asyncrat | de3e68021cc2c807e4c0297ab277396acd8a8939031bab33a7b72323b90f3f81

General

Target

AsyncClient.exe
Size

45KB
MD5

26e9b2f985b2680cf1a1881bd5e23b4e
SHA1

8af6aa09c15ac2947666a6f8778f75da4bfbcb1c
SHA256

de3e68021cc2c807e4c0297ab277396acd8a8939031bab33a7b72323b90f3f81
SHA512

964803e4a82111ee7fd3648b9fc1d3d3260a43f2282d27ed4789f90060a8f240bece4712ee9c74004a5b7b1bd91fbce90c13709269d3e07b27c360e039aef7da
SSDEEP

768:KuETKT0k3qXWUrV6e1mo2qyIQKjPGaG6PIyzjbFgX3ilHt7MPbCiMGYkZaOwpo4+:KuETKT0cE2/1KTkDy3bCXSRt7AmGYmau

Score

10^/10

asyncrat realxworm discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

realxworm

C2

147.185.221.20:9835

147.185.221.20:18563

Mutex

eCCoCTFPGVfF

Attributes

delay
3
install
true
install_file
ToiletRizz.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000c00000001da30-12.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	AsyncClient.exe

Executes dropped EXE 1 IoCs

pid	Process
1812	ToiletRizz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ToiletRizz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3304	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2104	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1812	ToiletRizz.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe
5000	AsyncClient.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5000	AsyncClient.exe
Token: SeDebugPrivilege	1812	ToiletRizz.exe
Token: SeDebugPrivilege	1812	ToiletRizz.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1812	ToiletRizz.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 2776	5000	AsyncClient.exe	88
PID 5000 wrote to memory of 2776	5000	AsyncClient.exe	88
PID 5000 wrote to memory of 2776	5000	AsyncClient.exe	88
PID 5000 wrote to memory of 1520	5000	AsyncClient.exe	90
PID 5000 wrote to memory of 1520	5000	AsyncClient.exe	90
PID 5000 wrote to memory of 1520	5000	AsyncClient.exe	90
PID 2776 wrote to memory of 2104	2776	cmd.exe	92
PID 2776 wrote to memory of 2104	2776	cmd.exe	92
PID 2776 wrote to memory of 2104	2776	cmd.exe	92
PID 1520 wrote to memory of 3304	1520	cmd.exe	93
PID 1520 wrote to memory of 3304	1520	cmd.exe	93
PID 1520 wrote to memory of 3304	1520	cmd.exe	93
PID 1520 wrote to memory of 1812	1520	cmd.exe	94
PID 1520 wrote to memory of 1812	1520	cmd.exe	94
PID 1520 wrote to memory of 1812	1520	cmd.exe	94
PID 1812 wrote to memory of 1068	1812	ToiletRizz.exe	107
PID 1812 wrote to memory of 1068	1812	ToiletRizz.exe	107
PID 1812 wrote to memory of 1068	1812	ToiletRizz.exe	107
PID 1068 wrote to memory of 5076	1068	csc.exe	109
PID 1068 wrote to memory of 5076	1068	csc.exe	109
PID 1068 wrote to memory of 5076	1068	csc.exe	109

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ToiletRizz" /tr '"C:\Users\Admin\AppData\Roaming\ToiletRizz.exe"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "ToiletRizz" /tr '"C:\Users\Admin\AppData\Roaming\ToiletRizz.exe"'
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8C04.tmp.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3304
- - C:\Users\Admin\AppData\Roaming\ToiletRizz.exe
    "C:\Users\Admin\AppData\Roaming\ToiletRizz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kawtoydw\kawtoydw.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25DD.tmp" "c:\Users\Admin\AppData\Local\Temp\kawtoydw\CSCCF1C920C454D424794575797765DEB30.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES25DD.tmp

Filesize
1KB

MD5
17425c905456e18bba30a54b06b322ef

SHA1
fca26f17ad5bc2b33130fbb0630646d2176e5fde

SHA256
3ee93fed8310ec4a3d130fbaa1ba60767dedbf72f6b97e759769fd288d8740ac

SHA512
a9ff6d0e303561d35585594d78247c196b5b103fd603d53e44eed4c68a3ca3202e8f33abcb75fc11f7dfad74075845c39948b33f082f899714ba6052e5a1189b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kawtoydw\kawtoydw.exe

Filesize
3KB

MD5
808e93838c71cfb461ded6266acf868e

SHA1
d62c4254665b415ad34e727ed667143e5f0a2f78

SHA256
bcdabfbaf20209d7a88575a9e93aa53a7d03ad1225c9888c43c94d45e7579fc7

SHA512
c4678890fff8a99520558c94e0db500427da09f82aa9c5e1dccc9e183a0acb9b55404e1452ea7bd20c2dbb60cf3609aa04ceb5829d6966b38891b73f65e2f5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C04.tmp.bat

Filesize
154B

MD5
5efc8770cc3a274c26e75336d3afd794

SHA1
4e33a732c7da89706fd7dc3a669de42ab4d338f4

SHA256
a6f98c2d77f1f2290e1998ebda45a28787b2ac5ff86a137db330eff02e841d74

SHA512
46d146af85c0351cc4db46f8ea7ee444cc82adf6c49e20245a7c05937b685dcfc0134e12ca6e5eed434de0f9910be26dcb0f85ba81222a9cd9334653d8948b8d

Download Submit
C:\Users\Admin\AppData\Roaming\ToiletRizz.exe

Filesize
45KB

MD5
26e9b2f985b2680cf1a1881bd5e23b4e

SHA1
8af6aa09c15ac2947666a6f8778f75da4bfbcb1c

SHA256
de3e68021cc2c807e4c0297ab277396acd8a8939031bab33a7b72323b90f3f81

SHA512
964803e4a82111ee7fd3648b9fc1d3d3260a43f2282d27ed4789f90060a8f240bece4712ee9c74004a5b7b1bd91fbce90c13709269d3e07b27c360e039aef7da

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kawtoydw\CSCCF1C920C454D424794575797765DEB30.TMP

Filesize
1KB

MD5
e6a53f52cb13ae030067252745b729dd

SHA1
6919b4f4206a693866617036c2785ea239f6bbe5

SHA256
dc78b81465b077f57f3405e2857f620976089c1868c8e267a111e767ee68f993

SHA512
c6c8152725f2ca5b89a285d68b7614c52dd9daca26aab304951bcfdb7884614f6d90399004397345ae834fcdea5408c92c7073bb8855cd09aa66fbca3e8b2140

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kawtoydw\kawtoydw.0.cs

Filesize
346B

MD5
7db88fe66d13c508fa27f54cf0628f5e

SHA1
9643e268c3b79d11ddbb139376242f1be72fbc07

SHA256
ca3a1339317ac93d066a57d2a3c587e4b4ab0fa826fb9170d2d04644e5e24196

SHA512
d4064b39edd533eab962dbcf86c8c6039bfddc2fad4c0b997a5ee725c112b54e11d82617cbf7a229edadd601006736010acb9277c1581c2576efbc6c985ad6ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kawtoydw\kawtoydw.cmdline

Filesize
334B

MD5
1ac6f5d73931da6bf09eab45a3ec083f

SHA1
5028208df3dd6814e5ed883a832edb4d844e630f

SHA256
9e79a4f89a361d9c552b3731fa5e3087bcf0a24fbcf253e5721c2df6859cb690

SHA512
1296fe9a88cf61b60dbc2f71aa0747b206328c206ade11cf2a8cfc6b012f1ea593b649fab489c26dacc0232f3ce6621356030ab8058ada8ed4b1a4389dc1f004

Download Submit
memory/1812-18-0x00000000063E0000-0x00000000063FE000-memory.dmp

Filesize
120KB

Download
memory/1812-20-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/1812-15-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/1812-16-0x0000000006350000-0x00000000063C6000-memory.dmp

Filesize
472KB

Download
memory/1812-17-0x00000000062D0000-0x0000000006338000-memory.dmp

Filesize
416KB

Download
memory/1812-14-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/1812-19-0x00000000067D0000-0x0000000006862000-memory.dmp

Filesize
584KB

Download
memory/1812-37-0x00000000069B0000-0x00000000069B8000-memory.dmp

Filesize
32KB

Download
memory/1812-21-0x0000000006900000-0x0000000006978000-memory.dmp

Filesize
480KB

Download
memory/1812-22-0x0000000006C80000-0x0000000006CE2000-memory.dmp

Filesize
392KB

Download
memory/1812-23-0x0000000006200000-0x000000000620A000-memory.dmp

Filesize
40KB

Download
memory/1812-24-0x0000000006F50000-0x0000000006FE2000-memory.dmp

Filesize
584KB

Download
memory/1812-40-0x0000000007120000-0x0000000007182000-memory.dmp

Filesize
392KB

Download
memory/1812-39-0x00000000070C0000-0x0000000007124000-memory.dmp

Filesize
400KB

Download
memory/5000-0-0x000000007504E000-0x000000007504F000-memory.dmp

Filesize
4KB

Download
memory/5000-2-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/5000-1-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/5000-3-0x0000000005040000-0x00000000050A6000-memory.dmp

Filesize
408KB

Download
memory/5000-4-0x00000000054C0000-0x000000000555C000-memory.dmp

Filesize
624KB

Download
memory/5000-9-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads