asyncrat | d857e148af64d7871408a6e36193737550e7daa3275da0e45af23d4e14a13327

General

Target

AsyncClient.exe
Size

45KB
MD5

22accbe478f9994e3c4a59d34544f86d
SHA1

dccd305c3cf6b9b4b383deea613db2bb4eea9916
SHA256

d857e148af64d7871408a6e36193737550e7daa3275da0e45af23d4e14a13327
SHA512

ba34b228bc6d86b8589a99b3e2baf40c5f88ecc2b45d48a5e4e69dc248d06237390e7a490881cbbdee834584059f13518a65811c78088898c1143bdbf3a4e392
SSDEEP

768:muTAlTP3IwK2WUwv2Mmo2qBwKjPGaG6PIyzjbFgX3iwUMp78CRsRHahBDZyx:muTAlTPrg2DKTkDy3bCXSwzmGdyx

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:7707

127.0.0.1:8808

Mutex

nhepZyFY8nWk

Attributes

delay
3
install
true
install_file
nigger.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000900000001aa6c-10.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2532	nigger.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
696	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3708	AsyncClient.exe
3708	AsyncClient.exe
3708	AsyncClient.exe
3708	AsyncClient.exe
3708	AsyncClient.exe
3708	AsyncClient.exe
3708	AsyncClient.exe
3708	AsyncClient.exe
3708	AsyncClient.exe
3708	AsyncClient.exe
3708	AsyncClient.exe
3708	AsyncClient.exe
3708	AsyncClient.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3708	AsyncClient.exe
Token: SeDebugPrivilege	2532	nigger.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 4528	3708	AsyncClient.exe	70
PID 3708 wrote to memory of 4528	3708	AsyncClient.exe	70
PID 3708 wrote to memory of 4528	3708	AsyncClient.exe	70
PID 3708 wrote to memory of 3576	3708	AsyncClient.exe	71
PID 3708 wrote to memory of 3576	3708	AsyncClient.exe	71
PID 3708 wrote to memory of 3576	3708	AsyncClient.exe	71
PID 3576 wrote to memory of 696	3576	cmd.exe	74
PID 3576 wrote to memory of 696	3576	cmd.exe	74
PID 3576 wrote to memory of 696	3576	cmd.exe	74
PID 4528 wrote to memory of 4928	4528	cmd.exe	75
PID 4528 wrote to memory of 4928	4528	cmd.exe	75
PID 4528 wrote to memory of 4928	4528	cmd.exe	75
PID 3576 wrote to memory of 2532	3576	cmd.exe	76
PID 3576 wrote to memory of 2532	3576	cmd.exe	76
PID 3576 wrote to memory of 2532	3576	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "nigger" /tr '"C:\Users\Admin\AppData\Roaming\nigger.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "nigger" /tr '"C:\Users\Admin\AppData\Roaming\nigger.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp356.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:696
- - C:\Users\Admin\AppData\Roaming\nigger.exe
    "C:\Users\Admin\AppData\Roaming\nigger.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp356.tmp.bat

Filesize
149B

MD5
d4406971e41a51a865bfe90aee937932

SHA1
fb82527b4d1ba119d836d137d73627c304edfea5

SHA256
66f3b03a1f4b94d9dac8c8370383d324e2e1d5eda30c55568186df67aef03016

SHA512
e82702105495aab065cab377e618d0d23c097b337811de02cf1d81b0977e52ce7743c266ed85305723b8a7a59fa18c7b8cd064d0fa592c018ba9de5ebfb07813

Download Submit
C:\Users\Admin\AppData\Roaming\nigger.exe

Filesize
45KB

MD5
22accbe478f9994e3c4a59d34544f86d

SHA1
dccd305c3cf6b9b4b383deea613db2bb4eea9916

SHA256
d857e148af64d7871408a6e36193737550e7daa3275da0e45af23d4e14a13327

SHA512
ba34b228bc6d86b8589a99b3e2baf40c5f88ecc2b45d48a5e4e69dc248d06237390e7a490881cbbdee834584059f13518a65811c78088898c1143bdbf3a4e392

Download Submit
memory/3708-0-0x00007FFF455D0000-0x00007FFF457AB000-memory.dmp

Filesize
1.9MB

Download
memory/3708-1-0x0000000000130000-0x0000000000142000-memory.dmp

Filesize
72KB

Download
memory/3708-2-0x0000000004A70000-0x0000000004B0C000-memory.dmp

Filesize
624KB

Download
memory/3708-7-0x00007FFF455D0000-0x00007FFF457AB000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads