asyncrat | 472819b55a8804b4d8787f5e45cc9b1aeb1026d5819f06e91bbc022d53ccae5c

Analysis

max time kernel
122s
max time network
147s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02-08-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe
Size

663KB
MD5

7b05be5398ce2cbc424d40b82b8bb4fe
SHA1

6c158dc6c7324e5b76bb9d89916261c778c23f63
SHA256

472819b55a8804b4d8787f5e45cc9b1aeb1026d5819f06e91bbc022d53ccae5c
SHA512

ddb856adf6ddf8d8f696b48a1b5d27584be742bc9f47e4bf07b0dca101be9afa598a087d7bc8e5dc9c0d515d0e7333093ef4c597bd8d3197a2e340caf9da8257
SSDEEP

12288:fU3929BC4rqhpqBHIA01a29EprIHAJp3UadAAHkR:fU89BNuhaoEprIHAJpkoAr

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

5.252.165.55:1986

Mutex

AsyncMutex_5SI8OkPnk

Attributes

delay
3
install
true
install_file
Notes.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2864	powershell.exe
1280	powershell.exe
1940	powershell.exe
2744	powershell.exe
2744	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1164	Notes.exe
2156	Notes.exe

Loads dropped DLL 1 IoCs

pid	Process
276	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2584 set thread context of 2688	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	37
PID 1164 set thread context of 2156	1164	Notes.exe	51

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Notes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Notes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2504	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2740	schtasks.exe
2684	schtasks.exe
884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2864	powershell.exe
2744	powershell.exe
2688	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe
2688	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe
2688	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe
1940	powershell.exe
1280	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2688	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	2156	Notes.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2744	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	31
PID 2584 wrote to memory of 2744	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	31
PID 2584 wrote to memory of 2744	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	31
PID 2584 wrote to memory of 2744	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	31
PID 2584 wrote to memory of 2864	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	33
PID 2584 wrote to memory of 2864	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	33
PID 2584 wrote to memory of 2864	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	33
PID 2584 wrote to memory of 2864	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	33
PID 2584 wrote to memory of 2740	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	35
PID 2584 wrote to memory of 2740	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	35
PID 2584 wrote to memory of 2740	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	35
PID 2584 wrote to memory of 2740	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	35
PID 2584 wrote to memory of 2688	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	37
PID 2584 wrote to memory of 2688	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	37
PID 2584 wrote to memory of 2688	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	37
PID 2584 wrote to memory of 2688	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	37
PID 2584 wrote to memory of 2688	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	37
PID 2584 wrote to memory of 2688	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	37
PID 2584 wrote to memory of 2688	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	37
PID 2584 wrote to memory of 2688	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	37
PID 2584 wrote to memory of 2688	2584	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	37
PID 2688 wrote to memory of 340	2688	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	38
PID 2688 wrote to memory of 340	2688	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	38
PID 2688 wrote to memory of 340	2688	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	38
PID 2688 wrote to memory of 340	2688	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	38
PID 2688 wrote to memory of 276	2688	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	40
PID 2688 wrote to memory of 276	2688	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	40
PID 2688 wrote to memory of 276	2688	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	40
PID 2688 wrote to memory of 276	2688	2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe	40
PID 340 wrote to memory of 2684	340	cmd.exe	42
PID 340 wrote to memory of 2684	340	cmd.exe	42
PID 340 wrote to memory of 2684	340	cmd.exe	42
PID 340 wrote to memory of 2684	340	cmd.exe	42
PID 276 wrote to memory of 2504	276	cmd.exe	43
PID 276 wrote to memory of 2504	276	cmd.exe	43
PID 276 wrote to memory of 2504	276	cmd.exe	43
PID 276 wrote to memory of 2504	276	cmd.exe	43
PID 276 wrote to memory of 1164	276	cmd.exe	44
PID 276 wrote to memory of 1164	276	cmd.exe	44
PID 276 wrote to memory of 1164	276	cmd.exe	44
PID 276 wrote to memory of 1164	276	cmd.exe	44
PID 1164 wrote to memory of 1280	1164	Notes.exe	45
PID 1164 wrote to memory of 1280	1164	Notes.exe	45
PID 1164 wrote to memory of 1280	1164	Notes.exe	45
PID 1164 wrote to memory of 1280	1164	Notes.exe	45
PID 1164 wrote to memory of 1940	1164	Notes.exe	47
PID 1164 wrote to memory of 1940	1164	Notes.exe	47
PID 1164 wrote to memory of 1940	1164	Notes.exe	47
PID 1164 wrote to memory of 1940	1164	Notes.exe	47
PID 1164 wrote to memory of 884	1164	Notes.exe	48
PID 1164 wrote to memory of 884	1164	Notes.exe	48
PID 1164 wrote to memory of 884	1164	Notes.exe	48
PID 1164 wrote to memory of 884	1164	Notes.exe	48
PID 1164 wrote to memory of 2156	1164	Notes.exe	51
PID 1164 wrote to memory of 2156	1164	Notes.exe	51
PID 1164 wrote to memory of 2156	1164	Notes.exe	51
PID 1164 wrote to memory of 2156	1164	Notes.exe	51
PID 1164 wrote to memory of 2156	1164	Notes.exe	51
PID 1164 wrote to memory of 2156	1164	Notes.exe	51
PID 1164 wrote to memory of 2156	1164	Notes.exe	51
PID 1164 wrote to memory of 2156	1164	Notes.exe	51
PID 1164 wrote to memory of 2156	1164	Notes.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZjHuIvPfp.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZjHuIvPfp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEFCB.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-08-02_7b05be5398ce2cbc424d40b82b8bb4fe_hiddentear.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Notes" /tr '"C:\Users\Admin\AppData\Roaming\Notes.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:340
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Notes" /tr '"C:\Users\Admin\AppData\Roaming\Notes.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpFF65.tmp.bat""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:276
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2504
  - - C:\Users\Admin\AppData\Roaming\Notes.exe
      "C:\Users\Admin\AppData\Roaming\Notes.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Notes.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZjHuIvPfp.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZjHuIvPfp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4347.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:884
    - - C:\Users\Admin\AppData\Roaming\Notes.exe
        
        "C:\Users\Admin\AppData\Roaming\Notes.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab6B24.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEFCB.tmp

Filesize
1KB

MD5
d1cca9e7937e166c7518437b2782cea8

SHA1
e5c6edb1371ce4a155816a5dd1eaf31774dcec1e

SHA256
560eebdba0863684169ee5066845265d68710d2a328b7a94692f4e721a926aeb

SHA512
3449f03fca271206e5cb04d04d753014e0c803e1e029699cf36ee6f2e6977c92fb3fa6fca14080c1c5797f1f6494790cb84af14abd03440341b51d288b9dcbf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF65.tmp.bat

Filesize
149B

MD5
00f926a13846bf1dcad6ebcd0e72aebb

SHA1
36002fce36e0af29c4682d9bcdefedbbf8a35c5a

SHA256
4a59f4f492c75f2b23ee4c23f1bce09a7e9d93068399797a7dd6a19240158169

SHA512
c9dfde218b0f3632c5bd56f454bb0d904895fb366f79432b1286721ff345ff38049c3e20ca6dd6a0809bdd7504e37d0755d71d302036b7b7ae0eca7126c96f8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3ce69514db56b8ef2a88d912ac68859e

SHA1
beeb99aa03a87e4ca74a1b6c0dc4c671fd7d9be1

SHA256
87fcf4e463cf79e6f43aa99706f56f7d6aea5b99a5ef8526c49d15fa6d5c7520

SHA512
955695a64f19de4975f1de87ffa73c95e029130129a114d3094e52846edffa2fb7688ab574a399076dab7526fce246bf149c131374d761b77217eaa91c91d878

Download Submit
\Users\Admin\AppData\Roaming\Notes.exe

Filesize
663KB

MD5
7b05be5398ce2cbc424d40b82b8bb4fe

SHA1
6c158dc6c7324e5b76bb9d89916261c778c23f63

SHA256
472819b55a8804b4d8787f5e45cc9b1aeb1026d5819f06e91bbc022d53ccae5c

SHA512
ddb856adf6ddf8d8f696b48a1b5d27584be742bc9f47e4bf07b0dca101be9afa598a087d7bc8e5dc9c0d515d0e7333093ef4c597bd8d3197a2e340caf9da8257

Download Submit
memory/1164-43-0x0000000000E90000-0x0000000000F38000-memory.dmp

Filesize
672KB

Download
memory/2156-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2156-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2156-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-30-0x0000000074E80000-0x000000007556E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-4-0x0000000000580000-0x000000000058E000-memory.dmp

Filesize
56KB

Download
memory/2584-3-0x00000000005A0000-0x00000000005B6000-memory.dmp

Filesize
88KB

Download
memory/2584-1-0x00000000009C0000-0x0000000000A68000-memory.dmp

Filesize
672KB

Download
memory/2584-5-0x0000000002070000-0x00000000020C4000-memory.dmp

Filesize
336KB

Download
memory/2584-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

Filesize
4KB

Download
memory/2584-2-0x0000000074E80000-0x000000007556E000-memory.dmp

Filesize
6.9MB

Download
memory/2688-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2688-29-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2688-28-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2688-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2688-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2688-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2688-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2688-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download