asyncrat | 01b7eea92bb27df73a6972f00927ba3a5989771f90052297f4027fc33e804ffd

General

Target

RuntimeBroker.exe
Size

6.8MB
MD5

b2b458a4d32353ea767fd85090da3cad
SHA1

7cafde34ad660df06370e8b8668fe28545d6dbf1
SHA256

01b7eea92bb27df73a6972f00927ba3a5989771f90052297f4027fc33e804ffd
SHA512

a1fb74f67bf763d1e81de1d17702ee3d967ed00288f0f68abf842346bb8dcb4e2c64b9353c6c612e3c9878348619506fbf217670d27cbe63526a44041264fe11
SSDEEP

196608:qbce1Juq1YCnUAP6fVJEsspI2jzuTRzzcc2YwForrrrNrrrrrprrrrXrrrrrHrrE:qAou0Y7ASfV6qfwt

Score

10^/10

asyncrat mailru rat

Malware Config

Extracted

Family

asyncrat

Version

ITSOBR

Botnet

MailRU

C2

52cf04efee6d.sn.mynetname.net:2024

Mutex

olErDv8aDk6J

Attributes

delay
30
install
true
install_file
Chrome.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2808	Chrome.exe

Loads dropped DLL 1 IoCs

pid	Process
2868	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2848	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2492	RuntimeBroker.exe
2492	RuntimeBroker.exe
2492	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	RuntimeBroker.exe
Token: SeDebugPrivilege	2808	Chrome.exe
Token: 33	2772	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2772	AUDIODG.EXE
Token: 33	2772	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2772	AUDIODG.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2420	2492	RuntimeBroker.exe	30
PID 2492 wrote to memory of 2420	2492	RuntimeBroker.exe	30
PID 2492 wrote to memory of 2420	2492	RuntimeBroker.exe	30
PID 2492 wrote to memory of 2420	2492	RuntimeBroker.exe	30
PID 2420 wrote to memory of 2708	2420	cmd.exe	32
PID 2420 wrote to memory of 2708	2420	cmd.exe	32
PID 2420 wrote to memory of 2708	2420	cmd.exe	32
PID 2420 wrote to memory of 2708	2420	cmd.exe	32
PID 2492 wrote to memory of 2868	2492	RuntimeBroker.exe	33
PID 2492 wrote to memory of 2868	2492	RuntimeBroker.exe	33
PID 2492 wrote to memory of 2868	2492	RuntimeBroker.exe	33
PID 2492 wrote to memory of 2868	2492	RuntimeBroker.exe	33
PID 2868 wrote to memory of 2848	2868	cmd.exe	35
PID 2868 wrote to memory of 2848	2868	cmd.exe	35
PID 2868 wrote to memory of 2848	2868	cmd.exe	35
PID 2868 wrote to memory of 2848	2868	cmd.exe	35
PID 2868 wrote to memory of 2808	2868	cmd.exe	36
PID 2868 wrote to memory of 2808	2868	cmd.exe	36
PID 2868 wrote to memory of 2808	2868	cmd.exe	36
PID 2868 wrote to memory of 2808	2868	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7752.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2848
- - C:\Users\Admin\AppData\Roaming\Chrome.exe
    "C:\Users\Admin\AppData\Roaming\Chrome.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2808

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1072

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:352

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1824

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x458
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7752.tmp.bat

Filesize
150B

MD5
29ce19c40f548e34eb3ebc8b9f73faa4

SHA1
6421e3400bcfb5c9ffd3673d3eea244f2c70a50c

SHA256
731ad4723238f964440a27085bc0ed3be374916faac5335eb2d50cf67f9d8b08

SHA512
5a81ca6269a42071a1ebc67d7d2f106c6d6e1826704b1c587a09469c6e2ce399c4fb6ee574e3afa47dbf95afb38f7eb7ab02c01b9b5de96aaaa99d701ca8b74f

Download Submit
\Users\Admin\AppData\Roaming\Chrome.exe

Filesize
6.8MB

MD5
b2b458a4d32353ea767fd85090da3cad

SHA1
7cafde34ad660df06370e8b8668fe28545d6dbf1

SHA256
01b7eea92bb27df73a6972f00927ba3a5989771f90052297f4027fc33e804ffd

SHA512
a1fb74f67bf763d1e81de1d17702ee3d967ed00288f0f68abf842346bb8dcb4e2c64b9353c6c612e3c9878348619506fbf217670d27cbe63526a44041264fe11

Download Submit
memory/2492-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/2492-1-0x0000000001370000-0x0000000001A3C000-memory.dmp

Filesize
6.8MB

Download
memory/2492-2-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/2492-3-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-13-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2808-17-0x00000000002D0000-0x000000000099C000-memory.dmp

Filesize
6.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads