asyncrat | c10ef30494e8b4a6bac479c553d030df2bb3e74b6398b47659266c3d92b3f589

Analysis

max time kernel
1799s
max time network
1146s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Desktop.zip
Size

39.3MB
MD5

92a3df7725837521067053e2fc31a93b
SHA1

354de58e5b50c68c9779243c5fa1970cdb9673db
SHA256

c10ef30494e8b4a6bac479c553d030df2bb3e74b6398b47659266c3d92b3f589
SHA512

4b862fb85d3c146e8ae070b6f7fd0064ae75085b79b0a34650c3a8070ca5f2c7a71f5f178855d4f786ddaabd245959dc17375f2d1730638b60a4a4b141be5e17
SSDEEP

786432:gik3QlwDcmOxyALwZzESxzhNnGUVhZMrrn6MZrpV72ZaEJOCP:pkAWDcmMJm4gn9VhZMPZrpV7mV

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Executes dropped EXE 1 IoCs

pid	Process
4744	Client.exe

Modifies registry class 41 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	BoratRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	BoratRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 0100000000000000ffffffff	BoratRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 = 5600310000000000e8587bbe10004465736b746f7000400009000400efbee8587abee8587bbe2e0000009b340200000007000000000000000000000000000000fb1111014400650073006b0074006f007000000016000000	BoratRat.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	BoratRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	BoratRat.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	BoratRat.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0	BoratRat.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	BoratRat.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	BoratRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	BoratRat.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	BoratRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	BoratRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	BoratRat.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	BoratRat.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	BoratRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\MRUListEx = 00000000ffffffff	BoratRat.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	BoratRat.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	BoratRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	BoratRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	BoratRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 = 7e00310000000000e8587abe11004465736b746f7000680009000400efbee458d483e8587abe2e00000087e101000000010000000000000000003e00000000005eae0e014400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	BoratRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\MRUListEx = 00000000ffffffff	BoratRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	BoratRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	BoratRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	BoratRat.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	BoratRat.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0	BoratRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\NodeSlot = "6"	BoratRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\MRUListEx = ffffffff	BoratRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	BoratRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	BoratRat.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings	BoratRat.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	BoratRat.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1	BoratRat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	BoratRat.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	BoratRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0 = 5000310000000000e8587bbe1000426f726174003c0009000400efbee8587abee8587bbe2e00000088350200000007000000000000000000000000000000fb11110142006f00720061007400000014000000	BoratRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	BoratRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	BoratRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	BoratRat.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
4744	Client.exe
4744	Client.exe
4744	Client.exe
4744	Client.exe
4744	Client.exe
4744	Client.exe
4744	Client.exe
4744	Client.exe
4744	Client.exe
4744	Client.exe
4744	Client.exe
4744	Client.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2612	BoratRat.exe
4744	Client.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	BoratRat.exe
Token: SeDebugPrivilege	4744	Client.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2612	BoratRat.exe
2612	BoratRat.exe
2612	BoratRat.exe
4744	Client.exe
4744	Client.exe
4744	Client.exe
4744	Client.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2612	BoratRat.exe
2612	BoratRat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2612	BoratRat.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Desktop.zip
1⤵
PID:3632

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3252

C:\Users\Admin\Desktop\Desktop\Borat\BoratRat.exe
"C:\Users\Admin\Desktop\Desktop\Borat\BoratRat.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2612

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1624

C:\Users\Admin\Desktop\Desktop\Borat\Client.exe
"C:\Users\Admin\Desktop\Desktop\Borat\Client.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Server\BoratRat.exe_Url_xhlsfge5qi1fypum31lfxxe4rqb5lenc\1.0.7.0\user.config

Filesize
309B

MD5
0c6e4f57ebaba0cc4acfc8bb65c589f8

SHA1
8c021c2371b87f2570d226b419c64c3102b8d434

SHA256
a9539ba4eae9035b2ff715f0e755aa772b499d72ccab23af2bf5a2dc2bcfa41c

SHA512
c6b877ff887d029e29bf35f53006b8c84704f73b74c616bf97696d06c6ef237dff85269bdf8dfb432457b031dd52410e2b883fd86c3f54b09f0a072a689a08c0

Download Submit
C:\Users\Admin\AppData\Local\Server\BoratRat.exe_Url_xhlsfge5qi1fypum31lfxxe4rqb5lenc\1.0.7.0\user.config

Filesize
580B

MD5
acb6df8bd0fe9236ea87ea6e3c28173f

SHA1
8b1d88bd749b58905c6db258e7224a67d1179938

SHA256
ec2b3fc4d011e9b8a04188d8f2ff280de854dde7d6ebf8e871e0642f789dfa5b

SHA512
a4222c0f5aeba58679c21361dcb6ab2c7ed1d9cae41d2839089fdb7bbaac3b8735afff8b302557f85389daa977b826cee77b944ba598e3fa6c2a16781453a832

Download Submit
C:\Users\Admin\Desktop\Desktop\Borat\Client.exe

Filesize
56KB

MD5
20d5b5b0dc82afaf8b2925b7332c857a

SHA1
370eb919730e29797e6857bd8d3a79ac6dc9c808

SHA256
94ccf77ffe04d09722be1fca43ef74ac5081d951a00c6b35eeabd74b94c74eb5

SHA512
5a987a68c11ba09e5ae6d8b9d299da156895d527d0444842a65d5f93f847f2661fde91f93592f6338d43e242be4779e24e8463ff817eab8fc829bcd1b2ebccb3

Download Submit
memory/2612-8-0x00007FFE1A863000-0x00007FFE1A865000-memory.dmp

Filesize
8KB

Download
memory/2612-0-0x00007FFE1A863000-0x00007FFE1A865000-memory.dmp

Filesize
8KB

Download
memory/2612-9-0x00007FFE1A860000-0x00007FFE1B321000-memory.dmp

Filesize
10.8MB

Download
memory/2612-10-0x00007FFE1A860000-0x00007FFE1B321000-memory.dmp

Filesize
10.8MB

Download
memory/2612-3-0x00007FFE1A860000-0x00007FFE1B321000-memory.dmp

Filesize
10.8MB

Download
memory/2612-2-0x00007FFE1A860000-0x00007FFE1B321000-memory.dmp

Filesize
10.8MB

Download
memory/2612-1-0x000001E9279C0000-0x000001E928DCA000-memory.dmp

Filesize
20.0MB

Download
memory/4744-31-0x0000000000160000-0x0000000000174000-memory.dmp

Filesize
80KB

Download
memory/4744-34-0x000000001CE60000-0x000000001CED6000-memory.dmp

Filesize
472KB

Download
memory/4744-35-0x0000000002210000-0x0000000002232000-memory.dmp

Filesize
136KB

Download
memory/4744-36-0x000000001ACE0000-0x000000001ACFE000-memory.dmp

Filesize
120KB

Download
memory/4744-37-0x0000000002230000-0x000000000223C000-memory.dmp

Filesize
48KB

Download
memory/4744-38-0x00000000022D0000-0x00000000022DE000-memory.dmp

Filesize
56KB

Download
memory/4744-39-0x000000001AD30000-0x000000001AD3E000-memory.dmp

Filesize
56KB

Download