asyncrat | 7d69e0d82e74059115486fae5dd5ac6463c7fccd91dbbcaa9587117c7d201ddb

Resubmissions

22-04-2024 22:02

240422-1xtwbagh68 10

22-04-2024 19:25

240422-x42b7afa68 10

19-04-2024 03:02

240419-djmthsfh8w 10

Analysis

max time kernel
1479s
max time network
1810s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
22-04-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe
Size

647KB
MD5

4532fe89506406de9ebaa83778d74c8f
SHA1

8015b822fc7df8d33ec3416e773f7189e9b74b5f
SHA256

2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066
SHA512

50706520d3df0669ac2b7a75a6a234cd28deec92e8be98e0e4ce7ef8848952cc07b53e30723bf4668ee3f940714360f6ba705bfe83e2d47f3163c86e407ba36a
SSDEEP

12288:w3qcsNKVUdaaPDodw7y1Q3krddMK341VhJ5mhj2ZCm03Pjzkjp:w33uK2daGz+1Q3qdMKoDhJkhWCmQjzAp

Score

10^/10

asyncrat new_n4 rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

NEW_N4

fttuvgt.ddnsfree.com:6969

fttuvgt.ddnsfree.com:6668

fttuvgt.ddnsfree.com:6667

Mutex

AsyncMutex_xxx342592

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

Soldiers.pif

description pid process target process

PID 4584 created 3380 4584 Soldiers.pif Explorer.EXE
PID 4584 created 3380 4584 Soldiers.pif Explorer.EXE

description	pid	process	target process
PID 4584 created 3380	4584	Soldiers.pif	Explorer.EXE
PID 4584 created 3380	4584	Soldiers.pif	Explorer.EXE

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

Soldiers.pifRegAsm.exe

pid process

4584 Soldiers.pif
2428 RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4488 tasklist.exe
3944 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2404 PING.EXE

pid	process
4488	tasklist.exe
3944	tasklist.exe

pid	process
2404	PING.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

Soldiers.pifRegAsm.exe

pid	process
4584	Soldiers.pif
4584	Soldiers.pif
4584	Soldiers.pif
4584	Soldiers.pif
4584	Soldiers.pif
4584	Soldiers.pif
4584	Soldiers.pif
4584	Soldiers.pif
4584	Soldiers.pif
4584	Soldiers.pif
4584	Soldiers.pif
4584	Soldiers.pif
4584	Soldiers.pif
4584	Soldiers.pif
4584	Soldiers.pif
4584	Soldiers.pif
4584	Soldiers.pif
4584	Soldiers.pif
4584	Soldiers.pif
4584	Soldiers.pif
2428	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

2428 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tasklist.exetasklist.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 4488 tasklist.exe
Token: SeDebugPrivilege 3944 tasklist.exe
Token: SeDebugPrivilege 2428 RegAsm.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Soldiers.pif

pid process

4584 Soldiers.pif
4584 Soldiers.pif
4584 Soldiers.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Soldiers.pif

pid process

4584 Soldiers.pif
4584 Soldiers.pif
4584 Soldiers.pif
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2428 RegAsm.exe

pid	process
2428	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4488	tasklist.exe
Token: SeDebugPrivilege	3944	tasklist.exe
Token: SeDebugPrivilege	2428	RegAsm.exe

pid	process
2428	RegAsm.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.execmd.exeSoldiers.pif

description	pid	process	target process
PID 4320 wrote to memory of 4328	4320	2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe	cmd.exe
PID 4320 wrote to memory of 4328	4320	2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe	cmd.exe
PID 4320 wrote to memory of 4328	4320	2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe	cmd.exe
PID 4328 wrote to memory of 4488	4328	cmd.exe	tasklist.exe
PID 4328 wrote to memory of 4488	4328	cmd.exe	tasklist.exe
PID 4328 wrote to memory of 4488	4328	cmd.exe	tasklist.exe
PID 4328 wrote to memory of 4588	4328	cmd.exe	findstr.exe
PID 4328 wrote to memory of 4588	4328	cmd.exe	findstr.exe
PID 4328 wrote to memory of 4588	4328	cmd.exe	findstr.exe
PID 4328 wrote to memory of 3944	4328	cmd.exe	tasklist.exe
PID 4328 wrote to memory of 3944	4328	cmd.exe	tasklist.exe
PID 4328 wrote to memory of 3944	4328	cmd.exe	tasklist.exe
PID 4328 wrote to memory of 4944	4328	cmd.exe	findstr.exe
PID 4328 wrote to memory of 4944	4328	cmd.exe	findstr.exe
PID 4328 wrote to memory of 4944	4328	cmd.exe	findstr.exe
PID 4328 wrote to memory of 3908	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 3908	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 3908	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 4592	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 4592	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 4592	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 3572	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 3572	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 3572	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 4584	4328	cmd.exe	Soldiers.pif
PID 4328 wrote to memory of 4584	4328	cmd.exe	Soldiers.pif
PID 4328 wrote to memory of 4584	4328	cmd.exe	Soldiers.pif
PID 4328 wrote to memory of 2404	4328	cmd.exe	PING.EXE
PID 4328 wrote to memory of 2404	4328	cmd.exe	PING.EXE
PID 4328 wrote to memory of 2404	4328	cmd.exe	PING.EXE
PID 4584 wrote to memory of 1200	4584	Soldiers.pif	cmd.exe
PID 4584 wrote to memory of 1200	4584	Soldiers.pif	cmd.exe
PID 4584 wrote to memory of 1200	4584	Soldiers.pif	cmd.exe
PID 4584 wrote to memory of 2428	4584	Soldiers.pif	RegAsm.exe
PID 4584 wrote to memory of 2428	4584	Soldiers.pif	RegAsm.exe
PID 4584 wrote to memory of 2428	4584	Soldiers.pif	RegAsm.exe
PID 4584 wrote to memory of 2428	4584	Soldiers.pif	RegAsm.exe
PID 4584 wrote to memory of 2428	4584	Soldiers.pif	RegAsm.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe
"C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Newsletters Newsletters.bat & Newsletters.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:4588

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
cmd /c md 0221
4⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Reaching + Finest + Environmental + Tons + Symbols + Rice 0221\Soldiers.pif
4⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Triangle + Ave + Tray 0221\o
4⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\0221\Soldiers.pif
0221\Soldiers.pif 0221\o
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:2404

C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url" & echo URL="C:\Users\Admin\AppData\Local\StitchCraft Studios Co\FinestitchR.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url" & exit
2⤵
- Drops startup file
PID:1200

C:\Users\Admin\AppData\Local\Temp\0221\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\0221\RegAsm.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2428

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0221\RegAsm.exe
Filesize
63KB

MD5
42ab6e035df99a43dbb879c86b620b91

SHA1
c6e116569d17d8142dbb217b1f8bfa95bc148c38

SHA256
53195987d396986ebcb20425ac130e78ad308fdbd918f33f3fd92b99abda314b

SHA512
2e79de2d394ad33023d71611bb728b254aa4680b5a3a1ef5282b1155ddfaa2f3585c840a6700dfe0d1a276dac801298431f0187086d2e8f96b22f6c808fb97e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0221\Soldiers.pif
Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0221\o
Filesize
507KB

MD5
fc2e0f6ae9c49f4c1f73e1a455bda758

SHA1
00297b73b0b5152c46e8a5517c10660fa37b1724

SHA256
d2f8bad64a400060d230415a15f38449037907a6dd0e2d8e3f3b3c047a5be3f2

SHA512
c88c0329f7827ac803b15dbfd59d09965832cb76e82390b1d27f22e9114f7e4adf38493fc97f816c0e0b8bbbc0b68a5d22f74bd7d783cf9bad0485e8328df2a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ave
Filesize
282KB

MD5
2af9a11316c5ec31d8429dd37e50b06b

SHA1
cee13a90c0ba136825716f2dd1d517ec55bc3777

SHA256
a49d011010b21fbe725d1f635e279285580a7d35e0eaf6d53ba8fc1d3bc8d8f0

SHA512
2e05fbbd670b291b4fdb5f41b27c120f16b3a49ad61eed467efdb9178345c2b6889a5ed18728c123e1a5c7d29d26fa3ad98c50565bc4a88b6868708931a09831

Download Submit
C:\Users\Admin\AppData\Local\Temp\Environmental
Filesize
184KB

MD5
4a094b9a89ae4c55768e8e012ee4d023

SHA1
9d625903d40e8563a91171db01549302acb26091

SHA256
8948e23d1611624abd88ef91d7ab119efe22896b8d12370ab2989d10f5fd8185

SHA512
c40ad8c7294cbd4e3bd26229d4b2054b131a912005a0221c442c3f12d6cfebe1541738a8f4d1439071fd15c794b4cbc1b5ba0fd2a64adcd7d35615523bb590bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Finest
Filesize
286KB

MD5
190d5cc5f06756ecfd8284f7ca962cba

SHA1
0192bc94f63a4d999848d18b5b3400f53bc266ea

SHA256
c848899356852d7cdd43ce525b0f464db427252ad07c539c064cb89a7bdbc5a2

SHA512
e83ece7b2de4d376e08fb41e08139fe2793f705af86a0ebe379396712fd005e6961e8b7eb2d3b8b8c9711ee515d73a4870968038090885e4795c8f6b39e5f0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newsletters
Filesize
26KB

MD5
1c4cabf20ffeef1a7d9e71d77d5c62fa

SHA1
b6cfa0efd9b12a9b5f929ce3a41dab8dbb454656

SHA256
8145332923bbb85ae2517c87b587b2de275219badf769fbc4064e3f76d1b26c0

SHA512
39abf36ba0d2cc633abe7525e267b09418bd13aac906c24c00c106f0358671b1fc75cff6a26e6a9a3ec01249fc140441431ef18d2585c00e78f9973504f22a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reaching
Filesize
292KB

MD5
c3a422b148a736804f525f481f289d2d

SHA1
2cead45c5bdcc21213701bc92f45d2ab3e9e7258

SHA256
520b4a0ca94396abb97ea723ed7d6dfa7880cce4013d2f998b3c83090295d254

SHA512
ddf1ba3d23f9b5363f3b1817e705ae4da6cddc3218c6778896eca9ec30ed0d0daf66cc502d133a56c4f880efeea026b0d513024e82d825684701e12a7339bb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rice
Filesize
41KB

MD5
0b0c7642bf84588d7fb643e251001b81

SHA1
4a7435708db3e0eea8d3e5ab9e78cdcfafdec4cd

SHA256
047ee02962359b321112610fd3fa7ab416b028b9a2bee3cd7343de7641136aec

SHA512
09b1800306461fe1fa1df0dc3a7a2b91de4a44dff950bec7eaef0de7b9c4f5c46d087f09f67ba4d819d5fd9ca1a6c44d8fa3d26ca20d80b672423c7bdc5b3dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols
Filesize
33KB

MD5
ced8fcd39719d599d0f4d9561e6fe507

SHA1
59eb5f73d676efae575623e546978d42decf6260

SHA256
1927ede910ccaee4f846eb85401f63dc5860f5db5a66562b54853e59e437dd1e

SHA512
a7bb599680bdb57e8a4c559a21403737e75d206798cebd53d0dd3939ef00445d8009c404772e23015919ba90ba522b87ef3cf44a7df6682fb2b622b2b67edfe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tons
Filesize
89KB

MD5
639ac7a58107cc48b3d0f9ea512c4fae

SHA1
a34aede82b0042f6e87902fbdd8e4a3ead6746f8

SHA256
72d8b933bbe09704f7f5200ba648fbc12a26b0cf7b232c2f7172c1dcf6b5abef

SHA512
794349c95e93f6fd5227ddce23bba317d8862c7d7ba4ac6c84adf59a127f39943a3c55e4949664197e7970b2d48d9afbe1b0fdde55562ffdacc5b2821621c85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tray
Filesize
12KB

MD5
83838b9779309c6deff2ecd321607cea

SHA1
09e321410d80ea507e8426de23967db9d9478e72

SHA256
6718bc24cfddc6f194e5fe687fdeae9a189aaec7908a1545863cb1b43fdbf30c

SHA512
5076d2808b31f63dc03f686b3434e210ee598b633df1b1f151d0a7c5e2fc3074209174451a5493fd232d52fdbf35a6459f29a45411144153464cf87ef558fc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Triangle
Filesize
213KB

MD5
530605e3eccc1595d537b0baeabf2b36

SHA1
6a52cb76c3b5a615895f85e565cb219d5da56416

SHA256
86151ad1b478399281ea7d5de476f6e3709fa17383d44e607ef62df9fefe8ec1

SHA512
e397c19f63350bf6066f702cb7e9140effd235656d3f7c02bd8fdc11f4bdd36c1947a2109e845118b3cc9224e4c50dc1fb3a3cd3762348ee1d4006e368f52614

Download Submit
memory/2428-40-0x0000000005510000-0x0000000005AB6000-memory.dmp

Filesize
5.6MB

Download
memory/2428-35-0x00000000007C0000-0x00000000007D6000-memory.dmp

Filesize
88KB

Download
memory/2428-38-0x0000000074580000-0x0000000074D31000-memory.dmp

Filesize
7.7MB

Download
memory/2428-39-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

Filesize
64KB

Download
memory/2428-41-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/2428-42-0x0000000005120000-0x000000000512A000-memory.dmp

Filesize
40KB

Download
memory/2428-45-0x0000000005E60000-0x0000000005EFC000-memory.dmp

Filesize
624KB

Download
memory/2428-46-0x0000000006390000-0x00000000063F6000-memory.dmp

Filesize
408KB

Download
memory/2428-47-0x0000000074580000-0x0000000074D31000-memory.dmp

Filesize
7.7MB

Download
memory/2428-48-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

Filesize
64KB

Download
memory/4584-34-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/4584-25-0x0000000077DB1000-0x0000000077ED3000-memory.dmp

Filesize
1.1MB

Download