asyncrat | 792ac08ad6bdd2f31444390d4f06be0f261ef493a3e83847e016b1292173878a

General

Target

AsyncClient.exe
Size

45KB
MD5

4fa92eda691f571d5c8ca313ea5ced3e
SHA1

5e75ba444f13c933e19a764581d92f26496edb08
SHA256

792ac08ad6bdd2f31444390d4f06be0f261ef493a3e83847e016b1292173878a
SHA512

279b86f470b26f40830939d110af9826884b92e5ae68b3a36db82265e8d73d59b35b55c249aeddc0afd72af8afcf7cfd29634daeb4a22cf486f23ba40d14ef58
SSDEEP

768:bukaVT3ongoWU2Gjimo2qrgKjPGaG6PIyzjbFgX3i5BOY4eEA28mIBDZZ4:bukaVT3Q+25KTkDy3bCXS6H8rdZ4

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

purIcKAdLoRB

Attributes

delay
3
install
true
install_file
SVHOST.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000012119-14.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2132	SVHOST.exe

Loads dropped DLL 1 IoCs

pid	Process
2888	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2356	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2248	AsyncClient.exe
2248	AsyncClient.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	AsyncClient.exe
Token: SeDebugPrivilege	2132	SVHOST.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2524	2248	AsyncClient.exe	28
PID 2248 wrote to memory of 2524	2248	AsyncClient.exe	28
PID 2248 wrote to memory of 2524	2248	AsyncClient.exe	28
PID 2248 wrote to memory of 2524	2248	AsyncClient.exe	28
PID 2248 wrote to memory of 2888	2248	AsyncClient.exe	30
PID 2248 wrote to memory of 2888	2248	AsyncClient.exe	30
PID 2248 wrote to memory of 2888	2248	AsyncClient.exe	30
PID 2248 wrote to memory of 2888	2248	AsyncClient.exe	30
PID 2888 wrote to memory of 2356	2888	cmd.exe	32
PID 2888 wrote to memory of 2356	2888	cmd.exe	32
PID 2888 wrote to memory of 2356	2888	cmd.exe	32
PID 2888 wrote to memory of 2356	2888	cmd.exe	32
PID 2524 wrote to memory of 2992	2524	cmd.exe	33
PID 2524 wrote to memory of 2992	2524	cmd.exe	33
PID 2524 wrote to memory of 2992	2524	cmd.exe	33
PID 2524 wrote to memory of 2992	2524	cmd.exe	33
PID 2888 wrote to memory of 2132	2888	cmd.exe	36
PID 2888 wrote to memory of 2132	2888	cmd.exe	36
PID 2888 wrote to memory of 2132	2888	cmd.exe	36
PID 2888 wrote to memory of 2132	2888	cmd.exe	36
PID 2888 wrote to memory of 2132	2888	cmd.exe	36
PID 2888 wrote to memory of 2132	2888	cmd.exe	36
PID 2888 wrote to memory of 2132	2888	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SVHOST" /tr '"C:\Users\Admin\AppData\Local\Temp\SVHOST.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "SVHOST" /tr '"C:\Users\Admin\AppData\Local\Temp\SVHOST.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC8AC.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2356
- - C:\Users\Admin\AppData\Local\Temp\SVHOST.exe
    "C:\Users\Admin\AppData\Local\Temp\SVHOST.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SVHOST.exe

Filesize
45KB

MD5
4fa92eda691f571d5c8ca313ea5ced3e

SHA1
5e75ba444f13c933e19a764581d92f26496edb08

SHA256
792ac08ad6bdd2f31444390d4f06be0f261ef493a3e83847e016b1292173878a

SHA512
279b86f470b26f40830939d110af9826884b92e5ae68b3a36db82265e8d73d59b35b55c249aeddc0afd72af8afcf7cfd29634daeb4a22cf486f23ba40d14ef58

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC8AC.tmp.bat

Filesize
153B

MD5
e85557b038914d00e43a1332cbb37d14

SHA1
96f38e2a24cd23a8b54e898f4a28ade98b339ba6

SHA256
50631e6d7a79718247ec845c4759a261e86a8cdf054f029130d6272b75e1b750

SHA512
ef58e8d00071bd470c82d565e4deab8112abf9c71b468a59e5486dbc496b709636f3c30471a04f02fb01ddd97ef4292e3e67a708866234d4c11cc481e72b02e9

Download Submit
memory/2132-16-0x00000000010C0000-0x00000000010D2000-memory.dmp

Filesize
72KB

Download
memory/2248-0-0x0000000074D8E000-0x0000000074D8F000-memory.dmp

Filesize
4KB

Download
memory/2248-1-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download
memory/2248-2-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download
memory/2248-11-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads