asyncrat | 61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222

General

Target

61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
Size

46.7MB
MD5

4410dbdf8f12dfbf1f165276c42444fe
SHA1

41636f267072fec4554293c8d6abe148e1e67cc6
SHA256

61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222
SHA512

33b4aa2617a3cf96623c66e67fcb22a96ca78df4829773de94ac75ea6749cf85842429e9383b720afa8937594e235c6ea02e81acb833713fa1f90ef18e0505e0
SSDEEP

786432:Nkmk80dcNz5mU7FgDHNM2RXKxN1bfHRz8CGj7IBLbTSR/4ibob+XAkqdvDjhr:Dk5cNUUJgrNPOFfxFGjMBLKLbob+XCdl

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

C2

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

Mutex

v5tvc4rc3ex788

Attributes

delay
10
install
true
install_file
audiodrv.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detects file containing reversed ASEP Autorun registry keys 1 IoCs

resource	yara_rule
behavioral2/memory/4964-0-0x0000000000640000-0x0000000000652000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2436	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2644	timeout.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 2436	4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe	97
PID 4964 wrote to memory of 2436	4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe	97
PID 4964 wrote to memory of 3580	4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe	99
PID 4964 wrote to memory of 3580	4964	61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe	99
PID 3580 wrote to memory of 2644	3580	cmd.exe	101
PID 3580 wrote to memory of 2644	3580	cmd.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe
"C:\Users\Admin\AppData\Local\Temp\61e869da1d5cefe780a706e06b904c276d8393e618de382c3b4abdbb4d817222.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodrv"' /tr "'C:\Users\Admin\AppData\Roaming\audiodrv.exe"'
  2⤵
  - Creates scheduled task(s)
  PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp83C1.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2644
- - C:\Users\Admin\AppData\Roaming\audiodrv.exe
    "C:\Users\Admin\AppData\Roaming\audiodrv.exe"
    3⤵
    PID:1552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3924 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp83C1.tmp.bat

Filesize
152B

MD5
112e0ec3c920e28cf4b0b82ad46320c5

SHA1
9bb7b60d31663dfd76964f609d9b7672e96bb63c

SHA256
5b5c5666d3729ce443f50c68bab026829cae39aa52feb0b3fbe8d2f5f2a256f6

SHA512
89f71ea0fe04287727d9929d7d3d3c23da31cf881adbcda83312f3e75448b3dfbcc20505068ef6e742bb31e3a531f48828791aaffc809e35fe0da6e6187a8afa

Download Submit
C:\Users\Admin\AppData\Roaming\audiodrv.exe

Filesize
6.3MB

MD5
952b7c3dc51a8c1f7fa47a60b9472de6

SHA1
1166116f060cd6d13b8a1c11a1d336e261de72f9

SHA256
869758928e0aca1b97edad2b2c435b6f798802990ea23e54dee30f54fd857b4d

SHA512
3d32071796bf12abf88b5c6edad6c461db02ebecf4430dd251bff1a3aeb6d94ad96bdcaa6cd7d4369dc834039fed91d6484272f0f7703a500728614a4a16398e

Download Submit
C:\Users\Admin\AppData\Roaming\audiodrv.exe

Filesize
6.1MB

MD5
e4e9f35b604db4fd7f1920fc5cff61f0

SHA1
63c9daac04d874c94ac862862b2a7d0678cd107e

SHA256
9c039e6847bb29cd65843de65da154fabc987725f0168bee53912837712814cb

SHA512
304f45b6e9b79a21824f13663954f259278074afc1dcd40cedc23b0be35966a43e17e15877318e2a4b22dbab74f350dfe61b4116c5a335b0f0c42ed8147f2179

Download Submit
memory/1552-13-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/1552-14-0x0000000001480000-0x0000000001490000-memory.dmp

Filesize
64KB

Download
memory/1552-15-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/1552-16-0x0000000001480000-0x0000000001490000-memory.dmp

Filesize
64KB

Download
memory/4964-0-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/4964-1-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/4964-2-0x000000001B2C0000-0x000000001B2D0000-memory.dmp

Filesize
64KB

Download
memory/4964-3-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/4964-9-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads