Malware Analysis Report

2024-08-06 13:07

Sample ID: 240616-1s387atfjk
Target: AsyncClient.exe
SHA256: d7c2f3e3d806f37f3b511e8a0ade1b000b30761bf3f96adc92235e134387b2ce
Tags: rat default asyncrat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: d7c2f3e3d806f37f3b511e8a0ade1b000b30761bf3f96adc92235e134387b2ce

Threat Level: Known bad

The file AsyncClient.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

Asyncrat family

AsyncRat

Async RAT payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Delays execution with timeout.exe

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-16 21:55

Signatures

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Asyncrat family

asyncrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-16 21:55
Reported: 2024-06-16 21:58
Platform: win7-20240611-en
Max time kernel: 147s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\vortext.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\vortext.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\vortext.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 920 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2804 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2804 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2804 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2812 wrote to memory of 2776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2812 wrote to memory of 2776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2812 wrote to memory of 2776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2812 wrote to memory of 2776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2812 wrote to memory of 2520 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\vortext.exe
PID 2812 wrote to memory of 2520 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\vortext.exe
PID 2812 wrote to memory of 2520 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\vortext.exe
PID 2812 wrote to memory of 2520 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\vortext.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "vortext" /tr '"C:\Users\Admin\AppData\Roaming\vortext.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp78E7.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "vortext" /tr '"C:\Users\Admin\AppData\Roaming\vortext.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\vortext.exe

"C:\Users\Admin\AppData\Roaming\vortext.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | pastebin.com | udp
US | 104.20.4.235:443 | pastebin.com | tcp

Files

memory/920-0-0x000000007425E000-0x000000007425F000-memory.dmp

memory/920-1-0x0000000000840000-0x0000000000852000-memory.dmp

memory/920-2-0x0000000074250000-0x000000007493E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp78E7.tmp.bat

MD5 4dd39fa5017850e6905f00db83e95594
SHA1 8013b0cfef1d6dc7589b2bdd0ca33c004fd04e8f
SHA256 147e864c7797f9cc632a06e00dd7e23a9845a4797882699ba69a3a1f0fea1e15
SHA512 51f2ca240be0a078926854481062311f8d4444b6044c1c47021d2e1b1e8ee2eb534f1bef5f1884f8eab15fa16a2f30fb8684fa4cf43dd278779a819fb3a0f9c7

memory/920-12-0x0000000074250000-0x000000007493E000-memory.dmp

\Users\Admin\AppData\Roaming\vortext.exe

MD5 f5a2b23f785fb2eee6724b41b812b206
SHA1 4d9142e9a7280e4df3ddf309c253531b0aa66b2f
SHA256 d7c2f3e3d806f37f3b511e8a0ade1b000b30761bf3f96adc92235e134387b2ce
SHA512 39c5b0ebf80b77b5b65a224e9e069cb1407d362149ee9478c83f3fb0d412bc462804e2f63b0a7579844dee9abb47a714b5b550d554fe9ef4d26f76b75f84c0e4

memory/2520-16-0x0000000000A00000-0x0000000000A12000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-16 21:55
Reported: 2024-06-16 21:57
Platform: win10v2004-20240226-en
Max time kernel: 69s
Max time network: 75s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\vortext.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\vortext.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\vortext.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3372 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 3372 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 3372 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 3372 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 3372 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 3372 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 4484 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1996 wrote to memory of 4484 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1996 wrote to memory of 4484 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2848 wrote to memory of 4308 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2848 wrote to memory of 4308 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2848 wrote to memory of 4308 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1996 wrote to memory of 3484 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\vortext.exe
PID 1996 wrote to memory of 3484 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\vortext.exe
PID 1996 wrote to memory of 3484 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\vortext.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "vortext" /tr '"C:\Users\Admin\AppData\Roaming\vortext.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2E6E.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "vortext" /tr '"C:\Users\Admin\AppData\Roaming\vortext.exe"'

C:\Users\Admin\AppData\Roaming\vortext.exe

"C:\Users\Admin\AppData\Roaming\vortext.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
GB | 96.16.110.114:80 | N/A | tcp
US | 8.8.8.8:53 | pastebin.com | udp
US | 172.67.19.24:443 | pastebin.com | tcp
US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
GB | 142.250.187.202:443 | N/A | tcp
US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp

Files

memory/3372-0-0x00000000753BE000-0x00000000753BF000-memory.dmp

memory/3372-1-0x0000000000290000-0x00000000002A2000-memory.dmp

memory/3372-2-0x00000000753B0000-0x0000000075B60000-memory.dmp

memory/3372-3-0x0000000004F30000-0x0000000004F96000-memory.dmp

memory/3372-4-0x00000000053C0000-0x000000000545C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2E6E.tmp.bat

MD5 1bd6754498a909d5356ff8b3048e0663
SHA1 6941f79cf6821521e5d2e9cbb7cc47b95e78bc3d
SHA256 a685681764ce79a6bb28445f74bb7c750d7d22c47724b51b190248cdafb620dc
SHA512 5ac0d5cbbbeb58a70432fe5e6ac475608dc498f68f5bc15ef5adb7284c3112460d24c9bb30077bd876a05a05acfaef5c5f75ea3d7118c5bd68cb8151da084d06

memory/3372-10-0x00000000753B0000-0x0000000075B60000-memory.dmp

C:\Users\Admin\AppData\Roaming\vortext.exe

MD5 f5a2b23f785fb2eee6724b41b812b206
SHA1 4d9142e9a7280e4df3ddf309c253531b0aa66b2f
SHA256 d7c2f3e3d806f37f3b511e8a0ade1b000b30761bf3f96adc92235e134387b2ce
SHA512 39c5b0ebf80b77b5b65a224e9e069cb1407d362149ee9478c83f3fb0d412bc462804e2f63b0a7579844dee9abb47a714b5b550d554fe9ef4d26f76b75f84c0e4

memory/3484-14-0x0000000075310000-0x0000000075AC0000-memory.dmp

memory/3484-15-0x0000000075310000-0x0000000075AC0000-memory.dmp