asyncrat | 6345f66509868dae2d0725f00f3a60034012496142d91ea6d7dcbec3d471538b

Analysis

max time kernel
148s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 03:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e0295b03a18cadfd2ef555869a013ac5.exe
Size

7.5MB
MD5

e0295b03a18cadfd2ef555869a013ac5
SHA1

548509919e803393656c2d58f993e717d8257888
SHA256

6345f66509868dae2d0725f00f3a60034012496142d91ea6d7dcbec3d471538b
SHA512

b653ae24d76ec1aec023690be35d416748a9001bbaa704e41604b36dfd466a8b24205ec6651feec994188962f501260606613eed2405d51a8339a8bb7ffa0beb
SSDEEP

196608:YHZUcQM99igj59mp3zqwXaTk0nHtRWbpbtsc95t:Y5PeTp3zq7HtRW1Zsy5t

Score

10^/10

asyncrat meowpc persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

MeowPC

meowpc-33643.portmap.host:2610

meowpc-33643.portmap.host:33643

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
window.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000016d34-35.dat	family_asyncrat

Deletes itself 1 IoCs

pid	Process
2408	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2560	svhost.exe
2308	test.exe
268	Slayer Encryption Tools v 1.1.exe
1660	window.exe

Loads dropped DLL 6 IoCs

pid	Process
1272	e0295b03a18cadfd2ef555869a013ac5.exe
1272	e0295b03a18cadfd2ef555869a013ac5.exe
2560	svhost.exe
2560	svhost.exe
2560	svhost.exe
1816	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Fupdate = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe"	e0295b03a18cadfd2ef555869a013ac5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
932	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1952	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2308	test.exe
2308	test.exe
2308	test.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	e0295b03a18cadfd2ef555869a013ac5.exe
Token: SeDebugPrivilege	2560	svhost.exe
Token: SeDebugPrivilege	2308	test.exe
Token: SeDebugPrivilege	1660	window.exe
Token: SeDebugPrivilege	1660	window.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2560	1272	e0295b03a18cadfd2ef555869a013ac5.exe	28
PID 1272 wrote to memory of 2560	1272	e0295b03a18cadfd2ef555869a013ac5.exe	28
PID 1272 wrote to memory of 2560	1272	e0295b03a18cadfd2ef555869a013ac5.exe	28
PID 1272 wrote to memory of 2560	1272	e0295b03a18cadfd2ef555869a013ac5.exe	28
PID 1272 wrote to memory of 2408	1272	e0295b03a18cadfd2ef555869a013ac5.exe	30
PID 1272 wrote to memory of 2408	1272	e0295b03a18cadfd2ef555869a013ac5.exe	30
PID 1272 wrote to memory of 2408	1272	e0295b03a18cadfd2ef555869a013ac5.exe	30
PID 1272 wrote to memory of 2408	1272	e0295b03a18cadfd2ef555869a013ac5.exe	30
PID 2560 wrote to memory of 2308	2560	svhost.exe	32
PID 2560 wrote to memory of 2308	2560	svhost.exe	32
PID 2560 wrote to memory of 2308	2560	svhost.exe	32
PID 2560 wrote to memory of 2308	2560	svhost.exe	32
PID 2560 wrote to memory of 268	2560	svhost.exe	33
PID 2560 wrote to memory of 268	2560	svhost.exe	33
PID 2560 wrote to memory of 268	2560	svhost.exe	33
PID 2560 wrote to memory of 268	2560	svhost.exe	33
PID 2308 wrote to memory of 2684	2308	test.exe	34
PID 2308 wrote to memory of 2684	2308	test.exe	34
PID 2308 wrote to memory of 2684	2308	test.exe	34
PID 2308 wrote to memory of 2684	2308	test.exe	34
PID 2308 wrote to memory of 1816	2308	test.exe	36
PID 2308 wrote to memory of 1816	2308	test.exe	36
PID 2308 wrote to memory of 1816	2308	test.exe	36
PID 2308 wrote to memory of 1816	2308	test.exe	36
PID 2684 wrote to memory of 932	2684	cmd.exe	38
PID 2684 wrote to memory of 932	2684	cmd.exe	38
PID 2684 wrote to memory of 932	2684	cmd.exe	38
PID 2684 wrote to memory of 932	2684	cmd.exe	38
PID 1816 wrote to memory of 1952	1816	cmd.exe	39
PID 1816 wrote to memory of 1952	1816	cmd.exe	39
PID 1816 wrote to memory of 1952	1816	cmd.exe	39
PID 1816 wrote to memory of 1952	1816	cmd.exe	39
PID 1816 wrote to memory of 1660	1816	cmd.exe	40
PID 1816 wrote to memory of 1660	1816	cmd.exe	40
PID 1816 wrote to memory of 1660	1816	cmd.exe	40
PID 1816 wrote to memory of 1660	1816	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\e0295b03a18cadfd2ef555869a013ac5.exe
"C:\Users\Admin\AppData\Local\Temp\e0295b03a18cadfd2ef555869a013ac5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Roaming\svhost.exe
  "C:\Users\Admin\AppData\Roaming\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "window" /tr '"C:\Users\Admin\AppData\Roaming\window.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "window" /tr '"C:\Users\Admin\AppData\Roaming\window.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp867E.tmp.bat""
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1952
    - - C:\Users\Admin\AppData\Roaming\window.exe
        
        "C:\Users\Admin\AppData\Roaming\window.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
- - C:\Users\Admin\AppData\Local\Temp\Slayer Encryption Tools v 1.1.exe
    "C:\Users\Admin\AppData\Local\Temp\Slayer Encryption Tools v 1.1.exe"
    3⤵
    - Executes dropped EXE
    PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\eaPja.bat
  2⤵
  - Deletes itself
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Slayer Encryption Tools v 1.1.exe

Filesize
448KB

MD5
fe14c64b326f24f424abc0c7020ef8c0

SHA1
fd207a22a412d2544adfb5956ff16f918520effb

SHA256
4fc5bf637cbab0e0be05c4fee920078bab7fd8838d620b7932d3c083ef945bb3

SHA512
2717b8e6f8abbab0a9fbb72266d7f368cfe673ad2d1803da80046cfd6c05bfafb3c6eac5305905928a5e537c0af84f34b323df6b5f1d6f810c6a6fe85f77b48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slayer Encryption Tools v 1.1.exe

Filesize
429KB

MD5
ca6b80509adf26ff734f56b31636ad68

SHA1
7bf2413ba600401e45b1b7fe30ba004b66d82f59

SHA256
83a035f7bb9a2d833c6fa1295b51a112a89a49b30866c92ba3a45ce8c6d9d990

SHA512
cce8f4a4f1beacf68062609a848a06afccbe7d797d18099c995dbc7e78d34b3eb3e614663125af2832000bd91e6514ea6c975b2e2bcf64418d24582c9a031e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaPja.bat

Filesize
248B

MD5
7401e9af515f9902774583d2a606b8b1

SHA1
45d0bf6f591d043a428c2d2b0483277fed45152e

SHA256
cf038a3b4c45cbfbc5c76def0ae7a2beae85ad6bd8a02f436e8b64c3d80a2cd1

SHA512
2baeae7f599d59ef6763a907dce9bffae2ffe5ef98f678066343d0a922859b889c86b0d46f3d5712a53e43dd2dfa9563e4f22fdda9646ea921405299a5c62ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp867E.tmp.bat

Filesize
150B

MD5
1e5a627d10dc9025faeed868169de7f2

SHA1
7f51d7737b8eb05a7deb9daec375e6d57673d9e0

SHA256
df88a6be11e090a8f3d7b1932442add3c73717fbfe1f0d744431f1803a3ead44

SHA512
62d9254541e826215726655f3d507320ce288b1b932270c0c8fea252e13506982ef3db5199ebe6fc3eda6f6cc056fa5ddf7b9a27ca495bb5318e1d18dcbe981d

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
3.5MB

MD5
a90ffe5a67854ec1754c4bcf03dc2c9f

SHA1
bea85dad8cc6367f11ebbf9d99294108462beafe

SHA256
13966796bae3c689989fd8b7fb44f299fb324198003678709965916349cd99c4

SHA512
8b1196fdd1ed3ec708fa3e27be9a66cd5be1890bbec2f1a37c93d84da0850eb798d9a00a82377d2f6423f31a1d78d529b9c6d197daca8e0aba633416c415b8b1

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
2.6MB

MD5
4304c4afd5bfc104d4c6700a7e93fc8f

SHA1
dc50366bae55d64c6b9e32c26a0c4b5ce0991768

SHA256
f490a7e3e1639bb764565757689cf612a0d4c090e6a62631b8c84a1e0ed63d37

SHA512
2b0e29816b853dde9e4ccc1f3dd8eb12483e4390504bcd139d832f593f045d846223095eefcadfe0f34d89da7f0646f54b55e595a7d9650e99bfc7540e446c8d

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
3.9MB

MD5
55e87f23bb9967a75a79a01eee1d66d6

SHA1
7b048eed64af365e3888436d5c2aea63df315250

SHA256
430eeffe9deaebcbfde1db80caa79f4e1cceb81741e53375dd9be8ef69343edd

SHA512
6394c524bf3f4bfe87ed89fc35e1618a39aeaa3f18ff9172af247b57c6a35a8222794da77ad6c0b9a744077bfe37c840a2c6f1f9a78506e8b1c079defe397280

Download Submit
\Users\Admin\AppData\Local\Temp\Slayer Encryption Tools v 1.1.exe

Filesize
472KB

MD5
6a29a46bea23d0086c52dec014105f9e

SHA1
75b2b65b654c68444acc21bfc43356e4cdd49866

SHA256
1ed2b3f96e739831e9b6ddb8a05a6971fd952982bf8939e3793b4565af74ea0b

SHA512
36d99c47efff63f0fc83a21e9d92dbb0cc87934d8c5d2fc9c9070f7b598e4773d3a3ad4ea90d75d6cfab9a133b14924ad41a6246ecd958a78b52b069cf06bbd4

Download Submit
\Users\Admin\AppData\Local\Temp\test.exe

Filesize
299KB

MD5
ece61efe1ed5e7d192df53448d21a10b

SHA1
a30d8bd1cf3ed75b3478c949c3b25f677bbf45cb

SHA256
4dd30e25b67739b7b6ded0ef6e09818df3c657278d38cbcde54b60f2f3f306d7

SHA512
90913ef31e459b9c4543ae46a19358f2bc29759f8194070c41c0d4ba9e5906d956a968bd7332d6b6c6ebc702be45fbced752a4214bf5a6ac07b336da43a797b4

Download Submit
\Users\Admin\AppData\Local\Temp\tmp65F4.tmp\HVMRuntm.dll

Filesize
1.5MB

MD5
40a98f24138adcc1185612b5d7d8a644

SHA1
5891201825982460d3e538c709e8287e06c81510

SHA256
b9caf8a1f300f0d6081e5ae0973d384593c267e264dc804aa2075228ac555086

SHA512
ca6bd7d2f4d7b8224bd4f295dfcc48c0d265250838709f2169bf2523f48cfbd4de14792dd7ec62252498953cf4acabcfb338a29e0b8dc36f71e2ef36af948b2f

Download Submit
\Users\Admin\AppData\Roaming\svhost.exe

Filesize
3.4MB

MD5
e865cc69dc4875ae78cf7ee398e6c98a

SHA1
54c9ebd22af6e5caf92d59b291f6afed2fd4b10c

SHA256
c8a2f2c3d8eae9ba0baa78b7cdf8bfc8abb079116db8854da6603d6d0893c24e

SHA512
522369750d9d02e0aa99e8f7078112ae38b75d0d29c355aebae3c5fc4f96ac7bf0f578180298f326cd97d53c60b1df107bdffa90a6d479285840b5eb36204e91

Download Submit
memory/268-48-0x0000000002360000-0x00000000023E0000-memory.dmp

Filesize
512KB

Download
memory/268-59-0x0000000002360000-0x00000000023E0000-memory.dmp

Filesize
512KB

Download
memory/268-73-0x0000000002360000-0x00000000023E0000-memory.dmp

Filesize
512KB

Download
memory/268-52-0x0000000002360000-0x00000000023E0000-memory.dmp

Filesize
512KB

Download
memory/268-51-0x0000000002360000-0x00000000023E0000-memory.dmp

Filesize
512KB

Download
memory/268-72-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/268-74-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/268-75-0x0000000002360000-0x00000000023E0000-memory.dmp

Filesize
512KB

Download
memory/268-76-0x0000000002360000-0x00000000023E0000-memory.dmp

Filesize
512KB

Download
memory/268-47-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/1272-6-0x0000000074500000-0x0000000074580000-memory.dmp

Filesize
512KB

Download
memory/1272-1-0x0000000001340000-0x0000000001AC0000-memory.dmp

Filesize
7.5MB

Download
memory/1272-0-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1272-7-0x00000000012F0000-0x0000000001330000-memory.dmp

Filesize
256KB

Download
memory/1272-30-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1660-68-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1660-77-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1660-67-0x0000000000240000-0x0000000000290000-memory.dmp

Filesize
320KB

Download
memory/1660-69-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/1660-78-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/2308-63-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2308-49-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2308-50-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/2308-46-0x0000000000130000-0x0000000000180000-memory.dmp

Filesize
320KB

Download
memory/2560-71-0x00000000050A0000-0x00000000050E0000-memory.dmp

Filesize
256KB

Download
memory/2560-29-0x0000000074500000-0x0000000074580000-memory.dmp

Filesize
512KB

Download
memory/2560-17-0x0000000000290000-0x0000000000A10000-memory.dmp

Filesize
7.5MB

Download
memory/2560-16-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2560-31-0x00000000050A0000-0x00000000050E0000-memory.dmp

Filesize
256KB

Download
memory/2560-70-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download