asyncrat | 61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222

General

Target

61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
Size

46.7MB
MD5

4410dbdf8f12dfbf1f165276c42444fe
SHA1

41636f267072fec4554293c8d6abe148e1e67cc6
SHA256

61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222
SHA512

33b4aa2617a3cf96623c66e67fcb22a96ca78df4829773de94ac75ea6749cf85842429e9383b720afa8937594e235c6ea02e81acb833713fa1f90ef18e0505e0
SSDEEP

786432:Nkmk80dcNz5mU7FgDHNM2RXKxN1bfHRz8CGj7IBLbTSR/4ibob+XAkqdvDjhr:Dk5cNUUJgrNPOFfxFGjMBLKLbob+XCdl

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

C2

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

Mutex

v5tvc4rc3ex788

Attributes

delay
10
install
true
install_file
audiodrv.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x000f00000000f680-16.dat	family_asyncrat
behavioral1/files/0x000f00000000f680-15.dat	family_asyncrat

Detects file containing reversed ASEP Autorun registry keys 4 IoCs

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000E00000-0x0000000000E12000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
behavioral1/memory/2516-17-0x00000000010D0000-0x00000000010E2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
behavioral1/files/0x000f00000000f680-16.dat	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
behavioral1/files/0x000f00000000f680-15.dat	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse

Executes dropped EXE 1 IoCs

pid	Process
2516	audiodrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2896	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2632	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2236	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
2236	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
2236	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
2516	audiodrv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
Token: SeDebugPrivilege	2516	audiodrv.exe
Token: SeDebugPrivilege	2516	audiodrv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2896	2236	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe	30
PID 2236 wrote to memory of 2896	2236	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe	30
PID 2236 wrote to memory of 2896	2236	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe	30
PID 2236 wrote to memory of 2580	2236	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe	32
PID 2236 wrote to memory of 2580	2236	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe	32
PID 2236 wrote to memory of 2580	2236	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe	32
PID 2580 wrote to memory of 2632	2580	cmd.exe	34
PID 2580 wrote to memory of 2632	2580	cmd.exe	34
PID 2580 wrote to memory of 2632	2580	cmd.exe	34
PID 2580 wrote to memory of 2516	2580	cmd.exe	35
PID 2580 wrote to memory of 2516	2580	cmd.exe	35
PID 2580 wrote to memory of 2516	2580	cmd.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
"C:\Users\Admin\AppData\Local\Temp\61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrv"' /tr "'C:\Users\Admin\AppData\Roaming\audiodrv.exe"'
  2⤵
  - Creates scheduled task(s)
  PID:2896
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp146B.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2632
- - C:\Users\Admin\AppData\Roaming\audiodrv.exe
    "C:\Users\Admin\AppData\Roaming\audiodrv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp146B.tmp.bat

Filesize
152B

MD5
4c171ffb95a7b8b4f0e2a79d036d63b3

SHA1
1f8e99589242e77bb95e582d6986d77c32914a62

SHA256
49bcc9bddd1ce8b427fcbc30819907ad8047626c6cd44c80f01120242511ece4

SHA512
12774b57f7947321f8d945c0be915381c76a881d06a4361bbaa25aa09e31840c31cb4e8c20b1446f7d7d63b1768a8e8f0421834126c7c22ce36daca23c7df850

Download Submit
C:\Users\Admin\AppData\Roaming\audiodrv.exe

Filesize
192KB

MD5
3f23660c7aa806b2ee34a81990af7877

SHA1
0cf7d2909630f77139d8969ea3a5dbe48f5aa8ca

SHA256
d01988f533ffcb7617150a7eac2da5a5d6d337df76fb7efe7f8b9f783edde0e0

SHA512
542539a8baf7325ee7447e5c6ad5d8a611ea86ab412a13ba9907c7fc0226baea31f3c0935cb2705b7f62ae36a15445471a1b726b8ac785a8ce15ce2a39fe29e9

Download Submit
C:\Users\Admin\AppData\Roaming\audiodrv.exe

Filesize
128KB

MD5
ad0f72257f7f2a86d30afa87dacf5a83

SHA1
ccdeba142d4cf087ee46eafe246e533b3737d111

SHA256
669abd5f973fd0a06c69ae768aecf80179f588b649b0b128dbf01deacee96435

SHA512
e2475d9ff85e800921dea43d1b97c3a88a7b827a67b0b2ba3309963ebafe75e4e51ead0d8497f85ddae1ebe41a0a7ab208cfe666f5b0bbb14f44e47e3e4f999b

Download Submit
memory/2236-3-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-0-0x0000000000E00000-0x0000000000E12000-memory.dmp

Filesize
72KB

Download
memory/2236-13-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-2-0x000000001B110000-0x000000001B190000-memory.dmp

Filesize
512KB

Download
memory/2236-1-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-17-0x00000000010D0000-0x00000000010E2000-memory.dmp

Filesize
72KB

Download
memory/2516-18-0x000007FEF47B0000-0x000007FEF519C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-19-0x000000001B160000-0x000000001B1E0000-memory.dmp

Filesize
512KB

Download
memory/2516-20-0x000007FEF47B0000-0x000007FEF519C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-21-0x000000001B160000-0x000000001B1E0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads