asyncrat | d384798424a3f0383bba222d070951f9ff5185358e6ff0f29bb6fa364a13c928

General

Target

DriverX11.exe
Size

45KB
MD5

d0c2b954f9e154b960c16b8c8d6ff8a3
SHA1

fe64f5d84baa760d01fe89a6850d3d6b1858fb8d
SHA256

d384798424a3f0383bba222d070951f9ff5185358e6ff0f29bb6fa364a13c928
SHA512

b0f101795c6032101d99bc3d9be83c01e2778d591949a5ae8b4f8396bd426043cdccd4746e510169c1cdc09d654cf3dfa71d6acee7438a675ba9c78e4204ad42
SSDEEP

768:Xues1TYQZ3VWU1Dmhbvmo2qj3KjGKG6PIyzjbFgX3i+CZSBFuDE1pdBmyviBDZPx:Xues1TYiwhN2yKYDy3bCXS+CZSBFAspk

Score

10^/10

asyncrat driverx11 rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DriverX11

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1604

88.248.18.120:6606

88.248.18.120:7707

88.248.18.120:8808

88.248.18.120:1604

Mutex

DriverX11

Attributes

delay
3
install
true
install_file
DriverX11.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000100000002aa68-11.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
3972	DriverX11.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4312	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2080	DriverX11.exe
2080	DriverX11.exe
2080	DriverX11.exe
2080	DriverX11.exe
2080	DriverX11.exe
2080	DriverX11.exe
2080	DriverX11.exe
2080	DriverX11.exe
2080	DriverX11.exe
2080	DriverX11.exe
2080	DriverX11.exe
2080	DriverX11.exe
2080	DriverX11.exe
2080	DriverX11.exe
2080	DriverX11.exe
2080	DriverX11.exe
2080	DriverX11.exe
2080	DriverX11.exe
2080	DriverX11.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	DriverX11.exe
Token: SeDebugPrivilege	3972	DriverX11.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 4692	2080	DriverX11.exe	82
PID 2080 wrote to memory of 4692	2080	DriverX11.exe	82
PID 2080 wrote to memory of 4692	2080	DriverX11.exe	82
PID 2080 wrote to memory of 4972	2080	DriverX11.exe	84
PID 2080 wrote to memory of 4972	2080	DriverX11.exe	84
PID 2080 wrote to memory of 4972	2080	DriverX11.exe	84
PID 4692 wrote to memory of 4664	4692	cmd.exe	86
PID 4692 wrote to memory of 4664	4692	cmd.exe	86
PID 4692 wrote to memory of 4664	4692	cmd.exe	86
PID 4972 wrote to memory of 4312	4972	cmd.exe	87
PID 4972 wrote to memory of 4312	4972	cmd.exe	87
PID 4972 wrote to memory of 4312	4972	cmd.exe	87
PID 4972 wrote to memory of 3972	4972	cmd.exe	88
PID 4972 wrote to memory of 3972	4972	cmd.exe	88
PID 4972 wrote to memory of 3972	4972	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\DriverX11.exe
"C:\Users\Admin\AppData\Local\Temp\DriverX11.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DriverX11" /tr '"C:\Users\Admin\AppData\Roaming\DriverX11.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "DriverX11" /tr '"C:\Users\Admin\AppData\Roaming\DriverX11.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB45C.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4312
- - C:\Users\Admin\AppData\Roaming\DriverX11.exe
    "C:\Users\Admin\AppData\Roaming\DriverX11.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DriverX11.exe.log

Filesize
522B

MD5
db9f45365506c49961bfaf3be1475ad2

SHA1
6bd7222f7b7e3e9685207cb285091c92728168e4

SHA256
3a8c487575696f7ace931dc220c85a47d33e0ead96aa9e47c705fee5dfac667a

SHA512
807028e2aed5b25b2d19ec4f09867746456de4e506c90c73e6730b35303511349a79ca0b9290509664edc0433d47e3fc7f2661534293ebb82185b1494da86a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB45C.tmp.bat

Filesize
153B

MD5
0fe53d35a36fea44bb5d4cb7e5c640dc

SHA1
1cc173a43ea8f8aef74151e21c335d97786e48b5

SHA256
cb28fc63e9df7e88823b71251e9c3af6023613e1e7fe7591c5756f231ead6def

SHA512
470250b88847f9b02de5421c4f9a0e1aa2328d00457e7daa701f40fa2987c8e8b7e8cb8b12eb3b2d24ebcc5dee91261f552700d474c71e63699265616b793094

Download Submit
C:\Users\Admin\AppData\Roaming\DriverX11.exe

Filesize
45KB

MD5
d0c2b954f9e154b960c16b8c8d6ff8a3

SHA1
fe64f5d84baa760d01fe89a6850d3d6b1858fb8d

SHA256
d384798424a3f0383bba222d070951f9ff5185358e6ff0f29bb6fa364a13c928

SHA512
b0f101795c6032101d99bc3d9be83c01e2778d591949a5ae8b4f8396bd426043cdccd4746e510169c1cdc09d654cf3dfa71d6acee7438a675ba9c78e4204ad42

Download Submit
memory/2080-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/2080-1-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/2080-2-0x0000000074EE0000-0x0000000075691000-memory.dmp

Filesize
7.7MB

Download
memory/2080-3-0x00000000059D0000-0x0000000005A6C000-memory.dmp

Filesize
624KB

Download
memory/2080-9-0x0000000074EE0000-0x0000000075691000-memory.dmp

Filesize
7.7MB

Download
memory/3972-14-0x0000000074EE0000-0x0000000075691000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads