asyncrat | 54be8cbccdc608e04565606140211beafd880986bb72e619f654e50017b3937b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3H8.exe
Size

4.5MB
MD5

45fefc291d2e7203fb9d7a30ffe2bda3
SHA1

7dcf0ddeb8f6d3040ace5eba01a3d5798960efad
SHA256

54be8cbccdc608e04565606140211beafd880986bb72e619f654e50017b3937b
SHA512

cf83540efacaa75743bf908db78f24af4b9bbf0e4738259fbcf6e14e4a26abb43b979f325ef27ff772d6956329c55758608fd6cca0452a65e240817bc0b752c0
SSDEEP

24576:DGlvCTLGrLNoWiTalwpibhjFoq+AnJDXbPjGeRKiBV1RsBwy97e5qX50f:ClvCYLOB7pib0q+ojGeRzBV1WBwy

Score

10^/10

asyncrat lm rat upx

Malware Config

Extracted

Family

asyncrat

Version

| Edit by Vinom Rat

Botnet

omarhassan.mywire.org:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/224-26-0x00000213ED840000-0x00000213ED856000-memory.dmp	family_asyncrat

Loads dropped DLL 1 IoCs

pid	Process
224	odbcconf.EXE

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000234de-22.dat	upx
behavioral2/memory/224-24-0x00007FFCC4220000-0x00007FFCC431E000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2884	powershell.exe
2884	powershell.exe
224	odbcconf.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeIncreaseQuotaPrivilege	2884	powershell.exe
Token: SeSecurityPrivilege	2884	powershell.exe
Token: SeTakeOwnershipPrivilege	2884	powershell.exe
Token: SeLoadDriverPrivilege	2884	powershell.exe
Token: SeSystemProfilePrivilege	2884	powershell.exe
Token: SeSystemtimePrivilege	2884	powershell.exe
Token: SeProfSingleProcessPrivilege	2884	powershell.exe
Token: SeIncBasePriorityPrivilege	2884	powershell.exe
Token: SeCreatePagefilePrivilege	2884	powershell.exe
Token: SeBackupPrivilege	2884	powershell.exe
Token: SeRestorePrivilege	2884	powershell.exe
Token: SeShutdownPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeSystemEnvironmentPrivilege	2884	powershell.exe
Token: SeRemoteShutdownPrivilege	2884	powershell.exe
Token: SeUndockPrivilege	2884	powershell.exe
Token: SeManageVolumePrivilege	2884	powershell.exe
Token: 33	2884	powershell.exe
Token: 34	2884	powershell.exe
Token: 35	2884	powershell.exe
Token: 36	2884	powershell.exe
Token: SeIncreaseQuotaPrivilege	2884	powershell.exe
Token: SeSecurityPrivilege	2884	powershell.exe
Token: SeTakeOwnershipPrivilege	2884	powershell.exe
Token: SeLoadDriverPrivilege	2884	powershell.exe
Token: SeSystemProfilePrivilege	2884	powershell.exe
Token: SeSystemtimePrivilege	2884	powershell.exe
Token: SeProfSingleProcessPrivilege	2884	powershell.exe
Token: SeIncBasePriorityPrivilege	2884	powershell.exe
Token: SeCreatePagefilePrivilege	2884	powershell.exe
Token: SeBackupPrivilege	2884	powershell.exe
Token: SeRestorePrivilege	2884	powershell.exe
Token: SeShutdownPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeSystemEnvironmentPrivilege	2884	powershell.exe
Token: SeRemoteShutdownPrivilege	2884	powershell.exe
Token: SeUndockPrivilege	2884	powershell.exe
Token: SeManageVolumePrivilege	2884	powershell.exe
Token: 33	2884	powershell.exe
Token: 34	2884	powershell.exe
Token: 35	2884	powershell.exe
Token: 36	2884	powershell.exe
Token: SeIncreaseQuotaPrivilege	2884	powershell.exe
Token: SeSecurityPrivilege	2884	powershell.exe
Token: SeTakeOwnershipPrivilege	2884	powershell.exe
Token: SeLoadDriverPrivilege	2884	powershell.exe
Token: SeSystemProfilePrivilege	2884	powershell.exe
Token: SeSystemtimePrivilege	2884	powershell.exe
Token: SeProfSingleProcessPrivilege	2884	powershell.exe
Token: SeIncBasePriorityPrivilege	2884	powershell.exe
Token: SeCreatePagefilePrivilege	2884	powershell.exe
Token: SeBackupPrivilege	2884	powershell.exe
Token: SeRestorePrivilege	2884	powershell.exe
Token: SeShutdownPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeSystemEnvironmentPrivilege	2884	powershell.exe
Token: SeRemoteShutdownPrivilege	2884	powershell.exe
Token: SeUndockPrivilege	2884	powershell.exe
Token: SeManageVolumePrivilege	2884	powershell.exe
Token: 33	2884	powershell.exe
Token: 34	2884	powershell.exe
Token: 35	2884	powershell.exe
Token: 36	2884	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
224	odbcconf.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 4400	1212	3H8.exe	86
PID 1212 wrote to memory of 4400	1212	3H8.exe	86
PID 4400 wrote to memory of 2884	4400	conhost.exe	87
PID 4400 wrote to memory of 2884	4400	conhost.exe	87

C:\Users\Admin\AppData\Local\Temp\3H8.exe
"C:\Users\Admin\AppData\Local\Temp\3H8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\system32\conhost.exe
  "conhost.exe" --headless powershell.exe "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"odbcconf\" -Argument \" /S /F C:\Users\Admin\AppData/Roaming/rM1d4.rsp\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'EULa0 Prefetch' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"odbcconf\" -Argument \" /S /F C:\Users\Admin\AppData/Roaming/rM1d4.rsp\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'EULa0 Prefetch' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2884

C:\Windows\system32\odbcconf.EXE
C:\Windows\system32\odbcconf.EXE /S /F C:\Users\Admin\AppData/Roaming/rM1d4.rsp
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wqybfuxs.05w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\rM1d4.dat

Filesize
663KB

MD5
658353ba6567b578ed92e65d93738812

SHA1
fd3beeac752894cb4c47d8911bc7eded750a148d

SHA256
56f671d122f538e52016f5dcf929c505c3ac13a2fcef3f7a73024b2564540b14

SHA512
7fd604c8628fa652300b64e2f9dfcf570bea8c0a197d9542610c4fe9aca932d8c8561844da4782aa7f100b5e4589dfd103750c3d28044a6c12f69a7c6809b612

Download Submit
C:\Users\Admin\AppData\Roaming\rM1d4.rsp

Filesize
47B

MD5
f757e51f45dc00bebd320ef31a0a8b62

SHA1
939a12ac8902891148f29c43a8483cd915394937

SHA256
30a5f768c253b11eb481ca3f7467121d5201487f9f626d33ae5aa31517e2c156

SHA512
cdf44281dfd38edab52555c026c0469cd54759c17959aa5a601f7eb44365449ac688a17b19fdfc1a53e6d2cc4a0f41faf9b4aeaa8da54fcc633443ddcfed88fd

Download Submit
memory/224-29-0x00000213ED560000-0x00000213ED660000-memory.dmp

Filesize
1024KB

Download
memory/224-26-0x00000213ED840000-0x00000213ED856000-memory.dmp

Filesize
88KB

Download
memory/224-25-0x00000213ED560000-0x00000213ED660000-memory.dmp

Filesize
1024KB

Download
memory/224-24-0x00007FFCC4220000-0x00007FFCC431E000-memory.dmp

Filesize
1016KB

Download
memory/1212-20-0x00007FF615560000-0x00007FF6159E9000-memory.dmp

Filesize
4.5MB

Download
memory/2884-8-0x00000244EEAE0000-0x00000244EEB02000-memory.dmp

Filesize
136KB

Download
memory/2884-16-0x00007FFCB4910000-0x00007FFCB53D1000-memory.dmp

Filesize
10.8MB

Download
memory/2884-13-0x00007FFCB4910000-0x00007FFCB53D1000-memory.dmp

Filesize
10.8MB

Download
memory/2884-0-0x00007FFCB4913000-0x00007FFCB4915000-memory.dmp

Filesize
8KB

Download
memory/2884-2-0x00007FFCB4910000-0x00007FFCB53D1000-memory.dmp

Filesize
10.8MB

Download
memory/2884-1-0x00007FFCB4910000-0x00007FFCB53D1000-memory.dmp

Filesize
10.8MB

Download