asyncrat | 54be8cbccdc608e04565606140211beafd880986bb72e619f654e50017b3937b

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54be8cbccdc608e04565606140211beafd880986bb72e619f654e50017b3937b.exe
Size

4.5MB
MD5

45fefc291d2e7203fb9d7a30ffe2bda3
SHA1

7dcf0ddeb8f6d3040ace5eba01a3d5798960efad
SHA256

54be8cbccdc608e04565606140211beafd880986bb72e619f654e50017b3937b
SHA512

cf83540efacaa75743bf908db78f24af4b9bbf0e4738259fbcf6e14e4a26abb43b979f325ef27ff772d6956329c55758608fd6cca0452a65e240817bc0b752c0
SSDEEP

24576:DGlvCTLGrLNoWiTalwpibhjFoq+AnJDXbPjGeRKiBV1RsBwy97e5qX50f:ClvCYLOB7pib0q+ojGeRzBV1WBwy

Score

10^/10

asyncrat lm rat upx

Malware Config

Extracted

Family

asyncrat

Version

| Edit by Vinom Rat

Botnet

omarhassan.mywire.org:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1672-27-0x000001E40D3C0000-0x000001E40D3D6000-memory.dmp	family_asyncrat

Loads dropped DLL 1 IoCs

pid	Process
1672	odbcconf.EXE

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c0000000233b0-23.dat	upx
behavioral2/memory/1672-25-0x00007FFDB3500000-0x00007FFDB35FE000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
980	powershell.exe
980	powershell.exe
1672	odbcconf.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	980	powershell.exe
Token: SeIncreaseQuotaPrivilege	980	powershell.exe
Token: SeSecurityPrivilege	980	powershell.exe
Token: SeTakeOwnershipPrivilege	980	powershell.exe
Token: SeLoadDriverPrivilege	980	powershell.exe
Token: SeSystemProfilePrivilege	980	powershell.exe
Token: SeSystemtimePrivilege	980	powershell.exe
Token: SeProfSingleProcessPrivilege	980	powershell.exe
Token: SeIncBasePriorityPrivilege	980	powershell.exe
Token: SeCreatePagefilePrivilege	980	powershell.exe
Token: SeBackupPrivilege	980	powershell.exe
Token: SeRestorePrivilege	980	powershell.exe
Token: SeShutdownPrivilege	980	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeSystemEnvironmentPrivilege	980	powershell.exe
Token: SeRemoteShutdownPrivilege	980	powershell.exe
Token: SeUndockPrivilege	980	powershell.exe
Token: SeManageVolumePrivilege	980	powershell.exe
Token: 33	980	powershell.exe
Token: 34	980	powershell.exe
Token: 35	980	powershell.exe
Token: 36	980	powershell.exe
Token: SeIncreaseQuotaPrivilege	980	powershell.exe
Token: SeSecurityPrivilege	980	powershell.exe
Token: SeTakeOwnershipPrivilege	980	powershell.exe
Token: SeLoadDriverPrivilege	980	powershell.exe
Token: SeSystemProfilePrivilege	980	powershell.exe
Token: SeSystemtimePrivilege	980	powershell.exe
Token: SeProfSingleProcessPrivilege	980	powershell.exe
Token: SeIncBasePriorityPrivilege	980	powershell.exe
Token: SeCreatePagefilePrivilege	980	powershell.exe
Token: SeBackupPrivilege	980	powershell.exe
Token: SeRestorePrivilege	980	powershell.exe
Token: SeShutdownPrivilege	980	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeSystemEnvironmentPrivilege	980	powershell.exe
Token: SeRemoteShutdownPrivilege	980	powershell.exe
Token: SeUndockPrivilege	980	powershell.exe
Token: SeManageVolumePrivilege	980	powershell.exe
Token: 33	980	powershell.exe
Token: 34	980	powershell.exe
Token: 35	980	powershell.exe
Token: 36	980	powershell.exe
Token: SeIncreaseQuotaPrivilege	980	powershell.exe
Token: SeSecurityPrivilege	980	powershell.exe
Token: SeTakeOwnershipPrivilege	980	powershell.exe
Token: SeLoadDriverPrivilege	980	powershell.exe
Token: SeSystemProfilePrivilege	980	powershell.exe
Token: SeSystemtimePrivilege	980	powershell.exe
Token: SeProfSingleProcessPrivilege	980	powershell.exe
Token: SeIncBasePriorityPrivilege	980	powershell.exe
Token: SeCreatePagefilePrivilege	980	powershell.exe
Token: SeBackupPrivilege	980	powershell.exe
Token: SeRestorePrivilege	980	powershell.exe
Token: SeShutdownPrivilege	980	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeSystemEnvironmentPrivilege	980	powershell.exe
Token: SeRemoteShutdownPrivilege	980	powershell.exe
Token: SeUndockPrivilege	980	powershell.exe
Token: SeManageVolumePrivilege	980	powershell.exe
Token: 33	980	powershell.exe
Token: 34	980	powershell.exe
Token: 35	980	powershell.exe
Token: 36	980	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1672	odbcconf.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 5012	2512	54be8cbccdc608e04565606140211beafd880986bb72e619f654e50017b3937b.exe	89
PID 2512 wrote to memory of 5012	2512	54be8cbccdc608e04565606140211beafd880986bb72e619f654e50017b3937b.exe	89
PID 5012 wrote to memory of 980	5012	conhost.exe	90
PID 5012 wrote to memory of 980	5012	conhost.exe	90

C:\Users\Admin\AppData\Local\Temp\54be8cbccdc608e04565606140211beafd880986bb72e619f654e50017b3937b.exe
"C:\Users\Admin\AppData\Local\Temp\54be8cbccdc608e04565606140211beafd880986bb72e619f654e50017b3937b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\system32\conhost.exe
  "conhost.exe" --headless powershell.exe "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"odbcconf\" -Argument \" /S /F C:\Users\Admin\AppData/Roaming/Wy7UB.rsp\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'Ws7j9 Prefetch' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"odbcconf\" -Argument \" /S /F C:\Users\Admin\AppData/Roaming/Wy7UB.rsp\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'Ws7j9 Prefetch' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:980

C:\Windows\system32\odbcconf.EXE
C:\Windows\system32\odbcconf.EXE /S /F C:\Users\Admin\AppData/Roaming/Wy7UB.rsp
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vqax2oxd.up1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Wy7UB.dat

Filesize
663KB

MD5
658353ba6567b578ed92e65d93738812

SHA1
fd3beeac752894cb4c47d8911bc7eded750a148d

SHA256
56f671d122f538e52016f5dcf929c505c3ac13a2fcef3f7a73024b2564540b14

SHA512
7fd604c8628fa652300b64e2f9dfcf570bea8c0a197d9542610c4fe9aca932d8c8561844da4782aa7f100b5e4589dfd103750c3d28044a6c12f69a7c6809b612

Download Submit
C:\Users\Admin\AppData\Roaming\Wy7UB.rsp

Filesize
47B

MD5
9445b05f09c17dfc628c2bcbcab0d881

SHA1
7b41dd4b0088650d583244e3329cc7bda3b5559a

SHA256
603a93d00ec45e750c4ef383be77f327785ea2465ead01a3ea55f5ca3ad54f6d

SHA512
f748e1b3d8dbaa569eeaa0f024e3de6a2062e31d61108046ffab682f0fb9fbf24a6802f4e991b3bcdb7975cb575ec296fd8ff99bcc806e20598d951350ef1ce0

Download Submit
memory/980-10-0x00007FFDA2DF0000-0x00007FFDA38B1000-memory.dmp

Filesize
10.8MB

Download
memory/980-12-0x0000015CE1190000-0x0000015CE11B2000-memory.dmp

Filesize
136KB

Download
memory/980-13-0x00007FFDA2DF0000-0x00007FFDA38B1000-memory.dmp

Filesize
10.8MB

Download
memory/980-14-0x00007FFDA2DF0000-0x00007FFDA38B1000-memory.dmp

Filesize
10.8MB

Download
memory/980-17-0x00007FFDA2DF0000-0x00007FFDA38B1000-memory.dmp

Filesize
10.8MB

Download
memory/980-0-0x00007FFDA2DF3000-0x00007FFDA2DF5000-memory.dmp

Filesize
8KB

Download
memory/980-11-0x00007FFDA2DF0000-0x00007FFDA38B1000-memory.dmp

Filesize
10.8MB

Download
memory/1672-25-0x00007FFDB3500000-0x00007FFDB35FE000-memory.dmp

Filesize
1016KB

Download
memory/1672-26-0x000001E40EB90000-0x000001E40EC90000-memory.dmp

Filesize
1024KB

Download
memory/1672-27-0x000001E40D3C0000-0x000001E40D3D6000-memory.dmp

Filesize
88KB

Download
memory/1672-30-0x000001E40EB90000-0x000001E40EC90000-memory.dmp

Filesize
1024KB

Download
memory/2512-21-0x00007FF6F2B70000-0x00007FF6F2FF9000-memory.dmp

Filesize
4.5MB

Download