asyncrat | 3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0

Analysis

max time kernel
142s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe
Size

48.5MB
MD5

645793d9e9330d225a3b3dfd20e20064
SHA1

4344014c90b9a3ec79750998cdc5b68df983cd59
SHA256

3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0
SHA512

c8957f5fdf202f73e68d5e2397799f6f420b123df91743330e4d2495675c67e4d74a10e0030fb1c4d314dd1173a3b3c905db752f5d87600e8a8dcc18efb5297b
SSDEEP

1572864:Pwc6WzPrjxZFn1D0mNt1XhIEuX6LwkLXZwy:Z7BZd3f8uw

Score

10^/10

asyncrat zgrat default execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

5512.sytes.net:6606

5512.sytes.net:7707

5512.sytes.net:8808

95.211.208.153:6606

95.211.208.153:7707

95.211.208.153:8808

Mutex

Llg9a02PERRO

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral1/memory/3056-10-0x0000000004B30000-0x0000000004D50000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-24-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-23-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-31-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-29-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-26-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-85-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-84-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-81-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-79-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-78-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-75-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-73-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-71-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-69-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-68-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-65-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-63-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-61-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-59-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-58-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-55-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-53-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-51-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-50-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-47-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-46-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-43-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-41-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-39-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-37-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-35-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3056-33-0x0000000004B30000-0x0000000004D4A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects file containing reversed ASEP Autorun registry keys 1 IoCs

resource	yara_rule
behavioral1/memory/3200-4922-0x0000000000400000-0x0000000000412000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse

Executes dropped EXE 3 IoCs

pid	Process
3056	Dfzxuwcml.exe
2600	windows-tubemate-setup.exe
2652	windows-tubemate-setup.tmp

Loads dropped DLL 3 IoCs

pid	Process
620	3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe
620	3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe
2600	windows-tubemate-setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kpteiazy = "C:\\Users\\Admin\\AppData\\Roaming\\Kpteiazy.exe"	Dfzxuwcml.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3056 set thread context of 3200	3056	Dfzxuwcml.exe	34

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2648	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2648	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2652	windows-tubemate-setup.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	3056	Dfzxuwcml.exe
Token: SeDebugPrivilege	3056	Dfzxuwcml.exe
Token: SeDebugPrivilege	3200	AppLaunch.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 2648	620	3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe	28
PID 620 wrote to memory of 2648	620	3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe	28
PID 620 wrote to memory of 2648	620	3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe	28
PID 620 wrote to memory of 2648	620	3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe	28
PID 620 wrote to memory of 3056	620	3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe	30
PID 620 wrote to memory of 3056	620	3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe	30
PID 620 wrote to memory of 3056	620	3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe	30
PID 620 wrote to memory of 3056	620	3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe	30
PID 620 wrote to memory of 2600	620	3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe	31
PID 620 wrote to memory of 2600	620	3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe	31
PID 620 wrote to memory of 2600	620	3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe	31
PID 620 wrote to memory of 2600	620	3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe	31
PID 620 wrote to memory of 2600	620	3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe	31
PID 620 wrote to memory of 2600	620	3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe	31
PID 620 wrote to memory of 2600	620	3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe	31
PID 2600 wrote to memory of 2652	2600	windows-tubemate-setup.exe	32
PID 2600 wrote to memory of 2652	2600	windows-tubemate-setup.exe	32
PID 2600 wrote to memory of 2652	2600	windows-tubemate-setup.exe	32
PID 2600 wrote to memory of 2652	2600	windows-tubemate-setup.exe	32
PID 2600 wrote to memory of 2652	2600	windows-tubemate-setup.exe	32
PID 2600 wrote to memory of 2652	2600	windows-tubemate-setup.exe	32
PID 2600 wrote to memory of 2652	2600	windows-tubemate-setup.exe	32
PID 3056 wrote to memory of 3200	3056	Dfzxuwcml.exe	34
PID 3056 wrote to memory of 3200	3056	Dfzxuwcml.exe	34
PID 3056 wrote to memory of 3200	3056	Dfzxuwcml.exe	34
PID 3056 wrote to memory of 3200	3056	Dfzxuwcml.exe	34
PID 3056 wrote to memory of 3200	3056	Dfzxuwcml.exe	34
PID 3056 wrote to memory of 3200	3056	Dfzxuwcml.exe	34
PID 3056 wrote to memory of 3200	3056	Dfzxuwcml.exe	34
PID 3056 wrote to memory of 3200	3056	Dfzxuwcml.exe	34
PID 3056 wrote to memory of 3200	3056	Dfzxuwcml.exe	34
PID 3056 wrote to memory of 3200	3056	Dfzxuwcml.exe	34
PID 3056 wrote to memory of 3200	3056	Dfzxuwcml.exe	34
PID 3056 wrote to memory of 3200	3056	Dfzxuwcml.exe	34

C:\Users\Admin\AppData\Local\Temp\3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe
"C:\Users\Admin\AppData\Local\Temp\3644efb050a5e1733ca9dc4f6a32fba33883497c41121cf5a7de4837236690e0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAbgBrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAZABxACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AeQByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAdAB4ACMAPgA="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Users\Admin\AppData\Local\Dfzxuwcml.exe
  "C:\Users\Admin\AppData\Local\Dfzxuwcml.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3200
- C:\Users\Admin\AppData\Local\Temp\windows-tubemate-setup.exe
  "C:\Users\Admin\AppData\Local\Temp\windows-tubemate-setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\is-4MTUO.tmp\windows-tubemate-setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-4MTUO.tmp\windows-tubemate-setup.tmp" /SL5="$80120,48138664,121344,C:\Users\Admin\AppData\Local\Temp\windows-tubemate-setup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab5968.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6D97.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Dfzxuwcml.exe

Filesize
2.2MB

MD5
577b8f4cd65df6e3cd42d7d37c7917cf

SHA1
5033814e5aade04682bf7cb7fca3e32c46c5512a

SHA256
d4360ef0464f7620fe0e3d5185adcdc0781aacfe23510d2c6c2e85c1095c8948

SHA512
a42dab76abe41e53d7eee1ff3cec3092b26e1a05bdd6c91e8f12e35f6f14fc36df5ef918d0a2818d9f549db1e8ace169ff8ed3f441253a9a27b89c1ec816ff9d

Download Submit
\Users\Admin\AppData\Local\Temp\is-4MTUO.tmp\windows-tubemate-setup.tmp

Filesize
1.1MB

MD5
34acc2bdb45a9c436181426828c4cb49

SHA1
5adaa1ac822e6128b8d4b59a54d19901880452ae

SHA256
9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07

SHA512
134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb

Download Submit
\Users\Admin\AppData\Local\Temp\windows-tubemate-setup.exe

Filesize
46.3MB

MD5
91d80adacf5e1e6686c209315197e4d1

SHA1
381a7ae480e94829d1173593af2eec981d47863a

SHA256
edf5656d1d254315ebe90b6365ee72f422cf64248da8cf885a9aa9dade46b824

SHA512
9624bf5188c675a25635f23dfe38c886e1cd2be5f69f7bec360ffe8d467c5ecff2836906fe1a129b96a3ea26c91b9fc6149002af5c9dd62c603cbe9f5d2e121a

Download Submit
memory/2600-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3056-4907-0x00000000022D0000-0x000000000231C000-memory.dmp

Filesize
304KB

Download
memory/3056-61-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-31-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-29-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-26-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-85-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-84-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-81-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-79-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-78-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-75-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-73-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-71-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-69-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-68-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-65-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-24-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-4906-0x0000000002270000-0x00000000022CC000-memory.dmp

Filesize
368KB

Download
memory/3056-63-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-23-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-59-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-58-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-55-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-53-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-51-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-50-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-47-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-46-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-43-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-41-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-39-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-37-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-35-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-33-0x0000000004B30000-0x0000000004D4A000-memory.dmp

Filesize
2.1MB

Download
memory/3056-4908-0x0000000004960000-0x00000000049B4000-memory.dmp

Filesize
336KB

Download
memory/3056-9-0x0000000000AE0000-0x0000000000D12000-memory.dmp

Filesize
2.2MB

Download
memory/3056-10-0x0000000004B30000-0x0000000004D50000-memory.dmp

Filesize
2.1MB

Download
memory/3200-4922-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download