asyncrat | bcbc3eac0f777f27bdacb1cdade005bf50860fded0fa39205a66f5c9560ab80e

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe
Size

2.2MB
MD5

eb1a9295b13583f1d12db61027e72fa3
SHA1

a44c8f2bdc54110ce7d295bb0b92a0212177dd77
SHA256

bcbc3eac0f777f27bdacb1cdade005bf50860fded0fa39205a66f5c9560ab80e
SHA512

f94100cd6099376120677f51ed2b8c0438302f844a54f598a9675dc5c7486e6ae30b41e12ffeae51941c17e9438f293d3de2992c0cdc6a601ffa778a273e1365
SSDEEP

49152:p0Wr2+2NRopvMx5qqLDp2iOzouQs6wt1rp9X/M:WwkkEx5VDOzrQs6EvNk

Score

10^/10

asyncrat limerat rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
@mustleak
antivm
false
c2_url
https://pastebin.com/raw/c3Nu1fZy
delay
3
download_payload
false
install
true
install_name
snchost.exe
main_folder
AppData
pin_spread
false
sub_folder
\bite\
usb_spread
true

Extracted

Family

asyncrat

Version

0.5.4H

Mutex

extiqtrzeqtxqjoa

Attributes

delay
0
install
true
install_file
scvhost.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/X37Jy9jA

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\client.exe	family_asyncrat

Executes dropped EXE 4 IoCs

Processes:

SocialExtractor.execlient.exeSocialExtractor.tmpscvhost.exe

pid process

2664 SocialExtractor.exe
2840 client.exe
2972 SocialExtractor.tmp
604 scvhost.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exeSocialExtractor.exe

pid process

2632 cmd.exe
2632 cmd.exe
2664 SocialExtractor.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 pastebin.com
4 pastebin.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2480 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2344 timeout.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

client.exescvhost.exe

pid process

2840 client.exe
2840 client.exe
604 scvhost.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SocialExtractor.tmp

pid process

2972 SocialExtractor.tmp
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

client.exescvhost.exe

description pid process

Token: SeDebugPrivilege 2840 client.exe
Token: SeDebugPrivilege 604 scvhost.exe
Token: SeDebugPrivilege 604 scvhost.exe

pid	process
2664	SocialExtractor.exe
2840	client.exe
2972	SocialExtractor.tmp
604	scvhost.exe

pid	process
2632	cmd.exe
2632	cmd.exe
2664	SocialExtractor.exe

flow	ioc
5	pastebin.com
4	pastebin.com

pid	process
2480	schtasks.exe

pid	process
2344	timeout.exe

pid	process
2840	client.exe
2840	client.exe
604	scvhost.exe

pid	process
2972	SocialExtractor.tmp

description	pid	process
Token: SeDebugPrivilege	2840	client.exe
Token: SeDebugPrivilege	604	scvhost.exe
Token: SeDebugPrivilege	604	scvhost.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.execmd.exeSocialExtractor.execlient.execmd.exe

description	pid	process	target process
PID 2976 wrote to memory of 2632	2976	eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe	cmd.exe
PID 2976 wrote to memory of 2632	2976	eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe	cmd.exe
PID 2976 wrote to memory of 2632	2976	eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe	cmd.exe
PID 2976 wrote to memory of 2632	2976	eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe	cmd.exe
PID 2632 wrote to memory of 2664	2632	cmd.exe	SocialExtractor.exe
PID 2632 wrote to memory of 2664	2632	cmd.exe	SocialExtractor.exe
PID 2632 wrote to memory of 2664	2632	cmd.exe	SocialExtractor.exe
PID 2632 wrote to memory of 2664	2632	cmd.exe	SocialExtractor.exe
PID 2632 wrote to memory of 2664	2632	cmd.exe	SocialExtractor.exe
PID 2632 wrote to memory of 2664	2632	cmd.exe	SocialExtractor.exe
PID 2632 wrote to memory of 2664	2632	cmd.exe	SocialExtractor.exe
PID 2632 wrote to memory of 2840	2632	cmd.exe	client.exe
PID 2632 wrote to memory of 2840	2632	cmd.exe	client.exe
PID 2632 wrote to memory of 2840	2632	cmd.exe	client.exe
PID 2632 wrote to memory of 2840	2632	cmd.exe	client.exe
PID 2664 wrote to memory of 2972	2664	SocialExtractor.exe	SocialExtractor.tmp
PID 2664 wrote to memory of 2972	2664	SocialExtractor.exe	SocialExtractor.tmp
PID 2664 wrote to memory of 2972	2664	SocialExtractor.exe	SocialExtractor.tmp
PID 2664 wrote to memory of 2972	2664	SocialExtractor.exe	SocialExtractor.tmp
PID 2664 wrote to memory of 2972	2664	SocialExtractor.exe	SocialExtractor.tmp
PID 2664 wrote to memory of 2972	2664	SocialExtractor.exe	SocialExtractor.tmp
PID 2664 wrote to memory of 2972	2664	SocialExtractor.exe	SocialExtractor.tmp
PID 2840 wrote to memory of 2480	2840	client.exe	schtasks.exe
PID 2840 wrote to memory of 2480	2840	client.exe	schtasks.exe
PID 2840 wrote to memory of 2480	2840	client.exe	schtasks.exe
PID 2840 wrote to memory of 2932	2840	client.exe	cmd.exe
PID 2840 wrote to memory of 2932	2840	client.exe	cmd.exe
PID 2840 wrote to memory of 2932	2840	client.exe	cmd.exe
PID 2932 wrote to memory of 2344	2932	cmd.exe	timeout.exe
PID 2932 wrote to memory of 2344	2932	cmd.exe	timeout.exe
PID 2932 wrote to memory of 2344	2932	cmd.exe	timeout.exe
PID 2932 wrote to memory of 604	2932	cmd.exe	scvhost.exe
PID 2932 wrote to memory of 604	2932	cmd.exe	scvhost.exe
PID 2932 wrote to memory of 604	2932	cmd.exe	scvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Untitled1.bat" > NUL"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\SocialExtractor.exe
    SocialExtractor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\is-VIFHD.tmp\SocialExtractor.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-VIFHD.tmp\SocialExtractor.tmp" /SL5="$70120,1346769,130560,C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\SocialExtractor.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:2972
- - C:\Users\Admin\AppData\Roaming\Microsoft\client.exe
    client.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'scvhost"' /tr "'C:\Users\Admin\AppData\Roaming\scvhost.exe"'
      4⤵
      Creates scheduled task(s)
      PID:2480
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA44B.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2344
    - - C:\Users\Admin\AppData\Roaming\scvhost.exe
        
        "C:\Users\Admin\AppData\Roaming\scvhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\client.exe

Filesize
49KB

MD5
250c653e112343e53b5b7663106668b4

SHA1
922c3645fde2ce0e8f61b466c436fc3b2461dbdb

SHA256
1e43894d0469a136302deb3e21cf15855e2845ef8f1cdab693afd29306fc28b4

SHA512
61d23d0e4d278d794dc58b89ab31663f5b560cf0714520feba17baa6a0708aa2e5fb499a51a30a8e8236bdc52864bb697bbb6f2446a579dc586f6585e64a5233

Download Submit
C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\client1.exe

Filesize
28KB

MD5
686450ae4670a34ce50887e6cad59b33

SHA1
87386f41e240c9d77a4ab86bfd5e8bb86479ca05

SHA256
c510955a49256a7e86cda23b6cdc4328f43bfa449f583f87c12e9e7d9e037435

SHA512
1afee6ef90a3fa53533f50333f6068813741fa8173f500d6215feb1767a1c66a9bc24ab4aa8f35a042c006c1e3f61be3763f624985b0ba16ff98ef014f7b6cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD975.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Untitled1.bat

Filesize
791B

MD5
c86aebc029adf9aaab1211939c01e999

SHA1
93e408eb832c9c1ee60652cf2b5a2185c76f704d

SHA256
60ae8673855a220d7fe13b7f8a40669431682caac3a64d67cac7edf0f8030776

SHA512
27505b95e93f91f0bd288ae2a4532ad041caa2dcecbfc7b65790be7c78f13945776fe2ca4692fd3fe9cb83ab3ff19bb3724d248e3ad06e821f241f88e909b01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA44B.tmp.bat

Filesize
151B

MD5
09abbeff853b722961c30656792b3cbf

SHA1
cd5de6c3f7a01ded8a34ac6435d6e38f33ffd318

SHA256
7aad2b01648d04f8a2e33ae1096e13f6cf3d2660903d3b2e4138423484584359

SHA512
9e193019631e4132334f707392cfe3ac08aaf6ceef113ded544e71e705e37d582a932c6b33cad6a9b65b7e1b5d9ae736fa0e75762396c047749194a53fbc60b9

Download Submit
C:\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
41.0MB

MD5
c195edfce0578f293247176f7916ffea

SHA1
2995172d4fc6da48b2cd349f846dc44c4c8d092c

SHA256
6ecd3a1617ae5bfbb9a38d58d89f2fdad1654fa2cbf24509e37f770e192e90b9

SHA512
6eabd344057ea105fed32ef5c0db519c88ee0eada6d5dd4cfa0a0451caa7739cb8e817645a7d395c092016e581e4a5ca98ea07872edf0e035eb6b2b7701f4059

Download Submit
\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\SocialExtractor.exe

Filesize
1.6MB

MD5
1fa50a9e04bcb2a0c1a0f2207a790f87

SHA1
0b635ab3963305920bc38fada7ea6b19f22ff80d

SHA256
ea6d36128832517f0dc80d484d5bfa2743b81cf5fcd35eb55a5d81425c409952

SHA512
edc681eac890b0a0a20dc6e66c43a3e0b072c4931cd53453dc368af03a60fc2fd69591c0f6bf5119b3b9ed87083930c03b41e31f5d3f4db63c0514504af84515

Download Submit
\Users\Admin\AppData\Local\Temp\is-VIFHD.tmp\SocialExtractor.tmp

Filesize
768KB

MD5
d2481b1c46abfb624d42ef7de2571183

SHA1
0662e0f372014783de00502baf777c89f319a2e9

SHA256
5ce99063e4e9c1b4292e07c39732965ffdd96f0527c8a2d97fc904c01c3d6d94

SHA512
b8ec89ba2b98195dc26190a1ac0a950ed92061c837adbdda5496782aaf8fb1edc6d04c51c42d8c0f18d967cdf9a1f34ff27779c6eaecff36f961ab2d1909b08e

Download Submit
memory/604-52-0x000007FEF4850000-0x000007FEF523C000-memory.dmp

Filesize
9.9MB

Download
memory/604-96-0x000000001B0B0000-0x000000001B130000-memory.dmp

Filesize
512KB

Download
memory/604-95-0x000007FEF4850000-0x000007FEF523C000-memory.dmp

Filesize
9.9MB

Download
memory/604-49-0x0000000000F80000-0x0000000000F92000-memory.dmp

Filesize
72KB

Download
memory/604-53-0x000000001B0B0000-0x000000001B130000-memory.dmp

Filesize
512KB

Download
memory/2664-33-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2664-19-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2840-30-0x000007FEF5240000-0x000007FEF5C2C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-29-0x0000000000F90000-0x0000000000FA2000-memory.dmp

Filesize
72KB

Download
memory/2840-44-0x000007FEF5240000-0x000007FEF5C2C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-31-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download
memory/2972-51-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2972-28-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2972-34-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download