asyncrat | 34ddc970cca5e3a8646c6355d21d74c3c6405871f14306740b420395c3df65a7

General

Target

Bygay Ultimatum.exe
Size

111KB
MD5

69a08abd99af2c0de3ddae4f041579e2
SHA1

de04d6d17aea96d673f0ded3cb5731d4b62b97bc
SHA256

34ddc970cca5e3a8646c6355d21d74c3c6405871f14306740b420395c3df65a7
SHA512

bd1244e34d6fa7fa080e272fe5371e6f1318a90b864da18aff14b999496fc64d1bb9a4573d6ce749f20cda631a05f64bdbdb86c100840cb1171eedaa29947b25
SSDEEP

3072:p1HXoZq4xFSz8BIVJ91frkQIi/URe8642ZCUeFQ:fXSq4HSz8BIwBi/UM86xleF

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

polaris1314-38723.portmap.host:38723

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Bygay Ultimate.exe	family_asyncrat

Executes dropped EXE 2 IoCs

Processes:

Bygay Ultimate.exesvchost.exe

pid process

2248 Bygay Ultimate.exe
2556 svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2704 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2416 timeout.exe

pid	process
2704	schtasks.exe

pid	process
2416	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Bygay Ultimate.exesvchost.exe

pid	process
2248	Bygay Ultimate.exe
2248	Bygay Ultimate.exe
2248	Bygay Ultimate.exe
2248	Bygay Ultimate.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Bygay Ultimate.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2248	Bygay Ultimate.exe
Token: SeDebugPrivilege	2248	Bygay Ultimate.exe
Token: SeDebugPrivilege	2556	svchost.exe
Token: SeDebugPrivilege	2556	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Bygay Ultimatum.exeBygay Ultimate.execmd.execmd.exe

description	pid	process	target process
PID 2196 wrote to memory of 2248	2196	Bygay Ultimatum.exe	Bygay Ultimate.exe
PID 2196 wrote to memory of 2248	2196	Bygay Ultimatum.exe	Bygay Ultimate.exe
PID 2196 wrote to memory of 2248	2196	Bygay Ultimatum.exe	Bygay Ultimate.exe
PID 2248 wrote to memory of 2596	2248	Bygay Ultimate.exe	cmd.exe
PID 2248 wrote to memory of 2596	2248	Bygay Ultimate.exe	cmd.exe
PID 2248 wrote to memory of 2596	2248	Bygay Ultimate.exe	cmd.exe
PID 2248 wrote to memory of 2508	2248	Bygay Ultimate.exe	cmd.exe
PID 2248 wrote to memory of 2508	2248	Bygay Ultimate.exe	cmd.exe
PID 2248 wrote to memory of 2508	2248	Bygay Ultimate.exe	cmd.exe
PID 2596 wrote to memory of 2704	2596	cmd.exe	schtasks.exe
PID 2596 wrote to memory of 2704	2596	cmd.exe	schtasks.exe
PID 2596 wrote to memory of 2704	2596	cmd.exe	schtasks.exe
PID 2508 wrote to memory of 2416	2508	cmd.exe	timeout.exe
PID 2508 wrote to memory of 2416	2508	cmd.exe	timeout.exe
PID 2508 wrote to memory of 2416	2508	cmd.exe	timeout.exe
PID 2508 wrote to memory of 2556	2508	cmd.exe	svchost.exe
PID 2508 wrote to memory of 2556	2508	cmd.exe	svchost.exe
PID 2508 wrote to memory of 2556	2508	cmd.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Bygay Ultimatum.exe
"C:\Users\Admin\AppData\Local\Temp\Bygay Ultimatum.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Local\Temp\Bygay Ultimate.exe
"C:\Users\Admin\AppData\Local\Temp\Bygay Ultimate.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
4⤵
- Creates scheduled task(s)
PID:2704

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp259A.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2416

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bygay Ultimate.exe
Filesize
67KB

MD5
94bbbe48c09379faa010ac277482e08f

SHA1
4e291be001c08a57a94e26f35ed5312408666904

SHA256
1c11f8605d446170a2f078188dc1738974cc4cf85b26d6866eda542cf5af960c

SHA512
d6272d89782a396475cb3f990906855f968fdffbe61b08e4c278670ea69c3f0481a929efed2ac5b35c22b4e7a83b1b9d0526341f853d933f3cb7b78162905085

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp259A.tmp.bat
Filesize
154B

MD5
d2fb4390f863da2f324f06b009d3c7df

SHA1
6238b15668f0191a37d3042565c63c9b116b734f

SHA256
7dc5998c6adaa56e0b16de4eede8b4d4b5aa62fde0ffcb35c655a57d168cff64

SHA512
ae65dc98ed455509bff48925f0ed6b08cfee9fa38c66ea17c474439e45c9b791e7aab51badc5d94308d43798a25c81c9297ae2f02949970ee30fd2ab121be0f0

Download Submit
memory/2196-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

Filesize
4KB

Download
memory/2196-1-0x0000000000A20000-0x0000000000A42000-memory.dmp

Filesize
136KB

Download
memory/2248-7-0x00000000012E0000-0x00000000012F6000-memory.dmp

Filesize
88KB

Download
memory/2248-8-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2248-9-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2248-18-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2248-20-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-24-0x0000000000940000-0x0000000000956000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads