asyncrat | e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944

Resubmissions

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
Size

231KB
MD5

144f1b1c4b9cdad97d8dd1a3a89e7ea1
SHA1

1a11d76a6ab646a0d699efa0e5fc71de6e5af92c
SHA256

e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944
SHA512

2697bde82afdef6b3e9079e9add7a9026fffec2a9093932d6c05256fe73df0ef9a2fac4f26de28e2b5d87cc7dd0651dac80baa2a3841148409ab2c3ea32b6882
SSDEEP

6144:TZ+geAPqybJnO5AbpbO9jhJdrz8U6n4eOP07NyGyG2qYlw5S3U19:T4FvybJNpazzfoyG

Score

10^/10

asyncrat default persistence rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

66.235.168.242:4449

Mutex

scgofjarww

Attributes

delay
1
install
true
install_file
Loader.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Botnet

Default

66.235.168.242:3232

Attributes

delay
1
install
true
install_file
Loaader.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Client.exe	family_asyncrat
C:\Users\Admin\AppData\Local\Temp\Infected.exe	family_asyncrat

Detects executables attemping to enumerate video devices using WMI 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Client.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral1/memory/2892-7-0x0000000000DE0000-0x0000000000DF8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
C:\Users\Admin\AppData\Local\Temp\Infected.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral1/memory/2516-14-0x0000000000D10000-0x0000000000D26000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral1/memory/1560-56-0x0000000000DC0000-0x0000000000DD8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral1/memory/1600-62-0x00000000010F0000-0x0000000001106000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Detects executables containing the string DcRatBy 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Infected.exe	INDICATOR_SUSPICIOUS_EXE_DcRatBy
behavioral1/memory/2516-14-0x0000000000D10000-0x0000000000D26000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DcRatBy
behavioral1/memory/1600-62-0x00000000010F0000-0x0000000001106000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DcRatBy

Detects executables packed with ConfuserEx Mod 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WinDefend.exe	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2560-24-0x0000000000DF0000-0x0000000000E0E000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Executes dropped EXE 5 IoCs

Processes:

Client.exeInfected.exeWinDefend.exeLoader.exeLoaader.exe

pid process

2892 Client.exe
2516 Infected.exe
2560 WinDefend.exe
1560 Loader.exe
1600 Loaader.exe

pid	process
2892	Client.exe
2516	Infected.exe
2560	WinDefend.exe
1560	Loader.exe
1600	Loaader.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WinDefend.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\YourAppName = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinDefend.exe"	WinDefend.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api64.ipify.org
5 api64.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1736 schtasks.exe
2692 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2164 timeout.exe
112 timeout.exe

flow	ioc
4	api64.ipify.org
5	api64.ipify.org

pid	process
1736	schtasks.exe
2692	schtasks.exe

pid	process
2164	timeout.exe
112	timeout.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

Infected.exeClient.exeLoader.exe

pid	process
2516	Infected.exe
2516	Infected.exe
2516	Infected.exe
2892	Client.exe
2892	Client.exe
2892	Client.exe
1560	Loader.exe
1560	Loader.exe
1560	Loader.exe
1560	Loader.exe
1560	Loader.exe
1560	Loader.exe
1560	Loader.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Client.exeWinDefend.exeInfected.exeLoader.exeLoaader.exe

description	pid	process
Token: SeDebugPrivilege	2892	Client.exe
Token: SeDebugPrivilege	2560	WinDefend.exe
Token: SeDebugPrivilege	2516	Infected.exe
Token: SeDebugPrivilege	1560	Loader.exe
Token: SeDebugPrivilege	1600	Loaader.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Loader.exe

pid process

1560 Loader.exe

pid	process
1560	Loader.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exeInfected.execmd.execmd.exeClient.execmd.execmd.exe

description	pid	process	target process
PID 2168 wrote to memory of 2892	2168	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe	Client.exe
PID 2168 wrote to memory of 2892	2168	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe	Client.exe
PID 2168 wrote to memory of 2892	2168	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe	Client.exe
PID 2168 wrote to memory of 2516	2168	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe	Infected.exe
PID 2168 wrote to memory of 2516	2168	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe	Infected.exe
PID 2168 wrote to memory of 2516	2168	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe	Infected.exe
PID 2168 wrote to memory of 2560	2168	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe	WinDefend.exe
PID 2168 wrote to memory of 2560	2168	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe	WinDefend.exe
PID 2168 wrote to memory of 2560	2168	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe	WinDefend.exe
PID 2168 wrote to memory of 2560	2168	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe	WinDefend.exe
PID 2516 wrote to memory of 2408	2516	Infected.exe	cmd.exe
PID 2516 wrote to memory of 2408	2516	Infected.exe	cmd.exe
PID 2516 wrote to memory of 2408	2516	Infected.exe	cmd.exe
PID 2516 wrote to memory of 1740	2516	Infected.exe	cmd.exe
PID 2516 wrote to memory of 1740	2516	Infected.exe	cmd.exe
PID 2516 wrote to memory of 1740	2516	Infected.exe	cmd.exe
PID 2408 wrote to memory of 1736	2408	cmd.exe	schtasks.exe
PID 2408 wrote to memory of 1736	2408	cmd.exe	schtasks.exe
PID 2408 wrote to memory of 1736	2408	cmd.exe	schtasks.exe
PID 1740 wrote to memory of 2164	1740	cmd.exe	timeout.exe
PID 1740 wrote to memory of 2164	1740	cmd.exe	timeout.exe
PID 1740 wrote to memory of 2164	1740	cmd.exe	timeout.exe
PID 2892 wrote to memory of 1620	2892	Client.exe	cmd.exe
PID 2892 wrote to memory of 1620	2892	Client.exe	cmd.exe
PID 2892 wrote to memory of 1620	2892	Client.exe	cmd.exe
PID 2892 wrote to memory of 1368	2892	Client.exe	cmd.exe
PID 2892 wrote to memory of 1368	2892	Client.exe	cmd.exe
PID 2892 wrote to memory of 1368	2892	Client.exe	cmd.exe
PID 1620 wrote to memory of 2692	1620	cmd.exe	schtasks.exe
PID 1620 wrote to memory of 2692	1620	cmd.exe	schtasks.exe
PID 1620 wrote to memory of 2692	1620	cmd.exe	schtasks.exe
PID 1368 wrote to memory of 112	1368	cmd.exe	timeout.exe
PID 1368 wrote to memory of 112	1368	cmd.exe	timeout.exe
PID 1368 wrote to memory of 112	1368	cmd.exe	timeout.exe
PID 1368 wrote to memory of 1560	1368	cmd.exe	Loader.exe
PID 1368 wrote to memory of 1560	1368	cmd.exe	Loader.exe
PID 1368 wrote to memory of 1560	1368	cmd.exe	Loader.exe
PID 1740 wrote to memory of 1600	1740	cmd.exe	Loaader.exe
PID 1740 wrote to memory of 1600	1740	cmd.exe	Loaader.exe
PID 1740 wrote to memory of 1600	1740	cmd.exe	Loaader.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
"C:\Users\Admin\AppData\Local\Temp\e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\Admin\AppData\Roaming\Loader.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\Admin\AppData\Roaming\Loader.exe"'
4⤵
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1287.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:112

C:\Users\Admin\AppData\Roaming\Loader.exe
"C:\Users\Admin\AppData\Roaming\Loader.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"'
4⤵
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1258.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2164

C:\Users\Admin\AppData\Roaming\Loaader.exe
"C:\Users\Admin\AppData\Roaming\Loaader.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Users\Admin\AppData\Local\Temp\WinDefend.exe
"C:\Users\Admin\AppData\Local\Temp\WinDefend.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client.exe
Filesize
74KB

MD5
7ac0adf482250172280defec7a7054da

SHA1
20a25f0da68c309d062c4628ead8b6f377ac7969

SHA256
3caa5f06008365fbecf46198744793c36c42309b49a6324bebe8123be10f87d5

SHA512
d03d033b931f3d39f95a1ec1cdc7d9014783f11b2438c265dd72c0bc34f9d5ced534a38c7c1c88ff930868fd9cf60521dd556b5c486c5cf364f798f39215a1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Infected.exe
Filesize
63KB

MD5
b8d455465260a845db35492fda5a8888

SHA1
287b0ba049ad8f3be802d2224efb86dba72d3221

SHA256
a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282

SHA512
5dba43ae31420de362593752e8ff491afbe8d20f183f6b95e6962ea1e637c7bf3bd50b5213e4d928a96b85d9b54841ee697798b0089624b13ef7eded826cd86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinDefend.exe
Filesize
87KB

MD5
5fc6a541845fdafb597ddfb98fa28b54

SHA1
22e5dd50ddd71bc39c812db0f9b164ca10c556dd

SHA256
64e4dedb36812766c522c79cae57b7f3b2694efaa396151d4117a70282166117

SHA512
f174e4ccc89d4a7473001a9153a9c3d63bedd393dda1ea3be171768b7587846722ad07445adeafa52ef54802a8ac84eb33ab1799248dcbf7db60aa4f311da5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1258.tmp.bat
Filesize
151B

MD5
7d3d9f02d2ee70d5c62d0d9de51ba9a4

SHA1
becf2a5c468568cc4d32ddf53567c2ceaf47d650

SHA256
7c473a5f89e887c5068bc15ee043c2714cc7869cfb39a6061adb2f1d8dae0286

SHA512
1463ab8e977c0d8e103b9b110da8435796a254f976ba232db6a34293111d5750a1c8a1b74423f58cfa80fcbb02102935fb22cf0ccff72c9b13ea38a3d0906b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1287.tmp.bat
Filesize
150B

MD5
1836d5b4bb3f18db958d435c9b997edf

SHA1
96b6abbcdac0358972d1945f5756a2eb1a346829

SHA256
b117f452272590b4b059d9eaa7ecbc63df88513eb5fefad1fdeb1ea9deef8404

SHA512
6829fa060da1852219591be845bf5a2e2591304140f1ca4587a1bfeaf0e850e987d650fa431552b6361265e644188410c3ac7e1b1506367bf36a258ffe71ca7b

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Public\SSSS.log
Filesize
2KB

MD5
86c33e5ec77183c5e4211bdc7de0a3a6

SHA1
c2712f529392ce8ddcf40dab202523612a9c7e4b

SHA256
f5db1dcebc061519ba9f7efdaa0b3acbda12cdeeb921f4a6f1e8477abd0a00fb

SHA512
6f7986e83dad9d774abc653b28edb2011d915d028705834f100bd409a5af06168efd98e809abe7687d3b683ee109bc5026384c5c434c719ed6916c4bc6cbec81

Download Submit
C:\Users\Public\SSSS.log
Filesize
2KB

MD5
1d1d022160ff6250d942bc25267615aa

SHA1
9124972b921877f6c126ee6b9c2be7abffce80cc

SHA256
a3d4aa572817593af1fde6eb09b8b9bb793c86421140ee6ee2460387ec0d8cf8

SHA512
e960439f55c88c93e02569b64bd1b03545ffc72e4fa4d3743e35b703395cccdb65815a0b0122c739fcc2ef4727b5fd0e1807eb5492b9061ea62fb9cc4ee089df

Download Submit
C:\Users\Public\SSSS.log
Filesize
2KB

MD5
b30393bc46e51eaa92361b16a6714a64

SHA1
70dada0596722670a89c3644e98fd1e69a950ba2

SHA256
21c87b08b49ae300708784515cf92ff51f45a498d485e8868c1067ae15734bcf

SHA512
cd4c977e385b81de878281f7df087b0bb744db68d6fc6a72b4fad710d5aac6aff3d7e18b2cb0100d3076b581b889a2f8496cbad21de249f1c52cb131d1bc240f

Download Submit
C:\Users\Public\SSSS.log
Filesize
2KB

MD5
98d5aafd0831f6a84c6370780f6a3c8b

SHA1
7b0c7e5d5c386f688d27963b299898c3381d8f99

SHA256
c3843cc01bf2ae5b0a862ea08f81a65342defeeaf16b8add190445a888e6589a

SHA512
9728e6f0606875ae41012454744195d04b5b1766b6c8e95ad54d9bb1cb9b45f22b6feb5a788bb5869cf9f32f554354eb25352ceb103c00f1f88862b74f583204

Download Submit
C:\Users\Public\SSSS.log
Filesize
3KB

MD5
2c65455d6fd979cae6fd3d9efbef0ce2

SHA1
dff9ecd3f8397a2753ef5dae8991c33c85cdc106

SHA256
f6f2998b65444722455d7159ffa16cf68e09ae2a6329b3af4335f7c7c872c6d2

SHA512
a78d3ae0c175b550f577d16e126b743b266138194d26ce84a7d9d6c085a0d29fa3d7baeaf01e1018b35a4b508829d554aba22f365d3f0bf1b4ebe7df13ce3c04

Download Submit
C:\Users\Public\SSSS.log
Filesize
4KB

MD5
5e806f43aea98baae9e1ca6624d17e49

SHA1
5cc6e26a4b04851117f5a9a6b1bc66a1d623f312

SHA256
7231f60ff43c2b2db2d431892cb1cb4f1c2c034cc6a735ab5e74df7662931ce6

SHA512
7d5bbd2b71431648d1a894c3296c74c3553cd744c4180636990d3f57c5cbf856959a808650b38bb0a24316af5f4191758556ece42aa7f276cfaad3a05d44b8dc

Download Submit
memory/1560-56-0x0000000000DC0000-0x0000000000DD8000-memory.dmp

Filesize
96KB

Download
memory/1600-62-0x00000000010F0000-0x0000000001106000-memory.dmp

Filesize
88KB

Download
memory/2168-23-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2168-0-0x000007FEF54F3000-0x000007FEF54F4000-memory.dmp

Filesize
4KB

Download
memory/2168-9-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2168-1-0x00000000011C0000-0x0000000001200000-memory.dmp

Filesize
256KB

Download
memory/2516-14-0x0000000000D10000-0x0000000000D26000-memory.dmp

Filesize
88KB

Download
memory/2560-26-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/2560-24-0x0000000000DF0000-0x0000000000E0E000-memory.dmp

Filesize
120KB

Download
memory/2892-45-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2892-25-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2892-22-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2892-7-0x0000000000DE0000-0x0000000000DF8000-memory.dmp

Filesize
96KB

Download