asyncrat | 03d9d3b992a37163f54419db5cff6e3b65366806eed75d97386c88ddf5a4026c

General

Target

DHLTRACKING.exe
Size

1.4MB
MD5

1bf9ed5030bc34a0f0eaf72c26d521c8
SHA1

dd298f9d3437ea12fd3d89727ed0df05838477c2
SHA256

9d847f1168ee9ba615a9022c4f6665afc81f8f96366848c86c06964ba606c73f
SHA512

03ff5d9a28dc2128a795ed0e4f1d440c40b9209f7a0c6858d863700985cb63e0494feaab8eb23a05b657f0ee67c4560a341b3a9b2493800a1f47b91059956f0e
SSDEEP

24576:SAHnh+eWsN3skA4RV1Hom2KXSmdammEs9qU/Lt4odd4elyHeZfhlPV+gJ+sRIR/5:Vh+ZkldoPKi2ammEsr/Lt4odq2yEHsgG

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

46.183.223.29:6606

46.183.223.29:7707

46.183.223.29:8808

Mutex

gqbslgbrfnuvpqsxnzw

Attributes

delay
5
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DHLTRACKING.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	DHLTRACKING.exe

Drops startup file 1 IoCs

Processes:

DHLTRACKING.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CloudStorageWizard.url	DHLTRACKING.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DHLTRACKING.exe

description pid process target process

PID 4000 set thread context of 2112 4000 DHLTRACKING.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1388 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSBuild.exe

pid process

2112 MSBuild.exe
2112 MSBuild.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

DHLTRACKING.exe

pid process

4000 DHLTRACKING.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 2112 MSBuild.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

DHLTRACKING.exe

pid process

4000 DHLTRACKING.exe
4000 DHLTRACKING.exe
4000 DHLTRACKING.exe
4000 DHLTRACKING.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

DHLTRACKING.exe

pid process

4000 DHLTRACKING.exe
4000 DHLTRACKING.exe
4000 DHLTRACKING.exe
4000 DHLTRACKING.exe

description	pid	process	target process
PID 4000 set thread context of 2112	4000	DHLTRACKING.exe	MSBuild.exe

pid	process
1388	timeout.exe

pid	process
2112	MSBuild.exe
2112	MSBuild.exe

pid	process
4000	DHLTRACKING.exe

description	pid	process
Token: SeDebugPrivilege	2112	MSBuild.exe

pid	process
4000	DHLTRACKING.exe
4000	DHLTRACKING.exe
4000	DHLTRACKING.exe
4000	DHLTRACKING.exe

pid	process
4000	DHLTRACKING.exe
4000	DHLTRACKING.exe
4000	DHLTRACKING.exe
4000	DHLTRACKING.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

DHLTRACKING.execmd.exe

description	pid	process	target process
PID 4000 wrote to memory of 2112	4000	DHLTRACKING.exe	MSBuild.exe
PID 4000 wrote to memory of 2112	4000	DHLTRACKING.exe	MSBuild.exe
PID 4000 wrote to memory of 2112	4000	DHLTRACKING.exe	MSBuild.exe
PID 4000 wrote to memory of 2112	4000	DHLTRACKING.exe	MSBuild.exe
PID 4000 wrote to memory of 2280	4000	DHLTRACKING.exe	cmd.exe
PID 4000 wrote to memory of 2280	4000	DHLTRACKING.exe	cmd.exe
PID 4000 wrote to memory of 2280	4000	DHLTRACKING.exe	cmd.exe
PID 2280 wrote to memory of 1388	2280	cmd.exe	timeout.exe
PID 2280 wrote to memory of 1388	2280	cmd.exe	timeout.exe
PID 2280 wrote to memory of 1388	2280	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\DHLTRACKING.exe
"C:\Users\Admin\AppData\Local\Temp\DHLTRACKING.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\Admin\AppData\Local\Temp\DHLTRACKING.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\SysWOW64\timeout.exe
TimeOut 1
3⤵
- Delays execution with timeout.exe
PID:1388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:4696

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2112-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2112-6-0x0000000073EAE000-0x0000000073EAF000-memory.dmp

Filesize
4KB

Download
memory/2112-7-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/2112-8-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/2112-9-0x0000000073EAE000-0x0000000073EAF000-memory.dmp

Filesize
4KB

Download
memory/2112-10-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/4000-3-0x0000000000F60000-0x0000000000F78000-memory.dmp

Filesize
96KB

Download
memory/4000-4-0x0000000000F80000-0x0000000000F98000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads