asyncrat | bcbc3eac0f777f27bdacb1cdade005bf50860fded0fa39205a66f5c9560ab80e

General

Target

eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe
Size

2.2MB
MD5

eb1a9295b13583f1d12db61027e72fa3
SHA1

a44c8f2bdc54110ce7d295bb0b92a0212177dd77
SHA256

bcbc3eac0f777f27bdacb1cdade005bf50860fded0fa39205a66f5c9560ab80e
SHA512

f94100cd6099376120677f51ed2b8c0438302f844a54f598a9675dc5c7486e6ae30b41e12ffeae51941c17e9438f293d3de2992c0cdc6a601ffa778a273e1365
SSDEEP

49152:p0Wr2+2NRopvMx5qqLDp2iOzouQs6wt1rp9X/M:WwkkEx5VDOzrQs6EvNk

Score

10^/10

asyncrat limerat rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
@mustleak
antivm
false
c2_url
https://pastebin.com/raw/c3Nu1fZy
delay
3
download_payload
false
install
true
install_name
snchost.exe
main_folder
AppData
pin_spread
false
sub_folder
\bite\
usb_spread
true

Extracted

Family

asyncrat

Version

0.5.4H

Mutex

extiqtrzeqtxqjoa

Attributes

delay
0
install
true
install_file
scvhost.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/X37Jy9jA

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\client.exe	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

client.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation client.exe
Executes dropped EXE 4 IoCs

Processes:

SocialExtractor.execlient.exeSocialExtractor.tmpscvhost.exe

pid process

3944 SocialExtractor.exe
4160 client.exe
4928 SocialExtractor.tmp
3788 scvhost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

36 pastebin.com
37 pastebin.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4912 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4624 timeout.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	client.exe

pid	process
3944	SocialExtractor.exe
4160	client.exe
4928	SocialExtractor.tmp
3788	scvhost.exe

flow	ioc
36	pastebin.com
37	pastebin.com

pid	process
4912	schtasks.exe

pid	process
4624	timeout.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

client.exescvhost.exe

pid	process
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
4160	client.exe
3788	scvhost.exe
3788	scvhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

client.exescvhost.exe

description pid process

Token: SeDebugPrivilege 4160 client.exe
Token: SeDebugPrivilege 3788 scvhost.exe
Token: SeDebugPrivilege 3788 scvhost.exe

description	pid	process
Token: SeDebugPrivilege	4160	client.exe
Token: SeDebugPrivilege	3788	scvhost.exe
Token: SeDebugPrivilege	3788	scvhost.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.execmd.exeSocialExtractor.execlient.execmd.exe

description	pid	process	target process
PID 2028 wrote to memory of 4952	2028	eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe	cmd.exe
PID 2028 wrote to memory of 4952	2028	eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe	cmd.exe
PID 2028 wrote to memory of 4952	2028	eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe	cmd.exe
PID 4952 wrote to memory of 3944	4952	cmd.exe	SocialExtractor.exe
PID 4952 wrote to memory of 3944	4952	cmd.exe	SocialExtractor.exe
PID 4952 wrote to memory of 3944	4952	cmd.exe	SocialExtractor.exe
PID 4952 wrote to memory of 4160	4952	cmd.exe	client.exe
PID 4952 wrote to memory of 4160	4952	cmd.exe	client.exe
PID 3944 wrote to memory of 4928	3944	SocialExtractor.exe	SocialExtractor.tmp
PID 3944 wrote to memory of 4928	3944	SocialExtractor.exe	SocialExtractor.tmp
PID 3944 wrote to memory of 4928	3944	SocialExtractor.exe	SocialExtractor.tmp
PID 4160 wrote to memory of 4912	4160	client.exe	schtasks.exe
PID 4160 wrote to memory of 4912	4160	client.exe	schtasks.exe
PID 4160 wrote to memory of 320	4160	client.exe	cmd.exe
PID 4160 wrote to memory of 320	4160	client.exe	cmd.exe
PID 320 wrote to memory of 4624	320	cmd.exe	timeout.exe
PID 320 wrote to memory of 4624	320	cmd.exe	timeout.exe
PID 320 wrote to memory of 3788	320	cmd.exe	scvhost.exe
PID 320 wrote to memory of 3788	320	cmd.exe	scvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Untitled1.bat" > NUL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\SocialExtractor.exe
    SocialExtractor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\is-P861E.tmp\SocialExtractor.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-P861E.tmp\SocialExtractor.tmp" /SL5="$A0030,1346769,130560,C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\SocialExtractor.exe"
      4⤵
      Executes dropped EXE
      PID:4928
- - C:\Users\Admin\AppData\Roaming\Microsoft\client.exe
    client.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'scvhost"' /tr "'C:\Users\Admin\AppData\Roaming\scvhost.exe"'
      4⤵
      Creates scheduled task(s)
      PID:4912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp366D.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:320
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4624
    - - C:\Users\Admin\AppData\Roaming\scvhost.exe
        
        "C:\Users\Admin\AppData\Roaming\scvhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\SocialExtractor.exe

Filesize
1.6MB

MD5
1fa50a9e04bcb2a0c1a0f2207a790f87

SHA1
0b635ab3963305920bc38fada7ea6b19f22ff80d

SHA256
ea6d36128832517f0dc80d484d5bfa2743b81cf5fcd35eb55a5d81425c409952

SHA512
edc681eac890b0a0a20dc6e66c43a3e0b072c4931cd53453dc368af03a60fc2fd69591c0f6bf5119b3b9ed87083930c03b41e31f5d3f4db63c0514504af84515

Download Submit
C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\client.exe

Filesize
49KB

MD5
250c653e112343e53b5b7663106668b4

SHA1
922c3645fde2ce0e8f61b466c436fc3b2461dbdb

SHA256
1e43894d0469a136302deb3e21cf15855e2845ef8f1cdab693afd29306fc28b4

SHA512
61d23d0e4d278d794dc58b89ab31663f5b560cf0714520feba17baa6a0708aa2e5fb499a51a30a8e8236bdc52864bb697bbb6f2446a579dc586f6585e64a5233

Download Submit
C:\Users\Admin\AppData\Local\Temp\SocialExtractor Cracked\client1.exe

Filesize
28KB

MD5
686450ae4670a34ce50887e6cad59b33

SHA1
87386f41e240c9d77a4ab86bfd5e8bb86479ca05

SHA256
c510955a49256a7e86cda23b6cdc4328f43bfa449f583f87c12e9e7d9e037435

SHA512
1afee6ef90a3fa53533f50333f6068813741fa8173f500d6215feb1767a1c66a9bc24ab4aa8f35a042c006c1e3f61be3763f624985b0ba16ff98ef014f7b6cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Untitled1.bat

Filesize
791B

MD5
c86aebc029adf9aaab1211939c01e999

SHA1
93e408eb832c9c1ee60652cf2b5a2185c76f704d

SHA256
60ae8673855a220d7fe13b7f8a40669431682caac3a64d67cac7edf0f8030776

SHA512
27505b95e93f91f0bd288ae2a4532ad041caa2dcecbfc7b65790be7c78f13945776fe2ca4692fd3fe9cb83ab3ff19bb3724d248e3ad06e821f241f88e909b01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P861E.tmp\SocialExtractor.tmp

Filesize
768KB

MD5
d2481b1c46abfb624d42ef7de2571183

SHA1
0662e0f372014783de00502baf777c89f319a2e9

SHA256
5ce99063e4e9c1b4292e07c39732965ffdd96f0527c8a2d97fc904c01c3d6d94

SHA512
b8ec89ba2b98195dc26190a1ac0a950ed92061c837adbdda5496782aaf8fb1edc6d04c51c42d8c0f18d967cdf9a1f34ff27779c6eaecff36f961ab2d1909b08e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp366D.tmp.bat

Filesize
151B

MD5
d433d30f68cccf130f60c22750d25412

SHA1
51516ebf95699902c9a79bc50e6d253406f252e6

SHA256
f2944b0dd8de8e3946dcb9317d6a96bd9245764a50160a302e11402eaa89353f

SHA512
6a37f522ccdccb73797e17a021503438e8977a93702f1f2bfc8831ee8b46c066bdc70dba3eb8e644091913d6d825ab46db6c07d796f0f2c328b2e2dbaef4bea2

Download Submit
C:\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
47.1MB

MD5
ee46bb4ca1eaf7b6a4b8914880835314

SHA1
f30b7d41dbda86f12338c7a61e64dd7aa1ea915e

SHA256
972ff3699ae8d2c0f2b2ca52189223751ed57a9a7860bf71557041e4fc4accc4

SHA512
d7b10ddbf3ad3f36c4c9f6edd92e3ae8a9df304d0ca20ee7ca1c6f92e09f479f1ecca6b9a93ae2349c32253287e73f322bb6c8beb875e4a0d8e1559e307720d5

Download Submit
memory/3788-46-0x0000000002E70000-0x0000000002E80000-memory.dmp

Filesize
64KB

Download
memory/3788-45-0x00007FFE89DA0000-0x00007FFE8A861000-memory.dmp

Filesize
10.8MB

Download
memory/3788-40-0x0000000002E70000-0x0000000002E80000-memory.dmp

Filesize
64KB

Download
memory/3788-37-0x00007FFE89DA0000-0x00007FFE8A861000-memory.dmp

Filesize
10.8MB

Download
memory/3944-25-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3944-13-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4160-31-0x00007FFE89DA0000-0x00007FFE8A861000-memory.dmp

Filesize
10.8MB

Download
memory/4160-23-0x000000001B6F0000-0x000000001B700000-memory.dmp

Filesize
64KB

Download
memory/4160-20-0x00007FFE89DA0000-0x00007FFE8A861000-memory.dmp

Filesize
10.8MB

Download
memory/4160-17-0x0000000000920000-0x0000000000932000-memory.dmp

Filesize
72KB

Download
memory/4928-26-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4928-22-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/4928-39-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads