asyncrat | 651ae3e16cafdf6057e1ce6508136b975833a7bc5efec2280eee454c85595868

Analysis

max time kernel
81s
max time network
77s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 16:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AsyncRAT-modified_Edition_2024-main/AsyncRAT.exe
Size

4.9MB
MD5

d5b006ed22c1c641003eb6b601870e3d
SHA1

fc033c5e9f9a80b6236bb1ec7c34c5f6b77bfff4
SHA256

31e790fabe30ecd87f47d12b5512eea5287a58666f323af0c903f62343a51df2
SHA512

6245f86dc16128813cf7669e396f0b88f38d6f47de3f76c5be552b432bb4608c189fc8bb8d6818d6b4785c2394812dd64d8a5f298da4faa3fa25d33d334e8df2
SSDEEP

98304:3Wp7fnwdPuW7ciw3/VnnX4t/hDIQLbl171NLaEZZfbrX+ps5fIOfatdzL8:3WpDOmW7KPVnI1h17aGZn+ps5fvStdX

Score

10^/10

asyncrat default persistence rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit by Vinom Rat

Botnet

Default

microsoftssl.ddns.net:6606

microsoftssl.ddns.net:7707

microsoftssl.ddns.net:8808

microsoftssl.ddns.net:222

microsoftssl.ddns.net:5005

microsoftssl.ddns.net:1001

microsoftssl.ddns.net:1002

microsoftssl.ddns.net:1003

microsoftssl.ddns.net:1004

microsoftssl.ddns.net:1005

microsoftssl.ddns.net:2001

microsoftssl.ddns.net:2002

microsoftssl.ddns.net:2003

microsoftssl.ddns.net:2004

microsoftssl.ddns.net:2005

microsoftssl.ddns.net:8080

code0xxx.duckdns.org:6606

code0xxx.duckdns.org:7707

code0xxx.duckdns.org:8808

code0xxx.duckdns.org:222

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0005000000019cb1-17.dat	family_asyncrat

Executes dropped EXE 3 IoCs

pid	Process
2324	AsyncRAT.exe
2804	svchost.exe
1648	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2580	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AsyncRAT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2720	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2324	AsyncRAT.exe
2324	AsyncRAT.exe
2324	AsyncRAT.exe
2324	AsyncRAT.exe
2324	AsyncRAT.exe
2324	AsyncRAT.exe
2324	AsyncRAT.exe
2324	AsyncRAT.exe
2324	AsyncRAT.exe
2324	AsyncRAT.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
1648	svchost.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
1648	svchost.exe
1648	svchost.exe
1648	svchost.exe
1648	svchost.exe
1648	svchost.exe
1648	svchost.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2668	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	svchost.exe
Token: SeDebugPrivilege	2668	taskmgr.exe
Token: SeDebugPrivilege	1648	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2324	AsyncRAT.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2324	AsyncRAT.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe
2668	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1648	svchost.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2324	1916	AsyncRAT.exe	31
PID 1916 wrote to memory of 2324	1916	AsyncRAT.exe	31
PID 1916 wrote to memory of 2324	1916	AsyncRAT.exe	31
PID 1916 wrote to memory of 2804	1916	AsyncRAT.exe	33
PID 1916 wrote to memory of 2804	1916	AsyncRAT.exe	33
PID 1916 wrote to memory of 2804	1916	AsyncRAT.exe	33
PID 1916 wrote to memory of 2804	1916	AsyncRAT.exe	33
PID 2804 wrote to memory of 2840	2804	svchost.exe	34
PID 2804 wrote to memory of 2840	2804	svchost.exe	34
PID 2804 wrote to memory of 2840	2804	svchost.exe	34
PID 2804 wrote to memory of 2840	2804	svchost.exe	34
PID 2804 wrote to memory of 2580	2804	svchost.exe	36
PID 2804 wrote to memory of 2580	2804	svchost.exe	36
PID 2804 wrote to memory of 2580	2804	svchost.exe	36
PID 2804 wrote to memory of 2580	2804	svchost.exe	36
PID 2840 wrote to memory of 2252	2840	cmd.exe	38
PID 2840 wrote to memory of 2252	2840	cmd.exe	38
PID 2840 wrote to memory of 2252	2840	cmd.exe	38
PID 2840 wrote to memory of 2252	2840	cmd.exe	38
PID 2580 wrote to memory of 2720	2580	cmd.exe	39
PID 2580 wrote to memory of 2720	2580	cmd.exe	39
PID 2580 wrote to memory of 2720	2580	cmd.exe	39
PID 2580 wrote to memory of 2720	2580	cmd.exe	39
PID 2580 wrote to memory of 1648	2580	cmd.exe	41
PID 2580 wrote to memory of 1648	2580	cmd.exe	41
PID 2580 wrote to memory of 1648	2580	cmd.exe	41
PID 2580 wrote to memory of 1648	2580	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\AsyncRAT-modified_Edition_2024-main\AsyncRAT.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncRAT-modified_Edition_2024-main\AsyncRAT.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AsyncRAT.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AsyncRAT.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp12C6.tmp.bat""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2720
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1648

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2236

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AsyncRAT.exe

Filesize
7.1MB

MD5
d974876918c358db7b356403a21a674e

SHA1
c0056644d00aeb9f3e2267d803fe7a8b87ebfe65

SHA256
c51a0017762a31bda284c235eb470b46810c177ee785624bef75cff9bbc3f062

SHA512
449660d5bc3478c3a69594421b4adf404354841762f2a677c9f018d5c76dbc5bd23cbbaa9d31371531ac829f999d362ce7773812085b783805e71932b38d2a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fixer.bat

Filesize
141B

MD5
52ab2690a33a51804764be81820504aa

SHA1
36af53e8b27ea737c255402156c77c5f9be17aa0

SHA256
5255fa89ba49c5f1f2c81d66d42e3b16305296945683954eab1492ed11b90b4c

SHA512
95579203bd7e3f2104ad2f886b162f9938d6e371ba351b0b9c5fb5d3368d674f22f4c2ccc54aece5a9ab5f044ca9deeed63a4ad30ffd42787c54807c8396f21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe

Filesize
66KB

MD5
72931b9662ee2f0bed8baef7f82b3252

SHA1
e0a3702d37e5162c96c2dfc685c41fb6ba982ecc

SHA256
433edee85a88d331ceff674c22a0997516e57a036c6faa9a50ef8abe5194fc48

SHA512
12c16b7af339f62ef2d8ccc2a8867c0aba7c6ee85de03324c2ccb43e01454acea46d13dd94afea1edaae78f2d56602cc7616b9f77b325e5be2aebdfe61fd95c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp12C6.tmp.bat

Filesize
151B

MD5
9075e85092c6a93e19b99de11fe46097

SHA1
82b2acd6da79532531a88e084e5229358bb216db

SHA256
52333019a34d782b80d8f2e8afce7534d558edf99f3e71d1c01d19c8047b9ad1

SHA512
9b6f4f431873c693db086e8e0d6d048bca28d4cbaa82a4026fa02f2660b89f5061d2b880200d4615d0e00a948ba58e94087ffe4fcf3f234a3a13cbdcd35e9d84

Download Submit
memory/1648-35-0x0000000001130000-0x0000000001146000-memory.dmp

Filesize
88KB

Download
memory/2324-11-0x000000001B990000-0x000000001BBE2000-memory.dmp

Filesize
2.3MB

Download
memory/2324-13-0x000007FEF60F0000-0x000007FEF6ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2324-14-0x000007FEF60F0000-0x000007FEF6ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2324-12-0x000007FEF60F0000-0x000007FEF6ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2324-10-0x000007FEF60F0000-0x000007FEF6ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2324-8-0x0000000000CF0000-0x000000000140C000-memory.dmp

Filesize
7.1MB

Download
memory/2324-7-0x000007FEF60F3000-0x000007FEF60F4000-memory.dmp

Filesize
4KB

Download
memory/2668-30-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2668-31-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2668-36-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/2668-39-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2668-40-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2804-19-0x00000000002E0000-0x00000000002F6000-memory.dmp

Filesize
88KB

Download