asyncrat | a2858616779ffd82b7ca8897429270ea737990e882f0c165c75e9cd8a9fc0ae8

General

Target

Byte Username Checker.exe
Size

392KB
MD5

a61034d8a54f5ae3c5ca31f2a9efea9e
SHA1

05ae35a5dd8483e205af45e2e92d3884cd167281
SHA256

e001cdb30543127e5a86b90645e14b0d43ae319a5b872a270177642d24b2fc0b
SHA512

ec8e80fc985005274704dffdc8a12c389459511f0783f614e1f83de52592706ec47d98462af21c3bf848c86f8b875c718adea56659628b300a8a64c6f2680ca1
SSDEEP

6144:tHV6bX8UA8BcJgUpL8SNFDu/O63hGSb/DB5pr0+UTsWkef1XwxQ1nId:t1BULB+p5bu9TlLfUTdwq1n

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

C2

3.17.177.175:1337

Mutex

etzgrlmsnolisgbioe

Attributes

delay
5
install
true
install_file
updater.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Documents\recOpLdTdWYZU.exe	family_asyncrat

Executes dropped EXE 3 IoCs

Processes:

recfkkddzZRYM.exerecOpLdTdWYZU.exeupdater.exe

pid process

2892 recfkkddzZRYM.exe
1404 recOpLdTdWYZU.exe
772 updater.exe
Loads dropped DLL 5 IoCs

Processes:

WerFault.exe

pid process

2484 WerFault.exe
2484 WerFault.exe
2484 WerFault.exe
2484 WerFault.exe
2484 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2484 2892 WerFault.exe recfkkddzZRYM.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2488 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

624 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

recOpLdTdWYZU.exeupdater.exe

pid process

1404 recOpLdTdWYZU.exe
1404 recOpLdTdWYZU.exe
1404 recOpLdTdWYZU.exe
772 updater.exe

pid	process
2892	recfkkddzZRYM.exe
1404	recOpLdTdWYZU.exe
772	updater.exe

pid	process
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe
2484	WerFault.exe

pid	pid_target	process	target process
2484	2892	WerFault.exe	recfkkddzZRYM.exe

pid	process
2488	schtasks.exe

pid	process
624	timeout.exe

pid	process
1404	recOpLdTdWYZU.exe
1404	recOpLdTdWYZU.exe
1404	recOpLdTdWYZU.exe
772	updater.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

recfkkddzZRYM.exerecOpLdTdWYZU.exeupdater.exe

description	pid	process
Token: SeDebugPrivilege	2892	recfkkddzZRYM.exe
Token: SeDebugPrivilege	1404	recOpLdTdWYZU.exe
Token: SeDebugPrivilege	772	updater.exe
Token: SeDebugPrivilege	772	updater.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Byte Username Checker.exerecfkkddzZRYM.exerecOpLdTdWYZU.execmd.exe

description	pid	process	target process
PID 2732 wrote to memory of 2892	2732	Byte Username Checker.exe	recfkkddzZRYM.exe
PID 2732 wrote to memory of 2892	2732	Byte Username Checker.exe	recfkkddzZRYM.exe
PID 2732 wrote to memory of 2892	2732	Byte Username Checker.exe	recfkkddzZRYM.exe
PID 2732 wrote to memory of 2892	2732	Byte Username Checker.exe	recfkkddzZRYM.exe
PID 2732 wrote to memory of 1404	2732	Byte Username Checker.exe	recOpLdTdWYZU.exe
PID 2732 wrote to memory of 1404	2732	Byte Username Checker.exe	recOpLdTdWYZU.exe
PID 2732 wrote to memory of 1404	2732	Byte Username Checker.exe	recOpLdTdWYZU.exe
PID 2892 wrote to memory of 2484	2892	recfkkddzZRYM.exe	WerFault.exe
PID 2892 wrote to memory of 2484	2892	recfkkddzZRYM.exe	WerFault.exe
PID 2892 wrote to memory of 2484	2892	recfkkddzZRYM.exe	WerFault.exe
PID 2892 wrote to memory of 2484	2892	recfkkddzZRYM.exe	WerFault.exe
PID 1404 wrote to memory of 2488	1404	recOpLdTdWYZU.exe	schtasks.exe
PID 1404 wrote to memory of 2488	1404	recOpLdTdWYZU.exe	schtasks.exe
PID 1404 wrote to memory of 2488	1404	recOpLdTdWYZU.exe	schtasks.exe
PID 1404 wrote to memory of 2252	1404	recOpLdTdWYZU.exe	cmd.exe
PID 1404 wrote to memory of 2252	1404	recOpLdTdWYZU.exe	cmd.exe
PID 1404 wrote to memory of 2252	1404	recOpLdTdWYZU.exe	cmd.exe
PID 2252 wrote to memory of 624	2252	cmd.exe	timeout.exe
PID 2252 wrote to memory of 624	2252	cmd.exe	timeout.exe
PID 2252 wrote to memory of 624	2252	cmd.exe	timeout.exe
PID 2252 wrote to memory of 772	2252	cmd.exe	updater.exe
PID 2252 wrote to memory of 772	2252	cmd.exe	updater.exe
PID 2252 wrote to memory of 772	2252	cmd.exe	updater.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Byte Username Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Byte Username Checker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\Documents\recfkkddzZRYM.exe
  "C:\Users\Admin\Documents\recfkkddzZRYM.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 996
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2484
- C:\Users\Admin\Documents\recOpLdTdWYZU.exe
  "C:\Users\Admin\Documents\recOpLdTdWYZU.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'updater"' /tr "'C:\Users\Admin\AppData\Roaming\updater.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2488
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp68E1.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:624
  - - C:\Users\Admin\AppData\Roaming\updater.exe
      "C:\Users\Admin\AppData\Roaming\updater.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp68E1.tmp.bat

Filesize
151B

MD5
6edda596aaf67544a6db3a831e3192a5

SHA1
d1bd52dbf11b785256bd07535003fddd30c254c0

SHA256
117eda7ea4edc3c0e92eedaab770a1d1736fc6ae41ab34fb51361c0c960338dc

SHA512
603ab628d8d3f18643ae99dcd48e0466d9b2b1f97b38c5dce897aae12b8c623992d2a21deebb4849a9d419f06b7bb3eca9d2e3bc53f9f40056360ed82d357344

Download Submit
C:\Users\Admin\AppData\Roaming\updater.exe

Filesize
47.8MB

MD5
f550820d8d9b77a9a8330a75f0ef8c3e

SHA1
139efa89241ec77230c485a9bb35651413053337

SHA256
729003f2c203594a6b6a933489e71c41b75bc0194c6ac1d80915469c7bc29675

SHA512
e26d3dddd0ff3ea6297af118aa1eb0039928b3c5058fc9aa0b4da728a0b191f384966de9dcc3d579f904088f8a0b4dfc2b20a0e9e873d926acb5139407ebe87c

Download Submit
C:\Users\Admin\Documents\recOpLdTdWYZU.exe

Filesize
48KB

MD5
ff1bf6b595673b407355cce48faea587

SHA1
fb0090a715202f5784c45a0e787863967c1cc877

SHA256
4668ac42bb8c2e31e0127efe0474501d5a21745fae025f0c7f954e349739c188

SHA512
9dafb7bb809832f7433aebd891b77dc3b0a28428cf801a29f4bdb42738d7cb812246d047f5ab66c76546f44aa4a9af436d0d2c037c1bd01871b3f7da9a6bb08c

Download Submit
C:\Users\Admin\Documents\recfkkddzZRYM.exe

Filesize
327KB

MD5
64168fb87c1fe643d3e0f09c1960a8be

SHA1
d83dcba21fb4a37a884b82a5e84201f86a03ff9e

SHA256
414b46f4e19f2600efca16bed60c775371c1ba764cb444812951d31ba08b2321

SHA512
b46751370178baed48b9d316d7b63969d03a9430af7a9078cdd137615f0c0abf03acf55b1530bf289a741eda681c8492affdd15df290465742b7c609624995d1

Download Submit
memory/772-33-0x0000000000940000-0x0000000000952000-memory.dmp

Filesize
72KB

Download
memory/1404-13-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/2732-0-0x000007FEF5CFE000-0x000007FEF5CFF000-memory.dmp

Filesize
4KB

Download
memory/2732-12-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-14-0x0000000001120000-0x0000000001178000-memory.dmp

Filesize
352KB

Download
memory/2892-15-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads