asyncrat | 84dd345151b49e484014bb0345c60a5fc6919249ee641ee8ae697688103f2581

Analysis

max time kernel
46s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
18-07-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

685d2926745fbdfd13f779de45057f20N.exe
Size

503KB
MD5

685d2926745fbdfd13f779de45057f20
SHA1

6b4a1da2f466f300b2ea612848e74211724f1133
SHA256

84dd345151b49e484014bb0345c60a5fc6919249ee641ee8ae697688103f2581
SHA512

61f397924c64417c6ef15c8977de9f96d2f461fa4179569dd47d36127dbb4b2f791860ca91b3b01e10c46631784ee614dcae40f23d837a5310d62806afcedfbf
SSDEEP

12288:9lv312Z3bncmwdGe5hgD0glgTX98kcAWGfuP2Uz4:9J312ZYmwdGeE0glgJVWYuPhz4

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

91.92.255.37:6666

Attributes

delay
1
install
true
install_file
anarchy.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2964	powershell.exe
2804	powershell.exe
3028	powershell.exe
2544	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
2932	anarchy.exe
1800	anarchy.exe
2016	anarchy.exe
1820	anarchy.exe
828	anarchy.exe
608	anarchy.exe

Loads dropped DLL 1 IoCs

pid	Process
1972	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 2872	2708	685d2926745fbdfd13f779de45057f20N.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2788	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2848	schtasks.exe
2364	schtasks.exe
1952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2708	685d2926745fbdfd13f779de45057f20N.exe
2708	685d2926745fbdfd13f779de45057f20N.exe
2708	685d2926745fbdfd13f779de45057f20N.exe
2708	685d2926745fbdfd13f779de45057f20N.exe
2708	685d2926745fbdfd13f779de45057f20N.exe
2708	685d2926745fbdfd13f779de45057f20N.exe
2708	685d2926745fbdfd13f779de45057f20N.exe
2964	powershell.exe
2804	powershell.exe
2872	685d2926745fbdfd13f779de45057f20N.exe
2872	685d2926745fbdfd13f779de45057f20N.exe
2872	685d2926745fbdfd13f779de45057f20N.exe
2932	anarchy.exe
2932	anarchy.exe
2932	anarchy.exe
2932	anarchy.exe
2932	anarchy.exe
2932	anarchy.exe
3028	powershell.exe
2544	powershell.exe
2932	anarchy.exe
2932	anarchy.exe
2932	anarchy.exe
2932	anarchy.exe
2932	anarchy.exe
2932	anarchy.exe
2932	anarchy.exe
2932	anarchy.exe
2932	anarchy.exe
2932	anarchy.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	685d2926745fbdfd13f779de45057f20N.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2872	685d2926745fbdfd13f779de45057f20N.exe
Token: SeDebugPrivilege	2872	685d2926745fbdfd13f779de45057f20N.exe
Token: SeDebugPrivilege	2932	anarchy.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2964	2708	685d2926745fbdfd13f779de45057f20N.exe	31
PID 2708 wrote to memory of 2964	2708	685d2926745fbdfd13f779de45057f20N.exe	31
PID 2708 wrote to memory of 2964	2708	685d2926745fbdfd13f779de45057f20N.exe	31
PID 2708 wrote to memory of 2964	2708	685d2926745fbdfd13f779de45057f20N.exe	31
PID 2708 wrote to memory of 2804	2708	685d2926745fbdfd13f779de45057f20N.exe	33
PID 2708 wrote to memory of 2804	2708	685d2926745fbdfd13f779de45057f20N.exe	33
PID 2708 wrote to memory of 2804	2708	685d2926745fbdfd13f779de45057f20N.exe	33
PID 2708 wrote to memory of 2804	2708	685d2926745fbdfd13f779de45057f20N.exe	33
PID 2708 wrote to memory of 2848	2708	685d2926745fbdfd13f779de45057f20N.exe	35
PID 2708 wrote to memory of 2848	2708	685d2926745fbdfd13f779de45057f20N.exe	35
PID 2708 wrote to memory of 2848	2708	685d2926745fbdfd13f779de45057f20N.exe	35
PID 2708 wrote to memory of 2848	2708	685d2926745fbdfd13f779de45057f20N.exe	35
PID 2708 wrote to memory of 2872	2708	685d2926745fbdfd13f779de45057f20N.exe	37
PID 2708 wrote to memory of 2872	2708	685d2926745fbdfd13f779de45057f20N.exe	37
PID 2708 wrote to memory of 2872	2708	685d2926745fbdfd13f779de45057f20N.exe	37
PID 2708 wrote to memory of 2872	2708	685d2926745fbdfd13f779de45057f20N.exe	37
PID 2708 wrote to memory of 2872	2708	685d2926745fbdfd13f779de45057f20N.exe	37
PID 2708 wrote to memory of 2872	2708	685d2926745fbdfd13f779de45057f20N.exe	37
PID 2708 wrote to memory of 2872	2708	685d2926745fbdfd13f779de45057f20N.exe	37
PID 2708 wrote to memory of 2872	2708	685d2926745fbdfd13f779de45057f20N.exe	37
PID 2708 wrote to memory of 2872	2708	685d2926745fbdfd13f779de45057f20N.exe	37
PID 2872 wrote to memory of 348	2872	685d2926745fbdfd13f779de45057f20N.exe	38
PID 2872 wrote to memory of 348	2872	685d2926745fbdfd13f779de45057f20N.exe	38
PID 2872 wrote to memory of 348	2872	685d2926745fbdfd13f779de45057f20N.exe	38
PID 2872 wrote to memory of 348	2872	685d2926745fbdfd13f779de45057f20N.exe	38
PID 2872 wrote to memory of 1972	2872	685d2926745fbdfd13f779de45057f20N.exe	40
PID 2872 wrote to memory of 1972	2872	685d2926745fbdfd13f779de45057f20N.exe	40
PID 2872 wrote to memory of 1972	2872	685d2926745fbdfd13f779de45057f20N.exe	40
PID 2872 wrote to memory of 1972	2872	685d2926745fbdfd13f779de45057f20N.exe	40
PID 348 wrote to memory of 2364	348	cmd.exe	42
PID 348 wrote to memory of 2364	348	cmd.exe	42
PID 348 wrote to memory of 2364	348	cmd.exe	42
PID 348 wrote to memory of 2364	348	cmd.exe	42
PID 1972 wrote to memory of 2788	1972	cmd.exe	43
PID 1972 wrote to memory of 2788	1972	cmd.exe	43
PID 1972 wrote to memory of 2788	1972	cmd.exe	43
PID 1972 wrote to memory of 2788	1972	cmd.exe	43
PID 1972 wrote to memory of 2932	1972	cmd.exe	44
PID 1972 wrote to memory of 2932	1972	cmd.exe	44
PID 1972 wrote to memory of 2932	1972	cmd.exe	44
PID 1972 wrote to memory of 2932	1972	cmd.exe	44
PID 2932 wrote to memory of 3028	2932	anarchy.exe	45
PID 2932 wrote to memory of 3028	2932	anarchy.exe	45
PID 2932 wrote to memory of 3028	2932	anarchy.exe	45
PID 2932 wrote to memory of 3028	2932	anarchy.exe	45
PID 2932 wrote to memory of 2544	2932	anarchy.exe	47
PID 2932 wrote to memory of 2544	2932	anarchy.exe	47
PID 2932 wrote to memory of 2544	2932	anarchy.exe	47
PID 2932 wrote to memory of 2544	2932	anarchy.exe	47
PID 2932 wrote to memory of 1952	2932	anarchy.exe	48
PID 2932 wrote to memory of 1952	2932	anarchy.exe	48
PID 2932 wrote to memory of 1952	2932	anarchy.exe	48
PID 2932 wrote to memory of 1952	2932	anarchy.exe	48
PID 2932 wrote to memory of 2016	2932	anarchy.exe	51
PID 2932 wrote to memory of 2016	2932	anarchy.exe	51
PID 2932 wrote to memory of 2016	2932	anarchy.exe	51
PID 2932 wrote to memory of 2016	2932	anarchy.exe	51
PID 2932 wrote to memory of 1800	2932	anarchy.exe	52
PID 2932 wrote to memory of 1800	2932	anarchy.exe	52
PID 2932 wrote to memory of 1800	2932	anarchy.exe	52
PID 2932 wrote to memory of 1800	2932	anarchy.exe	52
PID 2932 wrote to memory of 1820	2932	anarchy.exe	53
PID 2932 wrote to memory of 1820	2932	anarchy.exe	53
PID 2932 wrote to memory of 1820	2932	anarchy.exe	53

C:\Users\Admin\AppData\Local\Temp\685d2926745fbdfd13f779de45057f20N.exe
"C:\Users\Admin\AppData\Local\Temp\685d2926745fbdfd13f779de45057f20N.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\685d2926745fbdfd13f779de45057f20N.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FLQabofktp.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FLQabofktp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A33.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\685d2926745fbdfd13f779de45057f20N.exe
  "C:\Users\Admin\AppData\Local\Temp\685d2926745fbdfd13f779de45057f20N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "anarchy" /tr '"C:\Users\Admin\AppData\Roaming\anarchy.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:348
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "anarchy" /tr '"C:\Users\Admin\AppData\Roaming\anarchy.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4192.tmp.bat""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2788
  - - C:\Users\Admin\AppData\Roaming\anarchy.exe
      "C:\Users\Admin\AppData\Roaming\anarchy.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\anarchy.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FLQabofktp.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FLQabofktp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D87.tmp"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1952
    - - C:\Users\Admin\AppData\Roaming\anarchy.exe
        
        "C:\Users\Admin\AppData\Roaming\anarchy.exe"
        5⤵
        Executes dropped EXE
        
        PID:2016
    - - C:\Users\Admin\AppData\Roaming\anarchy.exe
        
        "C:\Users\Admin\AppData\Roaming\anarchy.exe"
        5⤵
        Executes dropped EXE
        
        PID:1800
    - - C:\Users\Admin\AppData\Roaming\anarchy.exe
        
        "C:\Users\Admin\AppData\Roaming\anarchy.exe"
        5⤵
        Executes dropped EXE
        
        PID:1820
    - - C:\Users\Admin\AppData\Roaming\anarchy.exe
        
        "C:\Users\Admin\AppData\Roaming\anarchy.exe"
        5⤵
        Executes dropped EXE
        
        PID:828
    - - C:\Users\Admin\AppData\Roaming\anarchy.exe
        
        "C:\Users\Admin\AppData\Roaming\anarchy.exe"
        5⤵
        Executes dropped EXE
        
        PID:608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3A33.tmp

Filesize
1KB

MD5
c91fe24a87f9d01764a1eb38c3424f40

SHA1
20a7553696a2812acf0a67645284f61cad9e8bb3

SHA256
f5956cc60b7ec364e532948adc8810c1fe8e23d52a5e4953d946822b782e344c

SHA512
3487b5e5224fef665731868c0f75c79c41f16531a9d5fb8faab2a92848f2f2a692e33443c3fe6075826bbccd2d54936e1280aafb9869dfcd0bddc87091e12ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4192.tmp.bat

Filesize
151B

MD5
a81b0ed8ddb5ce585f5047c678b1a53c

SHA1
80bf83f2b6a6e328177d702ff9afbebe774871f1

SHA256
8d4a429902ae95e2733e32c97362ee4d3b275cfeb316c0971dd8d0d6664e230e

SHA512
4dd42ae2afce66ce4438b63fc0eae0003dacfb3e0e51ce21e20caae75f836de4c5f156383ca40e5dfd8f801196719e2004945fc399fcad3acb88b93ef685beba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2UN1T1888O8VMQQ9OT1P.temp

Filesize
7KB

MD5
0f0a14f1ced192432a8586ceb864afdc

SHA1
cccfb1abb95b57d3216b44c3c375f8388003b4a6

SHA256
73228d1154f6357678004134ed7800d8f801cac5b3a60741d1c6cbf279eb16b3

SHA512
4fdbe7c43aa4fbbfd293008fd5377d3a1cbb1a472597ab80dc572778612efff4b26c141b34e67f4327c2a88afca004f858987e4370394122585615c6ce1a591e

Download Submit
\Users\Admin\AppData\Roaming\anarchy.exe

Filesize
503KB

MD5
685d2926745fbdfd13f779de45057f20

SHA1
6b4a1da2f466f300b2ea612848e74211724f1133

SHA256
84dd345151b49e484014bb0345c60a5fc6919249ee641ee8ae697688103f2581

SHA512
61f397924c64417c6ef15c8977de9f96d2f461fa4179569dd47d36127dbb4b2f791860ca91b3b01e10c46631784ee614dcae40f23d837a5310d62806afcedfbf

Download Submit
memory/2708-30-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2708-1-0x0000000000330000-0x00000000003B4000-memory.dmp

Filesize
528KB

Download
memory/2708-2-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2708-3-0x00000000005C0000-0x00000000005E0000-memory.dmp

Filesize
128KB

Download
memory/2708-4-0x0000000000600000-0x0000000000614000-memory.dmp

Filesize
80KB

Download
memory/2708-5-0x00000000050F0000-0x0000000005148000-memory.dmp

Filesize
352KB

Download
memory/2708-0-0x0000000073FDE000-0x0000000073FDF000-memory.dmp

Filesize
4KB

Download
memory/2872-27-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2872-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2872-22-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2872-20-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2872-18-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2872-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2872-28-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2872-29-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2932-43-0x0000000000390000-0x0000000000414000-memory.dmp

Filesize
528KB

Download
memory/2932-44-0x00000000004E0000-0x00000000004F4000-memory.dmp

Filesize
80KB

Download