632 set thread context of 4312	3632	cmd.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.Win32.Penguish.aqk.2138.32152.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\78E50262E8C47571FB82D5063A6C9BD91BB8A325\Blob = 03000000010000001400000078e50262e8c47571fb82d5063a6c9bd91bb8a325140000000100000014000000ef4c0092a6fb762e5e95e2c95f871b19d54de2d904000000010000001000000003f6e71fa4328959fc11dbda6e2594a00f0000000100000030000000effb32d2d626fdd3cedd8f30be7db5bedc8f636cb1eb2b41256bf77805094c42d35fa47f4ec6029a846c8ccb1c691438190000000100000010000000dfd7f624560e51db4e9ed98d584f0a405c0000000100000004000000000c0000180000000100000010000000ea6089055218053dd01e37e1d806eedf4b0000000100000044000000300037004300450046003200460036003500340045003300450044003600300035003000460046004300390042003600450042003800340034003200350030005f00000020000000010000004e0600003082064a30820432a003020102021100835b7615206d2d6e097e0b6e409fefc0300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3232313131363030303030305a170d3332313131353233353935395a3044310b300906035504061302555331123010060355040a1309496e7465726e6574323121301f06035504031318496e436f6d6d6f6e20525341205365727665722043412032308201a2300d06092a864886f70d01010105000382018f003082018a028201810089f05cc438bad03457af9755a0f42243fc3e18113adb6d7a52210631d6d4b7b7928886858ff899ff1885a29d2b5ae1f8042149de44af405f9a22112c3a7b9747a995892a54c79dc733902923314855b7781aa63ab60c1a3f3bbf5d123fe039b3fa1a0b5bf8bfcc3d7d897bd2f79a9f354f2a3fbff7fd449fdbf54d494366b8c2a5691830928bae7b4bac89d60aed5f16df37bead316f591d89b5628d4c89dc372583dc6855cbfec6d3d3f04c0bbb874aaa4724e41132dffb3ec55ad73c735d9ff927ef98a1ca155a8aa4d3ed80c92bc2ac1a3a038e0f8434d008a1553f94cc9e8c9a134f1a0fbf5dfd016af9972821834efe6ecd078e743df9a3f670d7a5780b8278b688f558b63b864561af3286f945898929fc1efddd5138f87649de241350ad47dc21f4c7577802b4ac179f57979abc611feb56bbd455c2c0de8111b4b36f0e31d55e3b096366f62b5234689aeb4d3b91b3ca7bde5712550a7dc26e7eda7382fee6fc0f360b34e0374e006ccd61d1b9b7aaf2c983e8b122c7d81f2a0cdcf10203010001a38201703082016c301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e04160414ef4c0092a6fb762e5e95e2c95f871b19d54de2d9300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b0601050507030230220603551d20041b3019300d060b2b06010401b231010202673008060667810c01020230500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307106082b0601050507010104653063303a06082b06010505073002862e687474703a2f2f6372742e7573657274727573742e636f6d2f55534552547275737452534141414143412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010026800d34e41eae22beaf3ea6e284f9c6b725b1f7db2fa875c26a82acc3b6ce5b82c6a906cc11632a639972de975d50d94eb0af24a57652230510d9f0087c34eb3ce40e8c28940b694f6a1f34721bac365104f3470c76b1e637d0c92cdd97487bdae3b39ac46258883a1f43c32f305132715f39987ff0351a4a78249a74c48842551d60092397e495bad7ce64c22776e366ec2e6d2f09004003fad0831bcba48b59842f544bfaf7de582d5ff7181730788c639df97b36b04014946caef20acba2162192058dea1ab2a0574ea66ae5f32bbb092195ee099541ff6f8b05410c82a6fb6ccb0e8fe7851924f3103405bd41a8fcf26cf112495878cb9ad9e5bcc1e0ba3660dd3ad4757df870e79c80c17df34889c00276fe091b219fa5b4bac6c8b7502375e72a5a1b8dcf26a4345270500ee47ad22a3502979236462191a1d0f5393fd02e00f84337316fca16e539dde1cb5655fdb2cd621b60097d592d699da5fd26d8ee9cbc25460c90bfe3a990518cd903eacaec9a927abad50c98096dee6d7e7135fcebf54405ce43a7d55fb83ea135b34a0d283b631c8455a06a044b4de5da698f8c52882aece8bc4b1e7368deb1bc54945f35541d8056cc6fb74e201a24925cdf994ebd952d24832cf6999309996d86fe184475d74958787715c2e2d8c69e622395445acb1ed26f5c475fd9a11a6742ce6f65e8df33ba049be35e576fdb0a0d	SecuriteInfo.com.Trojan.Win32.Penguish.aqk.2138.32152.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\78E50262E8C47571FB82D5063A6C9BD91BB8A325	SecuriteInfo.com.Trojan.Win32.Penguish.aqk.2138.32152.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

SecuriteInfo.com.Trojan.Win32.Penguish.aqk.2138.32152.exelivecall.exelivecall.execmd.exe

pid	process
3012	SecuriteInfo.com.Trojan.Win32.Penguish.aqk.2138.32152.exe
3012	SecuriteInfo.com.Trojan.Win32.Penguish.aqk.2138.32152.exe
3012	SecuriteInfo.com.Trojan.Win32.Penguish.aqk.2138.32152.exe
3616	livecall.exe
5104	livecall.exe
5104	livecall.exe
5104	livecall.exe
3632	cmd.exe
3632	cmd.exe
3632	cmd.exe
3632	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

livecall.execmd.exe

pid process

5104 livecall.exe
3632 cmd.exe
3632 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 4312 MSBuild.exe

pid	process
5104	livecall.exe
3632	cmd.exe
3632	cmd.exe

description	pid	process
Token: SeDebugPrivilege	4312	MSBuild.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

SecuriteInfo.com.Trojan.Win32.Penguish.aqk.2138.32152.exelivecall.exelivecall.execmd.exe

description	pid	process	target process
PID 3012 wrote to memory of 3616	3012	SecuriteInfo.com.Trojan.Win32.Penguish.aqk.2138.32152.exe	livecall.exe
PID 3012 wrote to memory of 3616	3012	SecuriteInfo.com.Trojan.Win32.Penguish.aqk.2138.32152.exe	livecall.exe
PID 3012 wrote to memory of 3616	3012	SecuriteInfo.com.Trojan.Win32.Penguish.aqk.2138.32152.exe	livecall.exe
PID 3616 wrote to memory of 5104	3616	livecall.exe	livecall.exe
PID 3616 wrote to memory of 5104	3616	livecall.exe	livecall.exe
PID 3616 wrote to memory of 5104	3616	livecall.exe	livecall.exe
PID 5104 wrote to memory of 3632	5104	livecall.exe	cmd.exe
PID 5104 wrote to memory of 3632	5104	livecall.exe	cmd.exe
PID 5104 wrote to memory of 3632	5104	livecall.exe	cmd.exe
PID 5104 wrote to memory of 3632	5104	livecall.exe	cmd.exe
PID 3632 wrote to memory of 4312	3632	cmd.exe	MSBuild.exe
PID 3632 wrote to memory of 4312	3632	cmd.exe	MSBuild.exe
PID 3632 wrote to memory of 4312	3632	cmd.exe	MSBuild.exe
PID 3632 wrote to memory of 4312	3632	cmd.exe	MSBuild.exe
PID 3632 wrote to memory of 4312	3632	cmd.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Penguish.aqk.2138.32152.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Penguish.aqk.2138.32152.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\Updatemonitor\livecall.exe
  C:\Users\Admin\AppData\Local\Temp\Updatemonitor\livecall.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Users\Admin\AppData\Roaming\Updatemonitor\livecall.exe
    "C:\Users\Admin\AppData\Roaming\Updatemonitor\livecall.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3632
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3c349b80

Filesize
721KB

MD5
61fe5df9ecb7dfbfc34f43ae3634bc4b

SHA1
922c499ac4aa2725132f64a9702dd42dc4e6a9b5

SHA256
23d8a945f326bad023e397d494d05278d31b696cfe20b617211e07fbadad0689

SHA512
465679c011fe493fbc8d8f90e0340a00e1cf22f9e5aa17e9383fb3cc2f909ac994231cb60c41fb2f1b89d499b7ebcd3de474e264896650e3c90f2ad197eeddeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updatemonitor\beau.gif

Filesize
548KB

MD5
24661f448bb28f80efa41b88274400d6

SHA1
bb6ee7625afaa9c7ece306d4f674f96ebd2d4342

SHA256
dec19caa7976a5affebe1af6c4075f2f59dd5f9828bf482f75306d28f1f1025a

SHA512
3848bd428c8849b91c7cb3108cd5a9d3c0676706fadeed6967491f65d85b83c8ccd932ff408b7ee2d5a4f9f1738fda2b3ba458a7a0f8b5395cd74f9b84633797

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updatemonitor\livecall.exe

Filesize
293KB

MD5
d9602ab0e6370519bd54d13d22dd6ef5

SHA1
95a3a7afdb00e1b2a99fddfe5d3203aa5cd4a09d

SHA256
63ec17feda1f0ea80e0dd7b7938fbf7354aedf8d9f4041543afca9a35337f7bf

SHA512
4587ca630bf5e421e48d5ac7f9ac6866000b06a99d89c1ca31c999414a63ba06a6be2e11467c045b0e2cddb21d792342e69977e6abda6e265b91044e2c8007cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updatemonitor\msidcrl40.dll

Filesize
529KB

MD5
17979de21257eaf1bbdcb2425a730f00

SHA1
f73c7ab297092f610bd146433908c0f3a6e8bbc2

SHA256
2ee849514b81ef98fd09ccc9a2e68e023badd18baee3779ce8241aa49d231456

SHA512
ab506bb4b3e3276304ea7c73076c8538fd67fe914085e2dfec66fb5ddb504f336d98a9995196877de4ff16a7db1db648646300f1e2a5675e3e10400117459ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updatemonitor\msidcrl40.dll

Filesize
391KB

MD5
d97c14c5e7d484d9a7ad147df94c139c

SHA1
d654b074050326d9134fa1612694506396bda079

SHA256
8cc4305fa4f24626f64e74c85e2bf42ddda0b2231f6f6f99f03d6001c8cc16ac

SHA512
8be6890e91d3790e2142785956f40c0ae11d96b7dc2e352c6ca47fe205bd23e8c9cf7532c9dc304a5b5ede8c66126c3f1f389ccd21fc0a4bfc0a0c5d72eee0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updatemonitor\ouzel.ppt

Filesize
18KB

MD5
4291a76014353530321658fac5d087c4

SHA1
22cc218a009927b31f1c888f715b3e48a5d4e4bf

SHA256
fb674a1619af1cffd77a9e9c619ddef4e2d88ec5cb572dbf7842662f5a52a7aa

SHA512
5cdbee401f0fb79e9f8b044d47e9cb42171a1bba50833712e58162ccdba3d07025c1a5cb3a2e9c469e5cb0e2739ad68f96f0c355d059edb1aa501504da329b9d

Download Submit
C:\Users\Admin\AppData\Roaming\Updatemonitor\msidcrl40.dll

Filesize
630KB

MD5
9514be8bd127e6bdc0e8e88f68528765

SHA1
038816272f54101ef9829a4f834312e88b605c3e

SHA256
0da17d38bbe0439b4a6635bf7e896e5f607cc17646f1586d745844fefb974413

SHA512
27c5c4cad9de779a43e5f1550807711b0c08328a339e1ec893d070f95a481e6b743d166ec7f92dfcdcd3f64a9f5d3884c360bf48bd516cea9229966ee9e4b785

Download Submit
C:\Users\Admin\AppData\Roaming\Updatemonitor\msidcrl40.dll

Filesize
791KB

MD5
35b4cbc40f4df46cc50acb5c6205d757

SHA1
7e40413f8c583bc45fe2cbbf87aa095cdc0f8741

SHA256
810d73c452411fd045a321517a3ca6841b505c0a8df1cef293f31f1e44eed1cd

SHA512
52f9d4ee45c12138cb5f7b103d266dcfe1497ba2bf2cc283047b7c69dfa20f0674ddef02277f85b6bb7b770138a83727d6df05415f2557d60ed8ad107bdcd891

Download Submit
memory/3012-28-0x00007FFC4F2D0000-0x00007FFC4F442000-memory.dmp

Filesize
1.4MB

Download
memory/3012-21-0x00007FFC4F2D0000-0x00007FFC4F442000-memory.dmp

Filesize
1.4MB

Download
memory/3012-18-0x00007FFC4F2D0000-0x00007FFC4F442000-memory.dmp

Filesize
1.4MB

Download
memory/3012-16-0x0000000000400000-0x0000000001753000-memory.dmp

Filesize
19.3MB

Download
memory/3012-0-0x00000000018A0000-0x00000000018A1000-memory.dmp

Filesize
4KB

Download
memory/3012-50-0x00007FFC4F2D0000-0x00007FFC4F442000-memory.dmp

Filesize
1.4MB

Download
memory/3616-36-0x0000000074C10000-0x0000000074D8B000-memory.dmp

Filesize
1.5MB

Download
memory/3616-37-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/3632-62-0x0000000074C10000-0x0000000074D8B000-memory.dmp

Filesize
1.5MB

Download
memory/3632-59-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/3632-64-0x0000000074C10000-0x0000000074D8B000-memory.dmp

Filesize
1.5MB

Download
memory/3632-61-0x0000000074C10000-0x0000000074D8B000-memory.dmp

Filesize
1.5MB

Download
memory/3632-57-0x0000000074C10000-0x0000000074D8B000-memory.dmp

Filesize
1.5MB

Download
memory/4312-70-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/4312-72-0x00000000061B0000-0x0000000006754000-memory.dmp

Filesize
5.6MB

Download
memory/4312-75-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/4312-74-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/4312-73-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/4312-65-0x00000000736E0000-0x0000000074934000-memory.dmp

Filesize
18.3MB

Download
memory/4312-68-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/4312-69-0x0000000000F90000-0x0000000000FA2000-memory.dmp

Filesize
72KB

Download
memory/4312-71-0x0000000005B60000-0x0000000005BFC000-memory.dmp

Filesize
624KB

Download
memory/5104-53-0x0000000074C10000-0x0000000074D8B000-memory.dmp

Filesize
1.5MB

Download
memory/5104-52-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/5104-54-0x0000000074C10000-0x0000000074D8B000-memory.dmp

Filesize
1.5MB

Download
memory/5104-49-0x0000000074C10000-0x0000000074D8B000-memory.dmp

Filesize
1.5MB

Download
memory/5104-55-0x0000000074C10000-0x0000000074D8B000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads