asyncrat | a32ad92bc669d691f17c943761f30ebbdc17e85054595c648d78c1015ffcebb9

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
03-08-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MailAcessCheckerbyxRisky.exe
Size

10.4MB
MD5

0bfe538046352ebb0d7b5fcd50a287ad
SHA1

e76a0b5d42648df99604079af74931a333703ef3
SHA256

a32ad92bc669d691f17c943761f30ebbdc17e85054595c648d78c1015ffcebb9
SHA512

e938f69267ed773f26ec8b7d47d98b127c6f659ef04fde925484a1e755e20b435d61a2d3822274e23db48caaa1574c51ce3cb5c87c8c24109998bb0e0a58bfd2
SSDEEP

196608:+6JnRoCYJnksvvcHbMdYWSm2iLRoyru5Q2ZGe/QDbA0SnTbja57K4q6:FPoVJnpqi+6XySReIqHjaQ4q

Score

10^/10

asyncrat discovery evasion rat themida trojan

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Mutex

AsyncMutex_7SI8OkPnk

Attributes

delay
3
install
true
install_file
ContainerRuntime.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/Kb8rTgY7

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000b000000012266-23.dat	family_asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MailAcessCheckerbyxRisky.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MailAcessCheckerbyxRisky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MailAcessCheckerbyxRisky.exe

Executes dropped EXE 3 IoCs

pid	Process
1672	svchost.exe
2248	MailAcess Checker by xRisky.exe
2864	ContainerRuntime.exe

Loads dropped DLL 9 IoCs

pid	Process
1688	MailAcessCheckerbyxRisky.exe
1688	MailAcessCheckerbyxRisky.exe
2248	MailAcess Checker by xRisky.exe
2248	MailAcess Checker by xRisky.exe
2248	MailAcess Checker by xRisky.exe
2248	MailAcess Checker by xRisky.exe
2248	MailAcess Checker by xRisky.exe
2248	MailAcess Checker by xRisky.exe
2580	cmd.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1688-19-0x0000000000A10000-0x00000000019C8000-memory.dmp	themida
behavioral1/memory/1688-20-0x0000000000A10000-0x00000000019C8000-memory.dmp	themida
behavioral1/memory/1688-44-0x0000000000A10000-0x00000000019C8000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MailAcessCheckerbyxRisky.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1688	MailAcessCheckerbyxRisky.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ContainerRuntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcessCheckerbyxRisky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MailAcess Checker by xRisky.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2080	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
2864	ContainerRuntime.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	svchost.exe
Token: SeDebugPrivilege	2864	ContainerRuntime.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2864	ContainerRuntime.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1672	1688	MailAcessCheckerbyxRisky.exe	30
PID 1688 wrote to memory of 1672	1688	MailAcessCheckerbyxRisky.exe	30
PID 1688 wrote to memory of 1672	1688	MailAcessCheckerbyxRisky.exe	30
PID 1688 wrote to memory of 1672	1688	MailAcessCheckerbyxRisky.exe	30
PID 1688 wrote to memory of 2248	1688	MailAcessCheckerbyxRisky.exe	31
PID 1688 wrote to memory of 2248	1688	MailAcessCheckerbyxRisky.exe	31
PID 1688 wrote to memory of 2248	1688	MailAcessCheckerbyxRisky.exe	31
PID 1688 wrote to memory of 2248	1688	MailAcessCheckerbyxRisky.exe	31
PID 1672 wrote to memory of 792	1672	svchost.exe	32
PID 1672 wrote to memory of 792	1672	svchost.exe	32
PID 1672 wrote to memory of 792	1672	svchost.exe	32
PID 1672 wrote to memory of 792	1672	svchost.exe	32
PID 1672 wrote to memory of 2580	1672	svchost.exe	34
PID 1672 wrote to memory of 2580	1672	svchost.exe	34
PID 1672 wrote to memory of 2580	1672	svchost.exe	34
PID 1672 wrote to memory of 2580	1672	svchost.exe	34
PID 792 wrote to memory of 1916	792	cmd.exe	36
PID 792 wrote to memory of 1916	792	cmd.exe	36
PID 792 wrote to memory of 1916	792	cmd.exe	36
PID 792 wrote to memory of 1916	792	cmd.exe	36
PID 2580 wrote to memory of 2080	2580	cmd.exe	37
PID 2580 wrote to memory of 2080	2580	cmd.exe	37
PID 2580 wrote to memory of 2080	2580	cmd.exe	37
PID 2580 wrote to memory of 2080	2580	cmd.exe	37
PID 2580 wrote to memory of 2864	2580	cmd.exe	38
PID 2580 wrote to memory of 2864	2580	cmd.exe	38
PID 2580 wrote to memory of 2864	2580	cmd.exe	38
PID 2580 wrote to memory of 2864	2580	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\MailAcessCheckerbyxRisky.exe
"C:\Users\Admin\AppData\Local\Temp\MailAcessCheckerbyxRisky.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp254C.tmp.bat""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2080
  - - C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe
      "C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2864
- C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
  "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MailKit.dll

Filesize
787KB

MD5
ba0255f547fab7eed60863ad27d24c97

SHA1
a5d095ac3d746eb400a314317a88c215d78cc304

SHA256
5fd7f167bdf289ae48b9f0f68e63c07370427d4eb8436005a5859b5bba3a7d2b

SHA512
e672daa19be91d84e5f2e0124b0508faeb241c91c6515f687a55b20d8febb2e2360e695aaf2e1d252e9ed0d494f71087315199f7b43eb6fa13949484ee177ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp254C.tmp.bat

Filesize
160B

MD5
603d155bffec06ced5a7dd04c18d968f

SHA1
043a47e71666acb4e64b9b9e4e1182e923d07ef8

SHA256
f3b0b27df51a87416456a2859e2863ff174e1db30d561ed12214201f4cb28fdb

SHA512
ae31c4cbc102ef5d63b90718a5f42dd917aa05d702bb54ce1626305725934b43133dd855aee4c70cefdd980306facd61681f65351a677284b93f3633711cce30

Download Submit
\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe

Filesize
4.7MB

MD5
9f2beaa5ed3beba79c3e6b5f7a4b1246

SHA1
9e14e25d4045c45d2e856a73b300b3bdd008bce9

SHA256
4d97ed38044fe00d35f57d87102c56d07f411f081353b3ec77c22001aee65045

SHA512
560a1b877056176cc1e8c651da83ef4fd93e3029fb1ec8f8327ee04a971152e4d53f749d392830fbf31046ceb4d2527cc31632a677e7d95ab8b59250566926cf

Download Submit
\Users\Admin\AppData\Local\Temp\MetroSuite 2.0.dll

Filesize
305KB

MD5
0d30a398cec0ff006b6ea2b52d11e744

SHA1
4ceebd9c6180a321c4d4f3cfb5cfc3952bf72b45

SHA256
8604bf2a1fe2e94dc1ea1fbd0cf54e77303493b93994df48479dc683580aa654

SHA512
8e06ff131a81e73b1ff5de78262701a11ecc2bcdaf41011f4e96f11c5372742478e70b6a0901b61953c21c95725532af8d785654405ec5066ad157e2143467cc

Download Submit
\Users\Admin\AppData\Local\Temp\MimeKit.dll

Filesize
971KB

MD5
695ef3be6c2169067e0f1d9f7d99bc27

SHA1
24185ff27f8a64fb71abf29b8f1338492cd7c0c6

SHA256
78d4f282269afba07ba89d1434dc1c3f9c48097fc252e93cf94e493ac8c109fd

SHA512
b3c7d1cee7f6ae16d66caf1d39113c0b5fe1b7ac4fb813134450679c82a2d306293799efc66c4d2ffed703dbc3921136f3cb393c2c4452791c8681129c74ed36

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
61KB

MD5
89ae031a0e2f7f28576a63d3c100dcaf

SHA1
6b26dfe7e76fbc96109a4d0773593443277978df

SHA256
acaa87f43a617016d09caeb26c1e30d9e9fd069fcbe2165723f80a0056aaf6bf

SHA512
aea507c78832cca5bf4b7c16ac5ba9b4b87028d2a99fbd1ca535a6336952516ab74571475f2a074b89b9c12754a2979803a3aba74c7a326f2c70a8431a7010d6

Download Submit
memory/1672-67-0x0000000076A90000-0x0000000076BA0000-memory.dmp

Filesize
1.1MB

Download
memory/1672-58-0x0000000076A90000-0x0000000076BA0000-memory.dmp

Filesize
1.1MB

Download
memory/1672-29-0x0000000076A90000-0x0000000076BA0000-memory.dmp

Filesize
1.1MB

Download
memory/1672-28-0x0000000000B70000-0x0000000000B86000-memory.dmp

Filesize
88KB

Download
memory/1688-19-0x0000000000A10000-0x00000000019C8000-memory.dmp

Filesize
15.7MB

Download
memory/1688-43-0x0000000076A90000-0x0000000076BA0000-memory.dmp

Filesize
1.1MB

Download
memory/1688-4-0x0000000076A90000-0x0000000076BA0000-memory.dmp

Filesize
1.1MB

Download
memory/1688-14-0x0000000076A90000-0x0000000076BA0000-memory.dmp

Filesize
1.1MB

Download
memory/1688-13-0x0000000076A90000-0x0000000076BA0000-memory.dmp

Filesize
1.1MB

Download
memory/1688-18-0x0000000076A90000-0x0000000076BA0000-memory.dmp

Filesize
1.1MB

Download
memory/1688-0-0x0000000000A10000-0x00000000019C8000-memory.dmp

Filesize
15.7MB

Download
memory/1688-20-0x0000000000A10000-0x00000000019C8000-memory.dmp

Filesize
15.7MB

Download
memory/1688-6-0x0000000076A90000-0x0000000076BA0000-memory.dmp

Filesize
1.1MB

Download
memory/1688-7-0x0000000076A90000-0x0000000076BA0000-memory.dmp

Filesize
1.1MB

Download
memory/1688-8-0x0000000076A90000-0x0000000076BA0000-memory.dmp

Filesize
1.1MB

Download
memory/1688-9-0x0000000076A90000-0x0000000076BA0000-memory.dmp

Filesize
1.1MB

Download
memory/1688-44-0x0000000000A10000-0x00000000019C8000-memory.dmp

Filesize
15.7MB

Download
memory/1688-5-0x0000000076A90000-0x0000000076BA0000-memory.dmp

Filesize
1.1MB

Download
memory/1688-1-0x0000000076AA1000-0x0000000076AA2000-memory.dmp

Filesize
4KB

Download
memory/1688-10-0x0000000076A90000-0x0000000076BA0000-memory.dmp

Filesize
1.1MB

Download
memory/1688-2-0x0000000076A90000-0x0000000076BA0000-memory.dmp

Filesize
1.1MB

Download
memory/1688-3-0x0000000076A90000-0x0000000076BA0000-memory.dmp

Filesize
1.1MB

Download
memory/1688-11-0x0000000076A90000-0x0000000076BA0000-memory.dmp

Filesize
1.1MB

Download
memory/1688-12-0x0000000076A90000-0x0000000076BA0000-memory.dmp

Filesize
1.1MB

Download
memory/2248-53-0x0000000005080000-0x000000000517A000-memory.dmp

Filesize
1000KB

Download
memory/2248-57-0x0000000002340000-0x0000000002394000-memory.dmp

Filesize
336KB

Download
memory/2248-49-0x0000000004CC0000-0x0000000004D8C000-memory.dmp

Filesize
816KB

Download
memory/2248-45-0x00000000001B0000-0x000000000066E000-memory.dmp

Filesize
4.7MB

Download
memory/2864-72-0x0000000001330000-0x0000000001346000-memory.dmp

Filesize
88KB

Download