asyncrat | e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944

General

Target

e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
Size

231KB
MD5

144f1b1c4b9cdad97d8dd1a3a89e7ea1
SHA1

1a11d76a6ab646a0d699efa0e5fc71de6e5af92c
SHA256

e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944
SHA512

2697bde82afdef6b3e9079e9add7a9026fffec2a9093932d6c05256fe73df0ef9a2fac4f26de28e2b5d87cc7dd0651dac80baa2a3841148409ab2c3ea32b6882
SSDEEP

6144:TZ+geAPqybJnO5AbpbO9jhJdrz8U6n4eOP07NyGyG2qYlw5S3U19:T4FvybJNpazzfoyG

Score

10^/10

asyncrat default persistence rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

66.235.168.242:3232

Attributes

delay
1
install
true
install_file
Loaader.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

66.235.168.242:4449

Mutex

scgofjarww

Attributes

delay
1
install
true
install_file
Loader.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Client.exe	family_asyncrat
C:\Users\Admin\AppData\Local\Temp\Infected.exe	family_asyncrat

Detects executables attemping to enumerate video devices using WMI 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Client.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
C:\Users\Admin\AppData\Local\Temp\Infected.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral2/memory/4732-26-0x0000000000D70000-0x0000000000D86000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral2/memory/2164-23-0x00000000001B0000-0x00000000001C8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Detects executables containing the string DcRatBy 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Infected.exe	INDICATOR_SUSPICIOUS_EXE_DcRatBy
behavioral2/memory/4732-26-0x0000000000D70000-0x0000000000D86000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DcRatBy

Detects executables packed with ConfuserEx Mod 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WinDefend.exe	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/3364-43-0x0000000000580000-0x000000000059E000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exeClient.exeInfected.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Infected.exe

Executes dropped EXE 5 IoCs

Processes:

Client.exeInfected.exeWinDefend.exeLoader.exeLoaader.exe

pid process

2164 Client.exe
4732 Infected.exe
3364 WinDefend.exe
4248 Loader.exe
1748 Loaader.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WinDefend.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YourAppName = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinDefend.exe"	WinDefend.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api64.ipify.org
9 api64.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4488 schtasks.exe
4392 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2336 timeout.exe
1404 timeout.exe

flow	ioc
8	api64.ipify.org
9	api64.ipify.org

pid	process
4488	schtasks.exe
4392	schtasks.exe

pid	process
2336	timeout.exe
1404	timeout.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

Client.exeInfected.exeLoader.exe

pid	process
2164	Client.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
2164	Client.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
4732	Infected.exe
4248	Loader.exe
4248	Loader.exe
4248	Loader.exe
4248	Loader.exe
4248	Loader.exe
4248	Loader.exe
4248	Loader.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Client.exeWinDefend.exeInfected.exeLoader.exeLoaader.exe

description	pid	process
Token: SeDebugPrivilege	2164	Client.exe
Token: SeDebugPrivilege	3364	WinDefend.exe
Token: SeDebugPrivilege	4732	Infected.exe
Token: SeDebugPrivilege	4248	Loader.exe
Token: SeDebugPrivilege	1748	Loaader.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Loader.exe

pid process

4248 Loader.exe

pid	process
4248	Loader.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exeClient.execmd.execmd.exeInfected.execmd.execmd.exe

description	pid	process	target process
PID 3528 wrote to memory of 2164	3528	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe	Client.exe
PID 3528 wrote to memory of 2164	3528	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe	Client.exe
PID 3528 wrote to memory of 4732	3528	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe	Infected.exe
PID 3528 wrote to memory of 4732	3528	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe	Infected.exe
PID 3528 wrote to memory of 3364	3528	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe	WinDefend.exe
PID 3528 wrote to memory of 3364	3528	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe	WinDefend.exe
PID 3528 wrote to memory of 3364	3528	e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe	WinDefend.exe
PID 2164 wrote to memory of 2560	2164	Client.exe	cmd.exe
PID 2164 wrote to memory of 2560	2164	Client.exe	cmd.exe
PID 2164 wrote to memory of 4252	2164	Client.exe	cmd.exe
PID 2164 wrote to memory of 4252	2164	Client.exe	cmd.exe
PID 4252 wrote to memory of 2336	4252	cmd.exe	timeout.exe
PID 4252 wrote to memory of 2336	4252	cmd.exe	timeout.exe
PID 2560 wrote to memory of 4488	2560	cmd.exe	schtasks.exe
PID 2560 wrote to memory of 4488	2560	cmd.exe	schtasks.exe
PID 4732 wrote to memory of 2656	4732	Infected.exe	cmd.exe
PID 4732 wrote to memory of 2656	4732	Infected.exe	cmd.exe
PID 4732 wrote to memory of 3392	4732	Infected.exe	cmd.exe
PID 4732 wrote to memory of 3392	4732	Infected.exe	cmd.exe
PID 2656 wrote to memory of 4392	2656	cmd.exe	schtasks.exe
PID 2656 wrote to memory of 4392	2656	cmd.exe	schtasks.exe
PID 3392 wrote to memory of 1404	3392	cmd.exe	timeout.exe
PID 3392 wrote to memory of 1404	3392	cmd.exe	timeout.exe
PID 4252 wrote to memory of 4248	4252	cmd.exe	Loader.exe
PID 4252 wrote to memory of 4248	4252	cmd.exe	Loader.exe
PID 3392 wrote to memory of 1748	3392	cmd.exe	Loaader.exe
PID 3392 wrote to memory of 1748	3392	cmd.exe	Loaader.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
"C:\Users\Admin\AppData\Local\Temp\e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3528

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\Admin\AppData\Roaming\Loader.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\Admin\AppData\Roaming\Loader.exe"'
4⤵
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3681.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2336

C:\Users\Admin\AppData\Roaming\Loader.exe
"C:\Users\Admin\AppData\Roaming\Loader.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4248

C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"'
4⤵
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp37AA.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1404

C:\Users\Admin\AppData\Roaming\Loaader.exe
"C:\Users\Admin\AppData\Roaming\Loaader.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Users\Admin\AppData\Local\Temp\WinDefend.exe
"C:\Users\Admin\AppData\Local\Temp\WinDefend.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3364

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client.exe
Filesize
74KB

MD5
7ac0adf482250172280defec7a7054da

SHA1
20a25f0da68c309d062c4628ead8b6f377ac7969

SHA256
3caa5f06008365fbecf46198744793c36c42309b49a6324bebe8123be10f87d5

SHA512
d03d033b931f3d39f95a1ec1cdc7d9014783f11b2438c265dd72c0bc34f9d5ced534a38c7c1c88ff930868fd9cf60521dd556b5c486c5cf364f798f39215a1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Infected.exe
Filesize
63KB

MD5
b8d455465260a845db35492fda5a8888

SHA1
287b0ba049ad8f3be802d2224efb86dba72d3221

SHA256
a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282

SHA512
5dba43ae31420de362593752e8ff491afbe8d20f183f6b95e6962ea1e637c7bf3bd50b5213e4d928a96b85d9b54841ee697798b0089624b13ef7eded826cd86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinDefend.exe
Filesize
87KB

MD5
5fc6a541845fdafb597ddfb98fa28b54

SHA1
22e5dd50ddd71bc39c812db0f9b164ca10c556dd

SHA256
64e4dedb36812766c522c79cae57b7f3b2694efaa396151d4117a70282166117

SHA512
f174e4ccc89d4a7473001a9153a9c3d63bedd393dda1ea3be171768b7587846722ad07445adeafa52ef54802a8ac84eb33ab1799248dcbf7db60aa4f311da5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3681.tmp.bat
Filesize
150B

MD5
16d32e23b641f0952edeb4108b1e7ff9

SHA1
0cfc2900151180ac1837d8765cf925f3227af688

SHA256
27131fc87e1893e1ea9dd31db25be536ee0286ffc7ac07e4c978a18e3e55e831

SHA512
f2af9d738d8d49de6305067b13f1708bdefadf1732c398d88c75808da7b45dac42459a8418741b4fdcf26b01a2558301da090f83653d74663a6a2546ed9eeda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp37AA.tmp.bat
Filesize
151B

MD5
5aae3eee255badc9cce9b5d7720dbfba

SHA1
2a6490a8c79746b3d4f12f729e9abb161026e388

SHA256
b576d5a494dc95983641640f4e4a75772ed5de3dcdbf48d5e7f34116542eefb5

SHA512
d40832e5c03ee78d7a7899ac591d79b439bdd8c811052f19aee7068196cf43f42447792cd624f79dbac637b79cf289b31a85f3b2fd828c7f5602dad0c7b86a3d

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Public\SSSS.log
Filesize
4KB

MD5
356a5e273d3e4ff68bea38fb50de4fe3

SHA1
9f8e30efdb480e3b88e46d634f05b8b74f53f87e

SHA256
789c029e0f3147219fda673ee0e69fc25686af8cf8ce76578ae790d6b0887e90

SHA512
6e75f4e92a55c3c302f6ce2bc0953c4674a6edbbb96ad30db3f0db66d4a4c99159987b46f5918eba59b17d5395c2af8aeda21ed25f6fd9b5795483479e6542aa

Download Submit
memory/2164-53-0x00007FFE24FC0000-0x00007FFE25A81000-memory.dmp

Filesize
10.8MB

Download
memory/2164-23-0x00000000001B0000-0x00000000001C8000-memory.dmp

Filesize
96KB

Download
memory/2164-38-0x00007FFE24FC0000-0x00007FFE25A81000-memory.dmp

Filesize
10.8MB

Download
memory/2164-42-0x00007FFE24FC0000-0x00007FFE25A81000-memory.dmp

Filesize
10.8MB

Download
memory/3364-47-0x0000000004F70000-0x0000000005002000-memory.dmp

Filesize
584KB

Download
memory/3364-44-0x00000000028F0000-0x00000000028F6000-memory.dmp

Filesize
24KB

Download
memory/3364-46-0x0000000009900000-0x0000000009EA4000-memory.dmp

Filesize
5.6MB

Download
memory/3364-48-0x0000000004F60000-0x0000000004F6A000-memory.dmp

Filesize
40KB

Download
memory/3364-43-0x0000000000580000-0x000000000059E000-memory.dmp

Filesize
120KB

Download
memory/3528-0-0x0000000000010000-0x0000000000050000-memory.dmp

Filesize
256KB

Download
memory/3528-41-0x00007FFE24FC0000-0x00007FFE25A81000-memory.dmp

Filesize
10.8MB

Download
memory/3528-12-0x00007FFE24FC0000-0x00007FFE25A81000-memory.dmp

Filesize
10.8MB

Download
memory/3528-1-0x00007FFE24FC3000-0x00007FFE24FC5000-memory.dmp

Filesize
8KB

Download
memory/4732-45-0x00007FFE24FC0000-0x00007FFE25A81000-memory.dmp

Filesize
10.8MB

Download
memory/4732-59-0x00007FFE24FC0000-0x00007FFE25A81000-memory.dmp

Filesize
10.8MB

Download
memory/4732-26-0x0000000000D70000-0x0000000000D86000-memory.dmp

Filesize
88KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads