asyncrat | ebbb1bcaa8c10a142bc149726fac6e4d235075dfd4acb33c83d419eba5b8f030

Resubmissions

02-08-2024 15:17

240802-sn8zwayhnm 10

Analysis

max time kernel
150s
max time network
154s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
02-08-2024 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

testoutput.exe
Size

330KB
MD5

04896d586dfa7f3fabaa68ce99f54c03
SHA1

c2b1f452639879f593ff79837d6eb659f98ec329
SHA256

ebbb1bcaa8c10a142bc149726fac6e4d235075dfd4acb33c83d419eba5b8f030
SHA512

53eb676b95a94911546ff3a54195cd84fb0e618d161d7a5c0394df55e876cc8a04c39c403b9eb49ebfe89d666c670f750fd49918cfa621ea2458943487801de4
SSDEEP

3072:EKG/7z3B2pKDYGq7KIBBwRjH6Ee8jS9ujgrhfJkApfEX/UvpvwmBB3YXYSHXce:EVHB2FWIkeEBj9jClJk0fsUtJSHXc

Score

10^/10

asyncrat xworm default execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

and-statements.gl.at.ply.gg:43442

Attributes

delay
1
install
true
install_file
test124.exe
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

form-fly.gl.at.ply.gg:41810

Attributes

Install_directory
%Public%
install_file
discord.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001ab5f-10.dat	family_xworm
behavioral1/memory/4160-14-0x0000000000810000-0x0000000000854000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000900000001aa82-6.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4724	powershell.exe
3200	powershell.exe
4620	powershell.exe
2364	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	XClient.exe

Executes dropped EXE 6 IoCs

pid	Process
3196	Infected.exe
4160	XClient.exe
768	test124.exe
1904	discord.exe
1276	discord.exe
3228	discord.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Public\\discord.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4588	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1508	schtasks.exe
3732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3196	Infected.exe
3196	Infected.exe
3196	Infected.exe
3196	Infected.exe
3196	Infected.exe
3196	Infected.exe
3196	Infected.exe
3196	Infected.exe
3196	Infected.exe
3196	Infected.exe
3196	Infected.exe
3196	Infected.exe
3196	Infected.exe
3196	Infected.exe
3196	Infected.exe
3196	Infected.exe
3196	Infected.exe
3196	Infected.exe
3196	Infected.exe
4724	powershell.exe
4724	powershell.exe
4724	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
4620	powershell.exe
4620	powershell.exe
4620	powershell.exe
2364	powershell.exe
2364	powershell.exe
2364	powershell.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe
768	test124.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4160	XClient.exe
Token: SeDebugPrivilege	3196	Infected.exe
Token: SeDebugPrivilege	3196	Infected.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeIncreaseQuotaPrivilege	4724	powershell.exe
Token: SeSecurityPrivilege	4724	powershell.exe
Token: SeTakeOwnershipPrivilege	4724	powershell.exe
Token: SeLoadDriverPrivilege	4724	powershell.exe
Token: SeSystemProfilePrivilege	4724	powershell.exe
Token: SeSystemtimePrivilege	4724	powershell.exe
Token: SeProfSingleProcessPrivilege	4724	powershell.exe
Token: SeIncBasePriorityPrivilege	4724	powershell.exe
Token: SeCreatePagefilePrivilege	4724	powershell.exe
Token: SeBackupPrivilege	4724	powershell.exe
Token: SeRestorePrivilege	4724	powershell.exe
Token: SeShutdownPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeSystemEnvironmentPrivilege	4724	powershell.exe
Token: SeRemoteShutdownPrivilege	4724	powershell.exe
Token: SeUndockPrivilege	4724	powershell.exe
Token: SeManageVolumePrivilege	4724	powershell.exe
Token: 33	4724	powershell.exe
Token: 34	4724	powershell.exe
Token: 35	4724	powershell.exe
Token: 36	4724	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeIncreaseQuotaPrivilege	3200	powershell.exe
Token: SeSecurityPrivilege	3200	powershell.exe
Token: SeTakeOwnershipPrivilege	3200	powershell.exe
Token: SeLoadDriverPrivilege	3200	powershell.exe
Token: SeSystemProfilePrivilege	3200	powershell.exe
Token: SeSystemtimePrivilege	3200	powershell.exe
Token: SeProfSingleProcessPrivilege	3200	powershell.exe
Token: SeIncBasePriorityPrivilege	3200	powershell.exe
Token: SeCreatePagefilePrivilege	3200	powershell.exe
Token: SeBackupPrivilege	3200	powershell.exe
Token: SeRestorePrivilege	3200	powershell.exe
Token: SeShutdownPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeSystemEnvironmentPrivilege	3200	powershell.exe
Token: SeRemoteShutdownPrivilege	3200	powershell.exe
Token: SeUndockPrivilege	3200	powershell.exe
Token: SeManageVolumePrivilege	3200	powershell.exe
Token: 33	3200	powershell.exe
Token: 34	3200	powershell.exe
Token: 35	3200	powershell.exe
Token: 36	3200	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeIncreaseQuotaPrivilege	4620	powershell.exe
Token: SeSecurityPrivilege	4620	powershell.exe
Token: SeTakeOwnershipPrivilege	4620	powershell.exe
Token: SeLoadDriverPrivilege	4620	powershell.exe
Token: SeSystemProfilePrivilege	4620	powershell.exe
Token: SeSystemtimePrivilege	4620	powershell.exe
Token: SeProfSingleProcessPrivilege	4620	powershell.exe
Token: SeIncBasePriorityPrivilege	4620	powershell.exe
Token: SeCreatePagefilePrivilege	4620	powershell.exe
Token: SeBackupPrivilege	4620	powershell.exe
Token: SeRestorePrivilege	4620	powershell.exe
Token: SeShutdownPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeSystemEnvironmentPrivilege	4620	powershell.exe
Token: SeRemoteShutdownPrivilege	4620	powershell.exe
Token: SeUndockPrivilege	4620	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4160	XClient.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 3196	4980	testoutput.exe	71
PID 4980 wrote to memory of 3196	4980	testoutput.exe	71
PID 4980 wrote to memory of 4160	4980	testoutput.exe	72
PID 4980 wrote to memory of 4160	4980	testoutput.exe	72
PID 3196 wrote to memory of 4624	3196	Infected.exe	74
PID 3196 wrote to memory of 4624	3196	Infected.exe	74
PID 3196 wrote to memory of 1276	3196	Infected.exe	76
PID 3196 wrote to memory of 1276	3196	Infected.exe	76
PID 4624 wrote to memory of 3732	4624	cmd.exe	78
PID 4624 wrote to memory of 3732	4624	cmd.exe	78
PID 1276 wrote to memory of 4588	1276	cmd.exe	79
PID 1276 wrote to memory of 4588	1276	cmd.exe	79
PID 4160 wrote to memory of 4724	4160	XClient.exe	80
PID 4160 wrote to memory of 4724	4160	XClient.exe	80
PID 1276 wrote to memory of 768	1276	cmd.exe	83
PID 1276 wrote to memory of 768	1276	cmd.exe	83
PID 4160 wrote to memory of 3200	4160	XClient.exe	84
PID 4160 wrote to memory of 3200	4160	XClient.exe	84
PID 4160 wrote to memory of 4620	4160	XClient.exe	86
PID 4160 wrote to memory of 4620	4160	XClient.exe	86
PID 4160 wrote to memory of 2364	4160	XClient.exe	88
PID 4160 wrote to memory of 2364	4160	XClient.exe	88
PID 4160 wrote to memory of 1508	4160	XClient.exe	90
PID 4160 wrote to memory of 1508	4160	XClient.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\testoutput.exe
"C:\Users\Admin\AppData\Local\Temp\testoutput.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Roaming\Infected.exe
  "C:\Users\Admin\AppData\Roaming\Infected.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "test124" /tr '"C:\Users\Admin\AppData\Roaming\test124.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "test124" /tr '"C:\Users\Admin\AppData\Roaming\test124.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE119.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4588
  - - C:\Users\Admin\AppData\Roaming\test124.exe
      "C:\Users\Admin\AppData\Roaming\test124.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:768
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\discord.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2364
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord" /tr "C:\Users\Public\discord.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1508

C:\Users\Public\discord.exe
C:\Users\Public\discord.exe
1⤵
- Executes dropped EXE
PID:1904

C:\Users\Public\discord.exe
C:\Users\Public\discord.exe
1⤵
- Executes dropped EXE
PID:1276

C:\Users\Public\discord.exe
C:\Users\Public\discord.exe
1⤵
- Executes dropped EXE
PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\discord.exe.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
53b597c66b2e16c19c26196f2bb30e38

SHA1
7f95d8c80420cd18240563c98f10e44c784b2373

SHA256
8f793f93054056e9340472ea839e0b112a15f2d26e737314aa6f82b78e081157

SHA512
ba1c12675c764c80bdd2fb568648aee202dfe589fc50cf723d5c93541e1dc0794f250c3c433f6f3491968d3dae6abb180e45d6854ab1d43d774b4ab1b70ba9af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8bb1bfbc4bc1bcd31239f9b3d35b93f2

SHA1
2351e9f8c5fdb73d7e7cc1a8453043fcf4e2fcb8

SHA256
0258704c72d891e7942b8879a0347dc432b468bb7f12c6307e2a4634654e0eba

SHA512
50915400e734c39a9af142117479ddb032a5855e718236fc36d39fa718c826db6b3f8eee6412731e7164efeca9fa5ca88df3c2ae29653a4ba21804dbfe85a3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
36714f5f9ca060122d89e8e7ff102339

SHA1
7e83181dff892c48016d16da90acb7bf98684d25

SHA256
3f6ea6e3b26ca9a2e2b8a315838db6dc35154a7cf111c38d2710d6dbe428a5fe

SHA512
9e46f09831a399104a402783a236dc0a618342ee489a2459a92309e3ac31e5a45a9178ddb2500c8a52fcdd4ca31c8800bb5993b8ef3402b7bb94dfa9f56e2a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h4dzz2o4.2py.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE119.tmp.bat

Filesize
151B

MD5
ed2bc0616c8d718ce7365249aa59bc9c

SHA1
99e4882406018082285bcf2dcda39df6e080828a

SHA256
723e978dfb930314d20b74f7c3d9faf08ce97c9fb9dfa29a04d256403ad484e3

SHA512
617a88de594c40b18f9638a3051c0783b04891d5e81f24a8205dfb5683e74f2fbd3f73922316d64614a8526526420dd38e2f0ff3b9ff847e2e84f3482a63d296

Download Submit
C:\Users\Admin\AppData\Roaming\Infected.exe

Filesize
63KB

MD5
4ab63aeb8e93aa7784281b8692d25ff3

SHA1
877e3e2f4729438ffdf7bfae3c7c261111e9dc6a

SHA256
1b4ca2ea6683fa110a3409227361b8c29e00aa656ff197291b06105b36ec2fee

SHA512
3623a467a97627b9d43660e2cfc9ed0334e1544a4bc68f9f1cb9cdfe8f365728fbaf9a5eec85e257c8d767aa4ac058b7a0e2eb0e1177514cd8a53d67be008885

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
251KB

MD5
29880fdfd8b10f74d36f06ec4c8f1a6b

SHA1
ec270024271689267dc7e9403edfd86c40a9680b

SHA256
37592a9608faacaecffa81f02c20d90e7bfff12fdeaa2f25ef8dfbd6b9ea94b7

SHA512
293f2e11ed6afd0cbf5bbe8e0b7b8a496cfbf17f9fcc79ce0501f3b96bd9e983f87e4d1de00678c30b336f13b7a10db677a803b0fd95fdb41abe2662f85c0675

Download Submit
memory/3196-15-0x00007FFF49BA0000-0x00007FFF4A58C000-memory.dmp

Filesize
9.9MB

Download
memory/3196-13-0x0000000000AA0000-0x0000000000AB6000-memory.dmp

Filesize
88KB

Download
memory/3196-22-0x00007FFF49BA0000-0x00007FFF4A58C000-memory.dmp

Filesize
9.9MB

Download
memory/4160-16-0x00007FFF49BA0000-0x00007FFF4A58C000-memory.dmp

Filesize
9.9MB

Download
memory/4160-14-0x0000000000810000-0x0000000000854000-memory.dmp

Filesize
272KB

Download
memory/4160-21-0x00007FFF49BA0000-0x00007FFF4A58C000-memory.dmp

Filesize
9.9MB

Download
memory/4160-210-0x00007FFF49BA0000-0x00007FFF4A58C000-memory.dmp

Filesize
9.9MB

Download
memory/4160-212-0x00007FFF49BA0000-0x00007FFF4A58C000-memory.dmp

Filesize
9.9MB

Download
memory/4724-28-0x000001D7D41D0000-0x000001D7D41F2000-memory.dmp

Filesize
136KB

Download
memory/4724-31-0x000001D7EC990000-0x000001D7ECA06000-memory.dmp

Filesize
472KB

Download
memory/4980-0-0x00007FFF49BA3000-0x00007FFF49BA4000-memory.dmp

Filesize
4KB

Download
memory/4980-1-0x0000000000060000-0x00000000000B8000-memory.dmp

Filesize
352KB

Download