asyncrat | 0b29711ec115c27f4cd6963b9ea1e4febf15624f1c17d1c018611ee3df8c333c

Analysis

max time kernel
283s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AsyncRAT/AsyncRAT.exe
Size

6.4MB
MD5

97a429c4b6a2cb95ece0ddb24c3c2152
SHA1

6fcc26793dd474c0c7113b3360ff29240d9a9020
SHA256

06899071233d61009a64c726a4523aa13d81c2517a0486cc99ac5931837008e5
SHA512

524a63f39e472bd052a258a313ff4f2005041b31f11da4774d3d97f72773f3edb40df316fa9cc2a0f51ea5d8ac404cfdd486bab6718bae60f0d860e98e533f89
SSDEEP

98304:+bPmDVa3VxobFwUN5xXhAqin1MNuSZTKA0t9FFPEG6xJJ33Je2PsBpCz6Ry:+7aIXUN5htin2bk9fcPHJDE7Cz60

Score

10^/10

asyncrat default evasion rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

V0HPM74cEASN

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	AsyncClient.exe

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x000900000002350c-70.dat	family_asyncrat
behavioral1/files/0x0007000000023513-116.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
4992	AsyncClient.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 19002f433a5c000000000000000000000000000000000000000000	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0\0\0	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0 = 5000310000000000e958d076100041646d696e003c0009000400efbee9586570ef58373f2e00000066e10100000001000000000000000000000000000000d4d9b600410064006d0069006e00000014000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0\0 = 5600310000000000e958657012004170704461746100400009000400efbee9586570ef58373f2e00000071e10100000001000000000000000000000000000000a63560004100700070004400610074006100000016000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0\0	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0\0\0\0\0 = 5a00310000000000ef583b3f10004173796e635241540000420009000400efbeef58373fef583d3f2e000000e2340200000008000000000000000000000000000000b75efb004100730079006e006300520041005400000018000000	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0\0\0 = 5000310000000000ef58543f10004c6f63616c003c0009000400efbee9586570ef58543f2e00000084e10100000001000000000000000000000000000000f27519014c006f00630061006c00000014000000	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0\0\0\0\0\NodeSlot = "3"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0\0\0\0\0	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0\0\0\0 = 4e00310000000000ef58373f100054656d7000003a0009000400efbee9586570ef58373f2e00000085e1010000000100000000000000000000000000000004ab2701540065006d007000000014000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	AsyncRAT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0\0\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0\0\0\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	AsyncRAT.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3636	AsyncRAT.exe
3404	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3404	taskmgr.exe
Token: SeSystemProfilePrivilege	3404	taskmgr.exe
Token: SeCreateGlobalPrivilege	3404	taskmgr.exe
Token: SeDebugPrivilege	4992	AsyncClient.exe
Token: SeDebugPrivilege	3636	AsyncRAT.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3636	AsyncRAT.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3636	AsyncRAT.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3636	AsyncRAT.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3636	AsyncRAT.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3636	AsyncRAT.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe
3636	AsyncRAT.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 3860	4992	AsyncClient.exe	100
PID 4992 wrote to memory of 3860	4992	AsyncClient.exe	100
PID 4992 wrote to memory of 3860	4992	AsyncClient.exe	100

C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncRAT\AsyncRAT.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3636

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4776

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3404

C:\Users\Admin\Desktop\AsyncClient.exe
"C:\Users\Admin\Desktop\AsyncClient.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_bsozgjfh10ettuvlzzecwz2b2kv3ubbv\0.5.8.0\user.config

Filesize
319B

MD5
f71f55112253acc1ef2ecd0a61935970

SHA1
faa9d50656e386e460278d31b1d9247fdd947bb7

SHA256
d1ad588a08c8c0799d7a14509f1e0a7ae04c519102ed9d328a83fe65999e6179

SHA512
761b5c13e39bd4ae21d298084bbe747ae71c383fedf9a51fd5e9723a8b3b4547de459d82bac7f3f8f3bfc11cfb0528a4f1057b51996d7d046583109a53317b44

Download Submit
C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_bsozgjfh10ettuvlzzecwz2b2kv3ubbv\0.5.8.0\user.config

Filesize
1KB

MD5
fa1735ee067b96995c667f635bee3f2a

SHA1
a54e37741d2ffd369f8f918e432e9a89dfc5d0be

SHA256
4d609d4a705f8cfd4c0a3b959c7b32024c49664a14d7a7cfee8367fb27d073fd

SHA512
e6e16e1e5bc03d73c8123a8b5f2deefcaf0f4111169fd7f5f1036d24c5e68b60472700910fba6080ab5628a402a0ebc8a9f944489562f349272331d2871ddb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsyncRAT\ServerCertificate.p12

Filesize
4KB

MD5
351d9f2636b56a0522ec967ea5005d78

SHA1
5399c877b689c306877d86f49da5fa003030b9e6

SHA256
8004770a84e762385602e1bd7f20ffc4204b1008612406e988dd65925d385e86

SHA512
b11e3c4a1a36cd85e4158e7b6262e564da97ec812b34e53f3e613b5b511278bd2c8e29236b416eb19e233600ecd43ccf70e6314a3871698f83ffa851acc7602b

Download Submit
C:\Users\Admin\Desktop\AsyncClient.exe

Filesize
45KB

MD5
c25cc15aeccd4b5d2c58e85a7ab13002

SHA1
f402e8e4d362ca296586059b7dd3672917b5c7c2

SHA256
dba6bf3406a55aab1222de327323fa81371fb733902a07ec009589625c8c70ab

SHA512
c26e14728a43298294c7b32735e82424e241be9ffec4ee340e642c665d52a49092bcd39b124f34df3946a99cb890beb320b147b8f4d3503c080f5dbfda755a22

Download Submit
C:\Users\Admin\Desktop\AsyncClient.exe

Filesize
47KB

MD5
8d311822b8149ecba73a7294845d832d

SHA1
e5eb35c7826912611568752edd6b37e729d7f83f

SHA256
487e0ff73811c3d30c7d801a9a2fbc241ee4d47b2644309cba06be35a63f6610

SHA512
6fe9503cf3edf9d249c50cc43f681e31dbc926df10519b88cc86dbbf2581d37784900b477fded24c71c3643fb817e6a713a5dfea7a8d214052a4569914eff4e2

Download Submit
memory/3404-64-0x0000024DCB870000-0x0000024DCB871000-memory.dmp

Filesize
4KB

Download
memory/3404-63-0x0000024DCB870000-0x0000024DCB871000-memory.dmp

Filesize
4KB

Download
memory/3404-65-0x0000024DCB870000-0x0000024DCB871000-memory.dmp

Filesize
4KB

Download
memory/3404-66-0x0000024DCB870000-0x0000024DCB871000-memory.dmp

Filesize
4KB

Download
memory/3404-67-0x0000024DCB870000-0x0000024DCB871000-memory.dmp

Filesize
4KB

Download
memory/3404-68-0x0000024DCB870000-0x0000024DCB871000-memory.dmp

Filesize
4KB

Download
memory/3404-69-0x0000024DCB870000-0x0000024DCB871000-memory.dmp

Filesize
4KB

Download
memory/3404-59-0x0000024DCB870000-0x0000024DCB871000-memory.dmp

Filesize
4KB

Download
memory/3404-58-0x0000024DCB870000-0x0000024DCB871000-memory.dmp

Filesize
4KB

Download
memory/3404-57-0x0000024DCB870000-0x0000024DCB871000-memory.dmp

Filesize
4KB

Download
memory/3636-19-0x00007FFEF9080000-0x00007FFEF9B41000-memory.dmp

Filesize
10.8MB

Download
memory/3636-4-0x00007FFEF9080000-0x00007FFEF9B41000-memory.dmp

Filesize
10.8MB

Download
memory/3636-26-0x000002DC60490000-0x000002DC60498000-memory.dmp

Filesize
32KB

Download
memory/3636-50-0x000002DC604A0000-0x000002DC604BA000-memory.dmp

Filesize
104KB

Download
memory/3636-25-0x00007FFEF9080000-0x00007FFEF9B41000-memory.dmp

Filesize
10.8MB

Download
memory/3636-24-0x00007FFEF9080000-0x00007FFEF9B41000-memory.dmp

Filesize
10.8MB

Download
memory/3636-20-0x00007FFEF9080000-0x00007FFEF9B41000-memory.dmp

Filesize
10.8MB

Download
memory/3636-0-0x00007FFEF9083000-0x00007FFEF9085000-memory.dmp

Filesize
8KB

Download
memory/3636-18-0x00007FFEF9080000-0x00007FFEF9B41000-memory.dmp

Filesize
10.8MB

Download
memory/3636-17-0x00007FFEF9083000-0x00007FFEF9085000-memory.dmp

Filesize
8KB

Download
memory/3636-9-0x000002DC62C00000-0x000002DC62E80000-memory.dmp

Filesize
2.5MB

Download
memory/3636-8-0x000002DC5F8A0000-0x000002DC5F8B2000-memory.dmp

Filesize
72KB

Download
memory/3636-7-0x00007FFEF9080000-0x00007FFEF9B41000-memory.dmp

Filesize
10.8MB

Download
memory/3636-6-0x000002DC5F890000-0x000002DC5F89A000-memory.dmp

Filesize
40KB

Download
memory/3636-5-0x00007FFEF9080000-0x00007FFEF9B41000-memory.dmp

Filesize
10.8MB

Download
memory/3636-29-0x000002DC65E70000-0x000002DC65F96000-memory.dmp

Filesize
1.1MB

Download
memory/3636-3-0x000002DC5F460000-0x000002DC5F6B2000-memory.dmp

Filesize
2.3MB

Download
memory/3636-1-0x000002DC44720000-0x000002DC44D8A000-memory.dmp

Filesize
6.4MB

Download
memory/4992-125-0x0000000007080000-0x000000000709E000-memory.dmp

Filesize
120KB

Download
memory/4992-119-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/4992-120-0x0000000005C70000-0x0000000005D0C000-memory.dmp

Filesize
624KB

Download
memory/4992-121-0x0000000006600000-0x0000000006BA4000-memory.dmp

Filesize
5.6MB

Download
memory/4992-123-0x00000000070B0000-0x0000000007126000-memory.dmp

Filesize
472KB

Download
memory/4992-124-0x0000000007330000-0x00000000073CC000-memory.dmp

Filesize
624KB

Download
memory/4992-118-0x0000000000E40000-0x0000000000E52000-memory.dmp

Filesize
72KB

Download
memory/4992-126-0x00000000073D0000-0x0000000007410000-memory.dmp

Filesize
256KB

Download
memory/4992-127-0x0000000007410000-0x000000000741A000-memory.dmp

Filesize
40KB

Download
memory/4992-128-0x0000000001380000-0x00000000013F8000-memory.dmp

Filesize
480KB

Download
memory/4992-129-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4992-130-0x00000000078B0000-0x0000000007942000-memory.dmp

Filesize
584KB

Download
memory/4992-131-0x0000000007950000-0x00000000079E2000-memory.dmp

Filesize
584KB

Download