asyncrat | d948a6af0e9a1e9981669d300da54d84e526fc55e9654b8de1ba58821e14b96b

General

Target

Optimix_client.exe
Size

45KB
MD5

bc9efb1b76331a392346d4cce9c3b177
SHA1

ecd6d5584ab75f5735a69864ecf74dddde8683a1
SHA256

d948a6af0e9a1e9981669d300da54d84e526fc55e9654b8de1ba58821e14b96b
SHA512

4969259be841c308d791c16d0645e8f72db3f8708975bd9682ae630cca4c8f27b778d48387b5f17f1a1d82f3b8392cfbe95f8d5cd860ad25543f0d520e6b3f19
SSDEEP

768:luAINTHkvSbWUnFKJmo2q7XIrzXIxOPILzjbjXgXAiHFeq1BDZPx:luAINTHgN2Lv83L3bEX9leqbdPx

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

192.168.0.76:6606

192.168.0.76:7707

192.168.0.76:8808

192.168.0.76:4444

Mutex

YNGv5uoT0xzv

Attributes

delay
3
install
true
install_file
ProtonyteAntiVirusSetup.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ProtonyteAntiVirusSetup.exe	family_asyncrat

Executes dropped EXE 1 IoCs

Processes:

ProtonyteAntiVirusSetup.exe

pid process

3780 ProtonyteAntiVirusSetup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1888 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2748 timeout.exe

pid	process
3780	ProtonyteAntiVirusSetup.exe

pid	process
1888	schtasks.exe

pid	process
2748	timeout.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

Optimix_client.exe

pid	process
4768	Optimix_client.exe
4768	Optimix_client.exe
4768	Optimix_client.exe
4768	Optimix_client.exe
4768	Optimix_client.exe
4768	Optimix_client.exe
4768	Optimix_client.exe
4768	Optimix_client.exe
4768	Optimix_client.exe
4768	Optimix_client.exe
4768	Optimix_client.exe
4768	Optimix_client.exe
4768	Optimix_client.exe
4768	Optimix_client.exe
4768	Optimix_client.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Optimix_client.exeProtonyteAntiVirusSetup.exe

description pid process

Token: SeDebugPrivilege 4768 Optimix_client.exe
Token: SeDebugPrivilege 3780 ProtonyteAntiVirusSetup.exe

description	pid	process
Token: SeDebugPrivilege	4768	Optimix_client.exe
Token: SeDebugPrivilege	3780	ProtonyteAntiVirusSetup.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Optimix_client.execmd.execmd.exe

description	pid	process	target process
PID 4768 wrote to memory of 224	4768	Optimix_client.exe	cmd.exe
PID 4768 wrote to memory of 224	4768	Optimix_client.exe	cmd.exe
PID 4768 wrote to memory of 224	4768	Optimix_client.exe	cmd.exe
PID 4768 wrote to memory of 2196	4768	Optimix_client.exe	cmd.exe
PID 4768 wrote to memory of 2196	4768	Optimix_client.exe	cmd.exe
PID 4768 wrote to memory of 2196	4768	Optimix_client.exe	cmd.exe
PID 2196 wrote to memory of 2748	2196	cmd.exe	timeout.exe
PID 2196 wrote to memory of 2748	2196	cmd.exe	timeout.exe
PID 2196 wrote to memory of 2748	2196	cmd.exe	timeout.exe
PID 224 wrote to memory of 1888	224	cmd.exe	schtasks.exe
PID 224 wrote to memory of 1888	224	cmd.exe	schtasks.exe
PID 224 wrote to memory of 1888	224	cmd.exe	schtasks.exe
PID 2196 wrote to memory of 3780	2196	cmd.exe	ProtonyteAntiVirusSetup.exe
PID 2196 wrote to memory of 3780	2196	cmd.exe	ProtonyteAntiVirusSetup.exe
PID 2196 wrote to memory of 3780	2196	cmd.exe	ProtonyteAntiVirusSetup.exe

C:\Users\Admin\AppData\Local\Temp\Optimix_client.exe
"C:\Users\Admin\AppData\Local\Temp\Optimix_client.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ProtonyteAntiVirusSetup" /tr '"C:\Users\Admin\AppData\Local\Temp\ProtonyteAntiVirusSetup.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "ProtonyteAntiVirusSetup" /tr '"C:\Users\Admin\AppData\Local\Temp\ProtonyteAntiVirusSetup.exe"'
3⤵
- Creates scheduled task(s)
PID:1888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp81F1.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2748

C:\Users\Admin\AppData\Local\Temp\ProtonyteAntiVirusSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ProtonyteAntiVirusSetup.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ProtonyteAntiVirusSetup.exe
Filesize
45KB

MD5
bc9efb1b76331a392346d4cce9c3b177

SHA1
ecd6d5584ab75f5735a69864ecf74dddde8683a1

SHA256
d948a6af0e9a1e9981669d300da54d84e526fc55e9654b8de1ba58821e14b96b

SHA512
4969259be841c308d791c16d0645e8f72db3f8708975bd9682ae630cca4c8f27b778d48387b5f17f1a1d82f3b8392cfbe95f8d5cd860ad25543f0d520e6b3f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp81F1.tmp.bat
Filesize
170B

MD5
5f88a0a6e70f543068b57a07efca411a

SHA1
6db14e04097083679a9922f9e69f0e2eebc61e4d

SHA256
5e0fa3fc3a3ea0e13e58eaf58ff24eb95ab83b517e0b7415acc065fa544c511b

SHA512
2cb7d77e3ad6f82c22413a24032aa609faed05df6b44254999a683bbb52390e8e666702699d2967e9921a52f942634de1a08fd9e6fffca40eefbbea9ab0c8f68

Download Submit
memory/4768-0-0x000000007324E000-0x000000007324F000-memory.dmp

Filesize
4KB

Download
memory/4768-1-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/4768-2-0x0000000073240000-0x000000007392E000-memory.dmp

Filesize
6.9MB

Download
memory/4768-3-0x0000000005000000-0x000000000509C000-memory.dmp

Filesize
624KB

Download
memory/4768-8-0x0000000073240000-0x000000007392E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads