asyncrat | fbb41333d4ca06cace9a9d040cc9c2a95a644a03298da9789def5f48e34f5515

Analysis

max time kernel
288s
max time network
294s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
17-07-2024 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ujuax.exe
Size

4.8MB
MD5

cc0586b98c46e5ed73efb1b0e9181130
SHA1

ff4a38d4acb50e4385727ef5455b77344b9b01c6
SHA256

b32f304e47735f05127ca24f7094514ef8b2b6d4d23c2b34a519ada6dc93b628
SHA512

2a8e5c1f6a449abe949b7e1fab291a1919bb80859648fd2bad50cf46964a3292db7f63663a4aa9f62993f3f85fb1e14fd05dfc68f9632e25f19a59bdf9e22468
SSDEEP

24576:D0cxDzNN+hJELofuY4e9fB03aZTtjck/aCbycRZxE7EiMdwTBHPJArTJnC03Ud1E:4cnk

Score

10^/10

asyncrat scar rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Scar

scar77747.duckdns.org:6606

scar77747.duckdns.org:7707

scar77747.duckdns.org:8808

Mutex

Alx_alx

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2824-4905-0x00000000051E0000-0x00000000051F6000-memory.dmp	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
1636	Scar.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3392	ipconfig.exe
4772	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	Ujuax.exe
Token: SeDebugPrivilege	2824	Ujuax.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1636	Scar.exe
Token: SeDebugPrivilege	1636	Scar.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 4316	2824	Ujuax.exe	74
PID 2824 wrote to memory of 4316	2824	Ujuax.exe	74
PID 2824 wrote to memory of 4316	2824	Ujuax.exe	74
PID 4316 wrote to memory of 3392	4316	cmd.exe	76
PID 4316 wrote to memory of 3392	4316	cmd.exe	76
PID 4316 wrote to memory of 3392	4316	cmd.exe	76
PID 2824 wrote to memory of 1520	2824	Ujuax.exe	77
PID 2824 wrote to memory of 1520	2824	Ujuax.exe	77
PID 2824 wrote to memory of 1520	2824	Ujuax.exe	77
PID 1636 wrote to memory of 4216	1636	Scar.exe	81
PID 1636 wrote to memory of 4216	1636	Scar.exe	81
PID 1636 wrote to memory of 4216	1636	Scar.exe	81
PID 4216 wrote to memory of 4772	4216	cmd.exe	83
PID 4216 wrote to memory of 4772	4216	cmd.exe	83
PID 4216 wrote to memory of 4772	4216	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\Ujuax.exe
"C:\Users\Admin\AppData\Local\Temp\Ujuax.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:3392
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAVQBqAHUAYQB4AC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABVAGoAdQBhAHgALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAFMAYwBhAHIALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAFMAYwBhAHIALgBlAHgAZQA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1520

C:\Users\Admin\AppData\Roaming\Scar.exe
C:\Users\Admin\AppData\Roaming\Scar.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_12kqraar.mj4.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Scar.exe

Filesize
4.8MB

MD5
cc0586b98c46e5ed73efb1b0e9181130

SHA1
ff4a38d4acb50e4385727ef5455b77344b9b01c6

SHA256
b32f304e47735f05127ca24f7094514ef8b2b6d4d23c2b34a519ada6dc93b628

SHA512
2a8e5c1f6a449abe949b7e1fab291a1919bb80859648fd2bad50cf46964a3292db7f63663a4aa9f62993f3f85fb1e14fd05dfc68f9632e25f19a59bdf9e22468

Download Submit
memory/1520-4937-0x0000000009880000-0x0000000009914000-memory.dmp

Filesize
592KB

Download
memory/1520-4912-0x0000000008450000-0x00000000084C6000-memory.dmp

Filesize
472KB

Download
memory/1520-5130-0x00000000097E0000-0x00000000097FA000-memory.dmp

Filesize
104KB

Download
memory/1520-4900-0x0000000006C90000-0x0000000006CC6000-memory.dmp

Filesize
216KB

Download
memory/1520-4936-0x00000000096A0000-0x0000000009745000-memory.dmp

Filesize
660KB

Download
memory/1520-4931-0x00000000092F0000-0x000000000930E000-memory.dmp

Filesize
120KB

Download
memory/1520-4930-0x000000006EF10000-0x000000006EF5B000-memory.dmp

Filesize
300KB

Download
memory/1520-4929-0x0000000009310000-0x0000000009343000-memory.dmp

Filesize
204KB

Download
memory/1520-5172-0x0000000073140000-0x000000007382E000-memory.dmp

Filesize
6.9MB

Download
memory/1520-5135-0x00000000097C0000-0x00000000097C8000-memory.dmp

Filesize
32KB

Download
memory/1520-4911-0x0000000008680000-0x00000000086CB000-memory.dmp

Filesize
300KB

Download
memory/1520-4910-0x0000000008150000-0x000000000816C000-memory.dmp

Filesize
112KB

Download
memory/1520-4909-0x0000000007B30000-0x0000000007E80000-memory.dmp

Filesize
3.3MB

Download
memory/1520-4908-0x0000000007A00000-0x0000000007A66000-memory.dmp

Filesize
408KB

Download
memory/1520-4907-0x0000000007320000-0x0000000007386000-memory.dmp

Filesize
408KB

Download
memory/1520-4906-0x0000000007280000-0x00000000072A2000-memory.dmp

Filesize
136KB

Download
memory/1520-4902-0x0000000073140000-0x000000007382E000-memory.dmp

Filesize
6.9MB

Download
memory/1520-4903-0x00000000073D0000-0x00000000079F8000-memory.dmp

Filesize
6.2MB

Download
memory/1520-4901-0x0000000073140000-0x000000007382E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-44-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-4897-0x0000000005130000-0x0000000005184000-memory.dmp

Filesize
336KB

Download
memory/2824-42-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-35-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-26-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-24-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-22-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-20-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-18-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-16-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-12-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-10-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-28-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-6-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-5-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-68-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-66-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-4891-0x0000000073140000-0x000000007382E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-4893-0x0000000005040000-0x000000000508C000-memory.dmp

Filesize
304KB

Download
memory/2824-4894-0x0000000073140000-0x000000007382E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-4892-0x0000000004FE0000-0x000000000503E000-memory.dmp

Filesize
376KB

Download
memory/2824-4895-0x000000007314E000-0x000000007314F000-memory.dmp

Filesize
4KB

Download
memory/2824-4896-0x0000000073140000-0x000000007382E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-30-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-32-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-36-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-38-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-40-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-4905-0x00000000051E0000-0x00000000051F6000-memory.dmp

Filesize
88KB

Download
memory/2824-0-0x000000007314E000-0x000000007314F000-memory.dmp

Filesize
4KB

Download
memory/2824-46-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-48-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-50-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-54-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-56-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-60-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-62-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-64-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-58-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-52-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-14-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-8-0x00000000061D0000-0x00000000063ED000-memory.dmp

Filesize
2.1MB

Download
memory/2824-4-0x0000000006490000-0x0000000006522000-memory.dmp

Filesize
584KB

Download
memory/2824-3-0x00000000068F0000-0x0000000006DEE000-memory.dmp

Filesize
5.0MB

Download
memory/2824-2-0x00000000061D0000-0x00000000063F4000-memory.dmp

Filesize
2.1MB

Download
memory/2824-5171-0x00000000060A0000-0x000000000613C000-memory.dmp

Filesize
624KB

Download
memory/2824-1-0x0000000000210000-0x00000000006D8000-memory.dmp

Filesize
4.8MB

Download