asyncrat | cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d

General

Target

cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe
Size

1.3MB
MD5

2f3c519c599dc02d11bf57918b798ee3
SHA1

82ad01ac3e2cdb9d795cf6d7ab2ae3d3a417843a
SHA256

cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d
SHA512

c2d6016c9bae5d5bf41583a5f2de54f8e8a0effd6a3af97a6259ab73b23a505e15f0c96df6b82dbba40d3b9562ebb5a5e42961088b123433bede257e6c4e8f06
SSDEEP

24576:AcB8ggg0szL2dMVBQwv4XOylc6foK1thFMyd:fB8gggj04vZyC6wKR

Score

10^/10

asyncrat kaskomuz rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Kaskomuz

C2

80.76.49.154:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
true
install_file
Kaskomuz.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detects executables attemping to enumerate video devices using WMI 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2032-21-0x0000000000400000-0x0000000000422000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral1/memory/2032-18-0x0000000000400000-0x0000000000422000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral1/memory/2032-15-0x0000000000400000-0x0000000000422000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral1/memory/2576-54-0x0000000000400000-0x0000000000422000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral1/memory/2576-56-0x0000000000400000-0x0000000000422000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Detects executables containing the string DcRatBy 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2032-21-0x0000000000400000-0x0000000000422000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DcRatBy
behavioral1/memory/2032-18-0x0000000000400000-0x0000000000422000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DcRatBy
behavioral1/memory/2032-15-0x0000000000400000-0x0000000000422000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DcRatBy
behavioral1/memory/2576-54-0x0000000000400000-0x0000000000422000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DcRatBy
behavioral1/memory/2576-56-0x0000000000400000-0x0000000000422000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DcRatBy

Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2032-21-0x0000000000400000-0x0000000000422000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
behavioral1/memory/2032-18-0x0000000000400000-0x0000000000422000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
behavioral1/memory/2032-15-0x0000000000400000-0x0000000000422000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
behavioral1/memory/2576-54-0x0000000000400000-0x0000000000422000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
behavioral1/memory/2576-56-0x0000000000400000-0x0000000000422000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts

Detects executables packed with unregistered version of .NET Reactor 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1444-1-0x0000000000AA0000-0x0000000000BCA000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
\Users\Admin\AppData\Roaming\Kaskomuz.exe	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2624-39-0x0000000000CE0000-0x0000000000E0A000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/1444-1-0x0000000000AA0000-0x0000000000BCA000-memory.dmp	net_reactor
\Users\Admin\AppData\Roaming\Kaskomuz.exe	net_reactor
behavioral1/memory/2624-39-0x0000000000CE0000-0x0000000000E0A000-memory.dmp	net_reactor

Executes dropped EXE 2 IoCs

Processes:

Kaskomuz.exeKaskomuz.exe

pid process

2624 Kaskomuz.exe
2576 Kaskomuz.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2520 cmd.exe

pid	process
2624	Kaskomuz.exe
2576	Kaskomuz.exe

pid	process
2520	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exeKaskomuz.exe

description	pid	process	target process
PID 1444 set thread context of 2032	1444	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe
PID 2624 set thread context of 2576	2624	Kaskomuz.exe	Kaskomuz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2016 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2796 timeout.exe

pid	process
2016	schtasks.exe

pid	process
2796	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe

pid	process
2032	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe
2032	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.execae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exeKaskomuz.exeKaskomuz.exe

description	pid	process
Token: SeDebugPrivilege	1444	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe
Token: SeDebugPrivilege	2032	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe
Token: SeDebugPrivilege	2624	Kaskomuz.exe
Token: SeDebugPrivilege	2576	Kaskomuz.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.execae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.execmd.execmd.exeKaskomuz.exe

description	pid	process	target process
PID 1444 wrote to memory of 2032	1444	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe
PID 1444 wrote to memory of 2032	1444	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe
PID 1444 wrote to memory of 2032	1444	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe
PID 1444 wrote to memory of 2032	1444	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe
PID 1444 wrote to memory of 2032	1444	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe
PID 1444 wrote to memory of 2032	1444	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe
PID 2032 wrote to memory of 2720	2032	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe	cmd.exe
PID 2032 wrote to memory of 2720	2032	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe	cmd.exe
PID 2032 wrote to memory of 2720	2032	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe	cmd.exe
PID 2032 wrote to memory of 2720	2032	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe	cmd.exe
PID 2032 wrote to memory of 2520	2032	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe	cmd.exe
PID 2032 wrote to memory of 2520	2032	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe	cmd.exe
PID 2032 wrote to memory of 2520	2032	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe	cmd.exe
PID 2032 wrote to memory of 2520	2032	cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe	cmd.exe
PID 2720 wrote to memory of 2016	2720	cmd.exe	schtasks.exe
PID 2720 wrote to memory of 2016	2720	cmd.exe	schtasks.exe
PID 2720 wrote to memory of 2016	2720	cmd.exe	schtasks.exe
PID 2720 wrote to memory of 2016	2720	cmd.exe	schtasks.exe
PID 2520 wrote to memory of 2796	2520	cmd.exe	timeout.exe
PID 2520 wrote to memory of 2796	2520	cmd.exe	timeout.exe
PID 2520 wrote to memory of 2796	2520	cmd.exe	timeout.exe
PID 2520 wrote to memory of 2796	2520	cmd.exe	timeout.exe
PID 2520 wrote to memory of 2624	2520	cmd.exe	Kaskomuz.exe
PID 2520 wrote to memory of 2624	2520	cmd.exe	Kaskomuz.exe
PID 2520 wrote to memory of 2624	2520	cmd.exe	Kaskomuz.exe
PID 2520 wrote to memory of 2624	2520	cmd.exe	Kaskomuz.exe
PID 2624 wrote to memory of 2576	2624	Kaskomuz.exe	Kaskomuz.exe
PID 2624 wrote to memory of 2576	2624	Kaskomuz.exe	Kaskomuz.exe
PID 2624 wrote to memory of 2576	2624	Kaskomuz.exe	Kaskomuz.exe
PID 2624 wrote to memory of 2576	2624	Kaskomuz.exe	Kaskomuz.exe
PID 2624 wrote to memory of 2576	2624	Kaskomuz.exe	Kaskomuz.exe
PID 2624 wrote to memory of 2576	2624	Kaskomuz.exe	Kaskomuz.exe

C:\Users\Admin\AppData\Local\Temp\cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe
"C:\Users\Admin\AppData\Local\Temp\cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Local\Temp\cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe
C:\Users\Admin\AppData\Local\Temp\cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Kaskomuz" /tr '"C:\Users\Admin\AppData\Roaming\Kaskomuz.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Kaskomuz" /tr '"C:\Users\Admin\AppData\Roaming\Kaskomuz.exe"'
4⤵
- Creates scheduled task(s)
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2B64.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2796

C:\Users\Admin\AppData\Roaming\Kaskomuz.exe
"C:\Users\Admin\AppData\Roaming\Kaskomuz.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Roaming\Kaskomuz.exe
C:\Users\Admin\AppData\Roaming\Kaskomuz.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2576

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2B64.tmp.bat
Filesize
152B

MD5
60af3d9364e757f2b7aea0b88c000cb6

SHA1
136ba0caaf9fb28bfcb5a552ea77730f549c41f3

SHA256
2918e7b6f4ec053808150e34da1a4f89006e8321df22cf795f0b1982be401dd1

SHA512
c32586fe97a06ffbd947e1fe8705d2ebb2bf99b758b68f9ab929d44fdd3eb20ee6da88077f58245bbb659974fd882e6e7a3f7fbd92a7c4e9c5adf2e081f9bd5f

Download Submit
\Users\Admin\AppData\Roaming\Kaskomuz.exe
Filesize
1.3MB

MD5
2f3c519c599dc02d11bf57918b798ee3

SHA1
82ad01ac3e2cdb9d795cf6d7ab2ae3d3a417843a

SHA256
cae5d1df4e948b813a01bb83d087b6438d91a1aeb3f6a0a16a328373edfe851d

SHA512
c2d6016c9bae5d5bf41583a5f2de54f8e8a0effd6a3af97a6259ab73b23a505e15f0c96df6b82dbba40d3b9562ebb5a5e42961088b123433bede257e6c4e8f06

Download Submit
memory/1444-23-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/1444-1-0x0000000000AA0000-0x0000000000BCA000-memory.dmp

Filesize
1.2MB

Download
memory/1444-2-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/1444-3-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/1444-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/1444-22-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2032-21-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2032-24-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2032-25-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2032-15-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2032-35-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2032-18-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2576-54-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2576-56-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2624-39-0x0000000000CE0000-0x0000000000E0A000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads