Malware Analysis Report

2024-08-06 13:10

Sample ID 240614-t42q6sscpq
Target AsyncClient.exe
SHA256 fb9193c127e0ac2e3599920b4e46827d381d8ff976691863a6da3b862723583e
Tags
rat default asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fb9193c127e0ac2e3599920b4e46827d381d8ff976691863a6da3b862723583e

Threat Level: Known bad

The file AsyncClient.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

Asyncrat family

AsyncRat

Async RAT payload

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 16:37

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 16:37

Reported

2024-06-14 16:40

Platform

win7-20240508-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2240 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2240 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2240 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1324 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1324 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1324 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1324 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1324 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft.exe
PID 1324 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft.exe
PID 1324 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft.exe
PID 1324 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft.exe
PID 1324 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft.exe
PID 1324 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft.exe
PID 1324 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp274F.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Microsoft" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Microsoft.exe

"C:\Users\Admin\AppData\Roaming\Microsoft.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:9198 tcp
N/A 127.0.0.1:9198 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:9198 tcp
N/A 127.0.0.1:9198 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:9198 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:9198 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:9198 tcp
N/A 127.0.0.1:9198 tcp
N/A 127.0.0.1:9198 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:9198 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:9198 tcp
N/A 127.0.0.1:8808 tcp

Files

memory/2248-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

memory/2248-1-0x0000000000050000-0x0000000000062000-memory.dmp

memory/2248-2-0x0000000074E80000-0x000000007556E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp274F.tmp.bat

MD5 c2763eafc1cdf36d342e7ab809449db2
SHA1 33e6389fa089d1c3885440b2df8e5f946f21adb0
SHA256 3a49ccffa7dd8d6f9ff33e7ab254b344698d27d332b26013d56aaf1e04335fc0
SHA512 1906c989bf46cae2e58a50576a0fc26cb15252139936b54b1ea45b1359caf672ac1cb9b0b69f96407e969ea97109bb88f8a356e04677d6baad9c3b1535668a34

memory/2248-12-0x0000000074E80000-0x000000007556E000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft.exe

MD5 0cd7314d619f1b8a92c579224f73e9ae
SHA1 56f4e51d6d6fcd8ca418c957dd5a2436e1718761
SHA256 fb9193c127e0ac2e3599920b4e46827d381d8ff976691863a6da3b862723583e
SHA512 53d47d3b25d12f245742af999e9f442e5711740371b8ad995573410ad45c6916cbad298f54dc740c24632425bb9fdde84a73e12c34ed9236f8e6b82d0e310444

memory/2236-16-0x0000000000C80000-0x0000000000C92000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 16:37

Reported

2024-06-14 16:40

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 2484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3448 wrote to memory of 2484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3448 wrote to memory of 2484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 436 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 436 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 436 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 436 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft.exe
PID 436 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft.exe
PID 436 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp57B5.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Microsoft" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Microsoft.exe

"C:\Users\Admin\AppData\Roaming\Microsoft.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:9198 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:9198 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:9198 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:9198 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:9198 tcp
N/A 127.0.0.1:9198 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:9198 tcp
N/A 127.0.0.1:9198 tcp

Files

memory/3048-0-0x00007FFCB9910000-0x00007FFCB9B05000-memory.dmp

memory/3048-1-0x0000000000CF0000-0x0000000000D02000-memory.dmp

memory/3048-2-0x00007FFCB9910000-0x00007FFCB9B05000-memory.dmp

memory/3048-3-0x00000000056B0000-0x0000000005716000-memory.dmp

memory/3048-4-0x0000000005B40000-0x0000000005BDC000-memory.dmp

memory/3048-9-0x00007FFCB9910000-0x00007FFCB9B05000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp57B5.tmp.bat

MD5 07d38c9016a53ea5577c04ea92796bca
SHA1 b7dde864e8e99c6e6f69f4e38242479b5be13193
SHA256 04104e4031fff560f529ab7e59e9dabb892d43ec0e725c4cfa0c2c1907390367
SHA512 9a918b135f75b12303d147136fd83fbe68e8da6b7b6e516de37ad88b5e00e2b165271639c21615e7f0c3f39dbde6e3b0fe0aa67a07cac7922e448a2743a0caa9

C:\Users\Admin\AppData\Roaming\Microsoft.exe

MD5 0cd7314d619f1b8a92c579224f73e9ae
SHA1 56f4e51d6d6fcd8ca418c957dd5a2436e1718761
SHA256 fb9193c127e0ac2e3599920b4e46827d381d8ff976691863a6da3b862723583e
SHA512 53d47d3b25d12f245742af999e9f442e5711740371b8ad995573410ad45c6916cbad298f54dc740c24632425bb9fdde84a73e12c34ed9236f8e6b82d0e310444

memory/2872-14-0x00007FFCB9910000-0x00007FFCB9B05000-memory.dmp

memory/2872-15-0x00007FFCB9910000-0x00007FFCB9B05000-memory.dmp