asyncrat | 3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

645793d9e9330d225a3b3dfd20e20064.exe
Size

48.5MB
MD5

645793d9e9330d225a3b3dfd20e20064
SHA1

4344014c90b9a3ec79750998cdc5b68df983cd59
SHA256

3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0
SHA512

c8957f5fdf202f73e68d5e2397799f6f420b123df91743330e4d2495675c67e4d74a10e0030fb1c4d314dd1173a3b3c905db752f5d87600e8a8dcc18efb5297b
SSDEEP

1572864:Pwc6WzPrjxZFn1D0mNt1XhIEuX6LwkLXZwy:Z7BZd3f8uw

Score

10^/10

asyncrat zgrat default execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

5512.sytes.net:6606

5512.sytes.net:7707

5512.sytes.net:8808

95.211.208.153:6606

95.211.208.153:7707

95.211.208.153:8808

Mutex

Llg9a02PERRO

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/1172-18-0x0000000005190000-0x00000000053B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-43-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-67-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-85-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-101-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-99-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-105-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-103-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-97-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-95-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-93-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-91-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-89-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-88-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-83-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-81-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-79-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-77-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-75-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-73-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-71-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-69-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-65-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-63-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-61-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-59-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-57-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-55-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-51-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-49-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-42-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-53-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-47-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/1172-45-0x0000000005190000-0x00000000053AA000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	645793d9e9330d225a3b3dfd20e20064.exe

Executes dropped EXE 3 IoCs

pid	Process
1172	Dfzxuwcml.exe
4780	windows-tubemate-setup.exe
1652	windows-tubemate-setup.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kpteiazy = "C:\\Users\\Admin\\AppData\\Roaming\\Kpteiazy.exe"	Dfzxuwcml.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1172 set thread context of 4512	1172	Dfzxuwcml.exe	87

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2644	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2644	powershell.exe
2644	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1172	Dfzxuwcml.exe
Token: SeDebugPrivilege	1172	Dfzxuwcml.exe
Token: SeDebugPrivilege	4512	AppLaunch.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 2644	4084	645793d9e9330d225a3b3dfd20e20064.exe	80
PID 4084 wrote to memory of 2644	4084	645793d9e9330d225a3b3dfd20e20064.exe	80
PID 4084 wrote to memory of 2644	4084	645793d9e9330d225a3b3dfd20e20064.exe	80
PID 4084 wrote to memory of 1172	4084	645793d9e9330d225a3b3dfd20e20064.exe	82
PID 4084 wrote to memory of 1172	4084	645793d9e9330d225a3b3dfd20e20064.exe	82
PID 4084 wrote to memory of 1172	4084	645793d9e9330d225a3b3dfd20e20064.exe	82
PID 4084 wrote to memory of 4780	4084	645793d9e9330d225a3b3dfd20e20064.exe	83
PID 4084 wrote to memory of 4780	4084	645793d9e9330d225a3b3dfd20e20064.exe	83
PID 4084 wrote to memory of 4780	4084	645793d9e9330d225a3b3dfd20e20064.exe	83
PID 4780 wrote to memory of 1652	4780	windows-tubemate-setup.exe	84
PID 4780 wrote to memory of 1652	4780	windows-tubemate-setup.exe	84
PID 4780 wrote to memory of 1652	4780	windows-tubemate-setup.exe	84
PID 1172 wrote to memory of 4512	1172	Dfzxuwcml.exe	87
PID 1172 wrote to memory of 4512	1172	Dfzxuwcml.exe	87
PID 1172 wrote to memory of 4512	1172	Dfzxuwcml.exe	87
PID 1172 wrote to memory of 4512	1172	Dfzxuwcml.exe	87
PID 1172 wrote to memory of 4512	1172	Dfzxuwcml.exe	87
PID 1172 wrote to memory of 4512	1172	Dfzxuwcml.exe	87
PID 1172 wrote to memory of 4512	1172	Dfzxuwcml.exe	87
PID 1172 wrote to memory of 4512	1172	Dfzxuwcml.exe	87

C:\Users\Admin\AppData\Local\Temp\645793d9e9330d225a3b3dfd20e20064.exe
"C:\Users\Admin\AppData\Local\Temp\645793d9e9330d225a3b3dfd20e20064.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAbgBrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAZABxACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AeQByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAdAB4ACMAPgA="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Users\Admin\AppData\Local\Dfzxuwcml.exe
  "C:\Users\Admin\AppData\Local\Dfzxuwcml.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4512
- C:\Users\Admin\AppData\Local\Temp\windows-tubemate-setup.exe
  "C:\Users\Admin\AppData\Local\Temp\windows-tubemate-setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\is-96H7F.tmp\windows-tubemate-setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-96H7F.tmp\windows-tubemate-setup.tmp" /SL5="$100050,48138664,121344,C:\Users\Admin\AppData\Local\Temp\windows-tubemate-setup.exe"
    3⤵
    - Executes dropped EXE
    PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Dfzxuwcml.exe

Filesize
2.2MB

MD5
577b8f4cd65df6e3cd42d7d37c7917cf

SHA1
5033814e5aade04682bf7cb7fca3e32c46c5512a

SHA256
d4360ef0464f7620fe0e3d5185adcdc0781aacfe23510d2c6c2e85c1095c8948

SHA512
a42dab76abe41e53d7eee1ff3cec3092b26e1a05bdd6c91e8f12e35f6f14fc36df5ef918d0a2818d9f549db1e8ace169ff8ed3f441253a9a27b89c1ec816ff9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yfknuha0.j0q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-96H7F.tmp\windows-tubemate-setup.tmp

Filesize
1.1MB

MD5
34acc2bdb45a9c436181426828c4cb49

SHA1
5adaa1ac822e6128b8d4b59a54d19901880452ae

SHA256
9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07

SHA512
134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows-tubemate-setup.exe

Filesize
46.3MB

MD5
91d80adacf5e1e6686c209315197e4d1

SHA1
381a7ae480e94829d1173593af2eec981d47863a

SHA256
edf5656d1d254315ebe90b6365ee72f422cf64248da8cf885a9aa9dade46b824

SHA512
9624bf5188c675a25635f23dfe38c886e1cd2be5f69f7bec360ffe8d467c5ecff2836906fe1a129b96a3ea26c91b9fc6149002af5c9dd62c603cbe9f5d2e121a

Download Submit
memory/1172-55-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-49-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-4971-0x00000000738C0000-0x0000000074070000-memory.dmp

Filesize
7.7MB

Download
memory/1172-4966-0x00000000058F0000-0x0000000005944000-memory.dmp

Filesize
336KB

Download
memory/1172-18-0x0000000005190000-0x00000000053B0000-memory.dmp

Filesize
2.1MB

Download
memory/1172-89-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-4964-0x00000000055D0000-0x000000000561C000-memory.dmp

Filesize
304KB

Download
memory/1172-4963-0x0000000005530000-0x000000000558C000-memory.dmp

Filesize
368KB

Download
memory/1172-22-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/1172-28-0x00000000053B0000-0x0000000005442000-memory.dmp

Filesize
584KB

Download
memory/1172-88-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-4960-0x00000000738C0000-0x0000000074070000-memory.dmp

Filesize
7.7MB

Download
memory/1172-43-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-67-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-85-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-101-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-99-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-105-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-14-0x00000000738C0000-0x0000000074070000-memory.dmp

Filesize
7.7MB

Download
memory/1172-12-0x00000000005F0000-0x0000000000822000-memory.dmp

Filesize
2.2MB

Download
memory/1172-45-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-47-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-103-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-97-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-95-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-93-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-53-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-42-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-51-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-91-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-57-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-59-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-61-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-63-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-65-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-69-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-71-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-83-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-81-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-79-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-77-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-75-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/1172-73-0x0000000005190000-0x00000000053AA000-memory.dmp

Filesize
2.1MB

Download
memory/2644-15-0x00000000738C0000-0x0000000074070000-memory.dmp

Filesize
7.7MB

Download
memory/2644-154-0x0000000007780000-0x0000000007823000-memory.dmp

Filesize
652KB

Download
memory/2644-13-0x0000000005160000-0x0000000005196000-memory.dmp

Filesize
216KB

Download
memory/2644-142-0x0000000007740000-0x0000000007772000-memory.dmp

Filesize
200KB

Download
memory/2644-143-0x00000000741A0000-0x00000000741EC000-memory.dmp

Filesize
304KB

Download
memory/2644-153-0x0000000006CF0000-0x0000000006D0E000-memory.dmp

Filesize
120KB

Download
memory/2644-155-0x00000000080D0000-0x000000000874A000-memory.dmp

Filesize
6.5MB

Download
memory/2644-11-0x00000000738CE000-0x00000000738CF000-memory.dmp

Filesize
4KB

Download
memory/2644-158-0x0000000007CC0000-0x0000000007D56000-memory.dmp

Filesize
600KB

Download
memory/2644-16-0x00000000057F0000-0x0000000005E18000-memory.dmp

Filesize
6.2MB

Download
memory/2644-157-0x0000000007AA0000-0x0000000007AAA000-memory.dmp

Filesize
40KB

Download
memory/2644-2520-0x0000000007D80000-0x0000000007D9A000-memory.dmp

Filesize
104KB

Download
memory/2644-156-0x0000000007A50000-0x0000000007A6A000-memory.dmp

Filesize
104KB

Download
memory/2644-19-0x00000000057C0000-0x00000000057E2000-memory.dmp

Filesize
136KB

Download
memory/2644-4965-0x00000000738C0000-0x0000000074070000-memory.dmp

Filesize
7.7MB

Download
memory/2644-1687-0x0000000007C90000-0x0000000007C9E000-memory.dmp

Filesize
56KB

Download
memory/2644-2063-0x0000000007CA0000-0x0000000007CB4000-memory.dmp

Filesize
80KB

Download
memory/2644-140-0x0000000006710000-0x000000000672E000-memory.dmp

Filesize
120KB

Download
memory/2644-2779-0x0000000007D70000-0x0000000007D78000-memory.dmp

Filesize
32KB

Download
memory/2644-35-0x00000000060F0000-0x0000000006444000-memory.dmp

Filesize
3.3MB

Download
memory/2644-21-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/2644-231-0x0000000007C30000-0x0000000007C41000-memory.dmp

Filesize
68KB

Download
memory/2644-20-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/2644-17-0x00000000738C0000-0x0000000074070000-memory.dmp

Filesize
7.7MB

Download
memory/2644-141-0x0000000006CA0000-0x0000000006CEC000-memory.dmp

Filesize
304KB

Download
memory/4512-4970-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4512-4974-0x0000000005950000-0x00000000059EC000-memory.dmp

Filesize
624KB

Download