asyncrat | ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

powershell_script.exe
Size

1.2MB
MD5

5c4e8e94fdb71b3ff3a21f09ac5139a3
SHA1

423a608f65cddad090bf6d157ab8b24ac033f105
SHA256

ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa
SHA512

23962f4feb869e2fcfaad80386def9b13ed431cc4184e56a9a131169ae589a8bb399dd949640d098d942b6d38bf9b9b9f4cbd91f887b6e1a445d80874e946e33
SSDEEP

24576:QUNxvqF6FGYJf6yjNQpNONZNlTX5PlGPgquLEIWxUc7N11QaSYx7GqFT:QUNxvC6FGYJf6yjNQpNONZnTX5PlGPgY

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

anahowaanaa.ddnsfree.com:1111

Mutex

AsyncMutex_6SI8OkSS5

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoHotkeyU64.exe	AutoHotkeyU64.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoHotkeyU64.exe	AutoHotkeyU64.exe

Executes dropped EXE 1 IoCs

pid	Process
1116	AutoHotkeyU64.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1116 set thread context of 3552	1116	AutoHotkeyU64.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3536	WINWORD.EXE
3536	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3552	AppLaunch.exe
3552	AppLaunch.exe
3552	AppLaunch.exe
3552	AppLaunch.exe
3552	AppLaunch.exe
3552	AppLaunch.exe
3552	AppLaunch.exe
3552	AppLaunch.exe
3552	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3552	AppLaunch.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4792	powershell_script.exe
4792	powershell_script.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4792	powershell_script.exe
4792	powershell_script.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3552	AppLaunch.exe
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE
3536	WINWORD.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 1116	4792	powershell_script.exe	87
PID 4792 wrote to memory of 1116	4792	powershell_script.exe	87
PID 1116 wrote to memory of 3552	1116	AutoHotkeyU64.exe	88
PID 1116 wrote to memory of 3552	1116	AutoHotkeyU64.exe	88
PID 1116 wrote to memory of 3552	1116	AutoHotkeyU64.exe	88
PID 1116 wrote to memory of 3552	1116	AutoHotkeyU64.exe	88
PID 1116 wrote to memory of 3552	1116	AutoHotkeyU64.exe	88
PID 1116 wrote to memory of 3552	1116	AutoHotkeyU64.exe	88
PID 1116 wrote to memory of 3552	1116	AutoHotkeyU64.exe	88
PID 1116 wrote to memory of 3552	1116	AutoHotkeyU64.exe	88

C:\Users\Admin\AppData\Local\Temp\powershell_script.exe
"C:\Users\Admin\AppData\Local\Temp\powershell_script.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\Documents\AutoHotkeyU64.exe
  C:\Users\Admin\Documents\AutoHotkeyU64.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3552

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "C:\Users\Admin\Desktop\DenyReceive.docx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDE83B.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
379B

MD5
39d9ced584186e7ba5457cc6775c8704

SHA1
bc500bd84d48e5b04300e40c2de4c74e4f816f50

SHA256
58dd57b17a54dc026bb6d5f7d75a117ef6521a161a1ad1d5c0a4f83f18292282

SHA512
41a5dd8b8238978352cad199f9d61c74777d154dc0b09da7e8e173fa285882a74ced00e75edd0d693420b4242b1322f0a5b405a5920601990ca62f9bec2bdf60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
25e31d9109ed923a78bd2f8fb621f740

SHA1
7ae3cdf6ef530cfa7cb8d40a84271c7dacb6476a

SHA256
0e9a807995f79063d3d2a61c9d7644d0cc5ff450bec34c02310a3b084b179802

SHA512
b1f667aff84300c49e2832bc77e55312370d2b813929d2e7f8570c0e9ee375fac9b53981bdad5f824d0a8f0ed9f2d158aead6bcda4ea6d4e1ff10301a1bc41b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
97051da67a610670c0a006a6209625ac

SHA1
2fe7df73fabf5ba84113a9c0fc0e3c531364c71c

SHA256
332ee1e16754232e2a63b8160579fb70f5e514fc77283aeb8497402a68e66f7d

SHA512
0b11a1caff2386a4d844d350fb41d2acbc1e9c32891211ddda38ebd0acc3d1f0833b4b2627c091ae596a236f7c0d456ff416e0222022a744083e114a119d6c2f

Download Submit
C:\Users\Admin\Documents\AutoHotkeyU64.ahk

Filesize
6KB

MD5
50b2fd640a95e3caf440bc3d8249c846

SHA1
46c7bd930438868a415b836b6aff4ca27cdf66f7

SHA256
d01e36c121b947001a82255fa8c767084daa0cee5f10f7816036aa87e2f4da9e

SHA512
a38b6b5bd38199bb08359750edc98c7d78f02f235ca530837ee2e5b6b6349bd96b132512e6db7f85da895f9ee4db3a791a97c59e4f543e9558dda02fa8797fa6

Download Submit
C:\Users\Admin\Documents\AutoHotkeyU64.exe

Filesize
1.3MB

MD5
2d0600fe2b1b3bdc45d833ca32a37fdb

SHA1
e9a7411bfef54050de3b485833556f84cabd6e41

SHA256
effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696

SHA512
9891cd6d2140c3a5c20d5c2d6600f3655df437b99b09ae0f9daf1983190dc73385cc87f02508997bb696ac921eee43fccdf1dc210cc602938807bdb062ce1703

Download Submit
C:\Users\Admin\Documents\str.txt

Filesize
206KB

MD5
5faebcef5aa3a89fd67a311f470bd7ae

SHA1
6b406724e0addfd21d39c5b7b004bc5548c1f4d0

SHA256
3f63892d771615d05ab2b884369f8dea2e0a36a2704ab2009762ed1f33892aff

SHA512
d54dfb9a54e5ac92468397a94e393022802be65312d317d660fcb70c00ea91b23fc1167a9bca0b5c83dcb3a18fc9b1677bf82bb00de888a8631fec103b19e337

Download Submit
C:\Users\Admin\Documents\test.zip

Filesize
659KB

MD5
ecfff2ef9131457dced515713825041d

SHA1
3709b6fddcdd2c30ad2b79d617264f8f94c52b96

SHA256
c2205bea1e3cc1adba1b40c00f810b6927bbe3d2c373973f8a62c39acb4320c7

SHA512
c24cf73b42663bb6aacc5b1d3f8b5853be659eed264fc6b1e05d9d999995a0c70b100b4c4b147b56f17195ac5d9cd219b2119234d33887d9e98807824d417e6d

Download Submit
memory/3536-73-0x00007FFA99530000-0x00007FFA99540000-memory.dmp

Filesize
64KB

Download
memory/3536-77-0x00007FFA97330000-0x00007FFA97340000-memory.dmp

Filesize
64KB

Download
memory/3536-76-0x00007FFA97330000-0x00007FFA97340000-memory.dmp

Filesize
64KB

Download
memory/3536-71-0x00007FFA99530000-0x00007FFA99540000-memory.dmp

Filesize
64KB

Download
memory/3536-72-0x00007FFA99530000-0x00007FFA99540000-memory.dmp

Filesize
64KB

Download
memory/3536-74-0x00007FFA99530000-0x00007FFA99540000-memory.dmp

Filesize
64KB

Download
memory/3536-75-0x00007FFA99530000-0x00007FFA99540000-memory.dmp

Filesize
64KB

Download
memory/3552-61-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/3552-70-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/3552-69-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/3552-68-0x0000000006820000-0x0000000006886000-memory.dmp

Filesize
408KB

Download
memory/3552-67-0x0000000006780000-0x000000000681C000-memory.dmp

Filesize
624KB

Download
memory/3552-64-0x00000000055D0000-0x00000000055DA000-memory.dmp

Filesize
40KB

Download
memory/3552-63-0x00000000055E0000-0x0000000005672000-memory.dmp

Filesize
584KB

Download
memory/3552-62-0x00000000059B0000-0x0000000005F54000-memory.dmp

Filesize
5.6MB

Download
memory/3552-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3552-59-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download