asyncrat | 172705adb5ebbb023174bafa12a8c572604258aaf4a3959ec6759c7e3333b7ec

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25/03/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de96f95692e27176b74125a40300ba08.exe
Size

1.9MB
MD5

de96f95692e27176b74125a40300ba08
SHA1

472c7dfb79b00e95b68b3ba23c7fb5c14c740053
SHA256

172705adb5ebbb023174bafa12a8c572604258aaf4a3959ec6759c7e3333b7ec
SHA512

9062560007de212f285c1fee05df3b6cd021fcc4367d29b1baf9b0a1158aca484601a57b84e7c4b9c0937336f7a3e6e69fd990f516abd288666edf6aca16e1cc
SSDEEP

24576:sYYiCmMxAtOsBgo0q4wMcCcsp/iKgM4MRM/mXVK67k3GCo27nsISxZvBn2spMBuu:sVWsoHMcCbppx44lK13NAI6736F6Z

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

podzeye.duckdns.org:4422

podzeye.duckdns.org:4442

podzeye.duckdns.org:4433

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral1/memory/2892-3-0x00000000004D0000-0x00000000004E2000-memory.dmp	CustAttr

Executes dropped EXE 2 IoCs

pid	Process
2704	System.exe
2332	System.exe

Loads dropped DLL 2 IoCs

pid	Process
1892	de96f95692e27176b74125a40300ba08.exe
2704	System.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2892 set thread context of 1892	2892	de96f95692e27176b74125a40300ba08.exe	33
PID 2704 set thread context of 2332	2704	System.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2892	de96f95692e27176b74125a40300ba08.exe
2892	de96f95692e27176b74125a40300ba08.exe
2892	de96f95692e27176b74125a40300ba08.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	de96f95692e27176b74125a40300ba08.exe
Token: SeDebugPrivilege	2332	System.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1892	de96f95692e27176b74125a40300ba08.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2924	2892	de96f95692e27176b74125a40300ba08.exe	30
PID 2892 wrote to memory of 2924	2892	de96f95692e27176b74125a40300ba08.exe	30
PID 2892 wrote to memory of 2924	2892	de96f95692e27176b74125a40300ba08.exe	30
PID 2892 wrote to memory of 2924	2892	de96f95692e27176b74125a40300ba08.exe	30
PID 2892 wrote to memory of 2884	2892	de96f95692e27176b74125a40300ba08.exe	31
PID 2892 wrote to memory of 2884	2892	de96f95692e27176b74125a40300ba08.exe	31
PID 2892 wrote to memory of 2884	2892	de96f95692e27176b74125a40300ba08.exe	31
PID 2892 wrote to memory of 2884	2892	de96f95692e27176b74125a40300ba08.exe	31
PID 2892 wrote to memory of 2680	2892	de96f95692e27176b74125a40300ba08.exe	32
PID 2892 wrote to memory of 2680	2892	de96f95692e27176b74125a40300ba08.exe	32
PID 2892 wrote to memory of 2680	2892	de96f95692e27176b74125a40300ba08.exe	32
PID 2892 wrote to memory of 2680	2892	de96f95692e27176b74125a40300ba08.exe	32
PID 2892 wrote to memory of 1892	2892	de96f95692e27176b74125a40300ba08.exe	33
PID 2892 wrote to memory of 1892	2892	de96f95692e27176b74125a40300ba08.exe	33
PID 2892 wrote to memory of 1892	2892	de96f95692e27176b74125a40300ba08.exe	33
PID 2892 wrote to memory of 1892	2892	de96f95692e27176b74125a40300ba08.exe	33
PID 2892 wrote to memory of 1892	2892	de96f95692e27176b74125a40300ba08.exe	33
PID 2892 wrote to memory of 1892	2892	de96f95692e27176b74125a40300ba08.exe	33
PID 2892 wrote to memory of 1892	2892	de96f95692e27176b74125a40300ba08.exe	33
PID 2892 wrote to memory of 1892	2892	de96f95692e27176b74125a40300ba08.exe	33
PID 1892 wrote to memory of 2704	1892	de96f95692e27176b74125a40300ba08.exe	34
PID 1892 wrote to memory of 2704	1892	de96f95692e27176b74125a40300ba08.exe	34
PID 1892 wrote to memory of 2704	1892	de96f95692e27176b74125a40300ba08.exe	34
PID 1892 wrote to memory of 2704	1892	de96f95692e27176b74125a40300ba08.exe	34
PID 2704 wrote to memory of 2012	2704	System.exe	35
PID 2704 wrote to memory of 2012	2704	System.exe	35
PID 2704 wrote to memory of 2012	2704	System.exe	35
PID 2704 wrote to memory of 2012	2704	System.exe	35
PID 2704 wrote to memory of 2332	2704	System.exe	37
PID 2704 wrote to memory of 2332	2704	System.exe	37
PID 2704 wrote to memory of 2332	2704	System.exe	37
PID 2704 wrote to memory of 2332	2704	System.exe	37
PID 2704 wrote to memory of 2332	2704	System.exe	37
PID 2704 wrote to memory of 2332	2704	System.exe	37
PID 2704 wrote to memory of 2332	2704	System.exe	37
PID 2704 wrote to memory of 2332	2704	System.exe	37
PID 2704 wrote to memory of 2332	2704	System.exe	37

C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe
"C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe
  "C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe"
  2⤵
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe
  "C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe"
  2⤵
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe
  "C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe"
  2⤵
  PID:2680
- C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe
  "C:\Users\Admin\AppData\Local\Temp\de96f95692e27176b74125a40300ba08.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\System.exe
    "C:\Users\Admin\AppData\Local\Temp\System.exe" 0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ToahHiZtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp"
      4⤵
      Creates scheduled task(s)
      PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\System.exe
      "C:\Users\Admin\AppData\Local\Temp\System.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp

Filesize
1KB

MD5
09f2ca26e4079b4a75446853bac5c811

SHA1
3e34739d41c7308dd68408f98b26f4178551fb56

SHA256
46d2ec0406b36f4a0ae712c9be9abfce8e880966035c52157beb218d9d93dd4a

SHA512
0b71a5127c46cb81131a43583f1cdc1823a9c4a38c1a3a0615bbb0e630803cac8e9fabd4686b9e1cf4dd23797eaed2d73b96573d25beeeb452cf3b234e91dab4

Download Submit
\Users\Admin\AppData\Local\Temp\System.exe

Filesize
1.1MB

MD5
6de6f3b1c646ed699f7e31c0631d0032

SHA1
e658e0ddf1d4d5cfbf3a73635ac96682bcfac6cb

SHA256
eb054bd6d1a8270815b7aba891b45fad52593e1eb99dfb5052dadb61587e9c45

SHA512
21eaa83a95ed1a4902ad06fe450a2fc745c5ebcb7816a9dd4690112910c83130b54a3632aa88ac498055ea33275e3df7373658053c0fbf5290ea3493273c566d

Download Submit
memory/1892-10-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/1892-27-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/1892-19-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/1892-15-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/1892-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1892-13-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/1892-8-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/1892-9-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2332-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2332-41-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2332-60-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/2332-59-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/2332-58-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/2332-57-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/2332-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2332-53-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2332-43-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2332-45-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2332-46-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2332-50-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2704-29-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/2704-28-0x0000000001330000-0x0000000001444000-memory.dmp

Filesize
1.1MB

Download
memory/2704-34-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2704-56-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/2704-32-0x0000000004F60000-0x0000000004FA0000-memory.dmp

Filesize
256KB

Download
memory/2704-33-0x0000000004ED0000-0x0000000004F2A000-memory.dmp

Filesize
360KB

Download
memory/2704-31-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/2704-30-0x0000000004F60000-0x0000000004FA0000-memory.dmp

Filesize
256KB

Download
memory/2892-7-0x0000000005AE0000-0x0000000005BFA000-memory.dmp

Filesize
1.1MB

Download
memory/2892-0-0x00000000001C0000-0x00000000003B0000-memory.dmp

Filesize
1.9MB

Download
memory/2892-2-0x0000000004BE0000-0x0000000004C20000-memory.dmp

Filesize
256KB

Download
memory/2892-1-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-3-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2892-4-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-16-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-5-0x0000000004BE0000-0x0000000004C20000-memory.dmp

Filesize
256KB

Download
memory/2892-6-0x00000000059B0000-0x0000000005AE2000-memory.dmp

Filesize
1.2MB

Download