asyncrat | 7d093e8382b6648ad18ae9e5a0e6b9daf7a752910a2e9793b5bdbf4b978e3582

General

Target

sds.exe
Size

286KB
MD5

bd95731e3dba8d4a8345285fa3afdde8
SHA1

cf1d9a1c331081bef7b7828f44a229b02df6c11f
SHA256

7d093e8382b6648ad18ae9e5a0e6b9daf7a752910a2e9793b5bdbf4b978e3582
SHA512

a376df158fdae1b1630ce73fd8d6414f5db9a52114de70b98eb261c85a47a3bcf598ad34306a47cbbfa179287d2cdf3f181cf21551bb05edc79300e6031b4cd0
SSDEEP

1536:ph/E2frZSld8GhOXzyWn0TWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWokWWWWWWWWWV:p5E2tcqDyA0Qn7H5rB2rPBc/KD0MHIV

Score

10^/10

asyncrat driverx11 rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DriverX11

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1604

88.248.18.120:6606

88.248.18.120:7707

88.248.18.120:8808

88.248.18.120:1604

Mutex

DriverX11

Attributes

delay
3
install
true
install_file
DriverX11.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000300000002a9a2-13.dat	family_asyncrat

Executes dropped EXE 2 IoCs

pid	Process
2432	DriverX11.exe
600	DriverX11.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4988	timeout.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings	sds.exe
Key created	\REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings	OpenWith.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1292	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2432	DriverX11.exe
2432	DriverX11.exe
2432	DriverX11.exe
2432	DriverX11.exe
2432	DriverX11.exe
2432	DriverX11.exe
2432	DriverX11.exe
2432	DriverX11.exe
2432	DriverX11.exe
2432	DriverX11.exe
2432	DriverX11.exe
2432	DriverX11.exe
2432	DriverX11.exe
2432	DriverX11.exe
2432	DriverX11.exe
2432	DriverX11.exe
2432	DriverX11.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	DriverX11.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4716	OpenWith.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 2432	784	sds.exe	78
PID 784 wrote to memory of 2432	784	sds.exe	78
PID 784 wrote to memory of 2432	784	sds.exe	78
PID 2432 wrote to memory of 4652	2432	DriverX11.exe	80
PID 2432 wrote to memory of 4652	2432	DriverX11.exe	80
PID 2432 wrote to memory of 4652	2432	DriverX11.exe	80
PID 2432 wrote to memory of 352	2432	DriverX11.exe	82
PID 2432 wrote to memory of 352	2432	DriverX11.exe	82
PID 2432 wrote to memory of 352	2432	DriverX11.exe	82
PID 352 wrote to memory of 4988	352	cmd.exe	84
PID 352 wrote to memory of 4988	352	cmd.exe	84
PID 352 wrote to memory of 4988	352	cmd.exe	84
PID 4652 wrote to memory of 1292	4652	cmd.exe	85
PID 4652 wrote to memory of 1292	4652	cmd.exe	85
PID 4652 wrote to memory of 1292	4652	cmd.exe	85
PID 352 wrote to memory of 600	352	cmd.exe	86
PID 352 wrote to memory of 600	352	cmd.exe	86
PID 352 wrote to memory of 600	352	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\sds.exe
"C:\Users\Admin\AppData\Local\Temp\sds.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:784
- C:\Users\Admin\AppData\Local\Temp\DriverX11.exe
  "C:\Users\Admin\AppData\Local\Temp\DriverX11.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DriverX11" /tr '"C:\Users\Admin\AppData\Roaming\DriverX11.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "DriverX11" /tr '"C:\Users\Admin\AppData\Roaming\DriverX11.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBD74.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:352
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4988
  - - C:\Users\Admin\AppData\Roaming\DriverX11.exe
      "C:\Users\Admin\AppData\Roaming\DriverX11.exe"
      4⤵
      Executes dropped EXE
      PID:600

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DriverX11.exe.log

Filesize
522B

MD5
db9f45365506c49961bfaf3be1475ad2

SHA1
6bd7222f7b7e3e9685207cb285091c92728168e4

SHA256
3a8c487575696f7ace931dc220c85a47d33e0ead96aa9e47c705fee5dfac667a

SHA512
807028e2aed5b25b2d19ec4f09867746456de4e506c90c73e6730b35303511349a79ca0b9290509664edc0433d47e3fc7f2661534293ebb82185b1494da86a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\DriverX11.exe

Filesize
45KB

MD5
d0c2b954f9e154b960c16b8c8d6ff8a3

SHA1
fe64f5d84baa760d01fe89a6850d3d6b1858fb8d

SHA256
d384798424a3f0383bba222d070951f9ff5185358e6ff0f29bb6fa364a13c928

SHA512
b0f101795c6032101d99bc3d9be83c01e2778d591949a5ae8b4f8396bd426043cdccd4746e510169c1cdc09d654cf3dfa71d6acee7438a675ba9c78e4204ad42

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD74.tmp.bat

Filesize
153B

MD5
8417791908a0ef2f4346a396aee95637

SHA1
f1294a3f6afad3745fe96fffecbeb81320c6681b

SHA256
19e6617c89e4e20d7fd419a1c272b5f793de7157e953393d92c2f4b4602be93a

SHA512
993174a61d287d5b10e3a3456d31bddf8bb72f14d6dfa075e1819a6e14abb2fb5e5e219ed882da370939a3956e61872b01a230f2f6b63912329cb07b12e85d26

Download Submit
memory/784-6-0x0000000005400000-0x0000000005456000-memory.dmp

Filesize
344KB

Download
memory/784-4-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/784-5-0x00000000051D0000-0x00000000051DA000-memory.dmp

Filesize
40KB

Download
memory/784-0-0x0000000074D7E000-0x0000000074D7F000-memory.dmp

Filesize
4KB

Download
memory/784-7-0x0000000074D70000-0x0000000075521000-memory.dmp

Filesize
7.7MB

Download
memory/784-3-0x00000000058C0000-0x0000000005E66000-memory.dmp

Filesize
5.6MB

Download
memory/784-2-0x0000000005110000-0x00000000051AC000-memory.dmp

Filesize
624KB

Download
memory/784-1-0x00000000007A0000-0x00000000007DE000-memory.dmp

Filesize
248KB

Download
memory/2432-20-0x00000000000F0000-0x0000000000102000-memory.dmp

Filesize
72KB

Download
memory/2432-22-0x0000000074D70000-0x0000000075521000-memory.dmp

Filesize
7.7MB

Download
memory/2432-27-0x0000000074D70000-0x0000000075521000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads