asyncrat | 7ad9611f4eae105eabc514ca347523bfa2b78df84cf150700548b9378a6fc9e8

General

Target

b4036abc4db97f5aaae8672f3f32d5d0N.exe
Size

47KB
MD5

b4036abc4db97f5aaae8672f3f32d5d0
SHA1

bdbfb245db7f59322b0a499b47e52a2a56170c41
SHA256

7ad9611f4eae105eabc514ca347523bfa2b78df84cf150700548b9378a6fc9e8
SHA512

2fdfe4d723d659886932eeb5b7e07ee0e0266be32ebea778543c2c83f7d034278eee3a6e1b31b84c0639f88b49dbc8bc8177113a18bebf5c72f870951782a70f
SSDEEP

768:EuEk9THvkHCWU0neImo2q8aIteX0IRi37IPIVUVw0bn5QmPWQpyCEzwSVT8BDZPx:EuEk9THc726oIRaBVUVbbn5QG9cjzwcu

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

196.87.121.175:6606

196.87.121.175:7707

196.87.121.175:8808

196.87.121.175:80

Mutex

0KVP9OnBTs5j

Attributes

delay
3
install
true
install_file
rttr.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023426-13.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	b4036abc4db97f5aaae8672f3f32d5d0N.exe

Executes dropped EXE 1 IoCs

pid	Process
5068	rttr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2088	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe
Token: SeDebugPrivilege	5068	rttr.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 4752	1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe	91
PID 1036 wrote to memory of 4752	1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe	91
PID 1036 wrote to memory of 4752	1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe	91
PID 1036 wrote to memory of 5064	1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe	93
PID 1036 wrote to memory of 5064	1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe	93
PID 1036 wrote to memory of 5064	1036	b4036abc4db97f5aaae8672f3f32d5d0N.exe	93
PID 4752 wrote to memory of 2396	4752	cmd.exe	95
PID 4752 wrote to memory of 2396	4752	cmd.exe	95
PID 4752 wrote to memory of 2396	4752	cmd.exe	95
PID 5064 wrote to memory of 2088	5064	cmd.exe	96
PID 5064 wrote to memory of 2088	5064	cmd.exe	96
PID 5064 wrote to memory of 2088	5064	cmd.exe	96
PID 5064 wrote to memory of 5068	5064	cmd.exe	98
PID 5064 wrote to memory of 5068	5064	cmd.exe	98
PID 5064 wrote to memory of 5068	5064	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\b4036abc4db97f5aaae8672f3f32d5d0N.exe
"C:\Users\Admin\AppData\Local\Temp\b4036abc4db97f5aaae8672f3f32d5d0N.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rttr" /tr '"C:\Users\Admin\AppData\Roaming\rttr.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "rttr" /tr '"C:\Users\Admin\AppData\Roaming\rttr.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB083.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2088
- - C:\Users\Admin\AppData\Roaming\rttr.exe
    "C:\Users\Admin\AppData\Roaming\rttr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB083.tmp.bat

Filesize
148B

MD5
30550ded4e25f9edfdd05a6f6d2ca5f4

SHA1
effc741d14c61c28f5a4b32092e6c53148872595

SHA256
ef354f048e4f0567e113528b867135317c4e6dd956603b15bfac9632ac9253b7

SHA512
d64e9e2ac5f278a3ede5c7eb139366c23b37a80b3ae5b8aebcb04585f614cae996d0997570400d05d54339cf14e3f6f1b21d7796a801c81254b9d90d99aada6e

Download Submit
C:\Users\Admin\AppData\Roaming\rttr.exe

Filesize
47KB

MD5
b4036abc4db97f5aaae8672f3f32d5d0

SHA1
bdbfb245db7f59322b0a499b47e52a2a56170c41

SHA256
7ad9611f4eae105eabc514ca347523bfa2b78df84cf150700548b9378a6fc9e8

SHA512
2fdfe4d723d659886932eeb5b7e07ee0e0266be32ebea778543c2c83f7d034278eee3a6e1b31b84c0639f88b49dbc8bc8177113a18bebf5c72f870951782a70f

Download Submit
memory/1036-0-0x000000007515E000-0x000000007515F000-memory.dmp

Filesize
4KB

Download
memory/1036-1-0x0000000000F60000-0x0000000000F72000-memory.dmp

Filesize
72KB

Download
memory/1036-2-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/1036-3-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/1036-4-0x0000000005D90000-0x0000000005E2C000-memory.dmp

Filesize
624KB

Download
memory/1036-9-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/5068-14-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/5068-15-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads