asyncrat | 7caa89af07680e877b3bdef6b354687b3540dffe556ad9e8797f111aff3b784a

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Shellbag anylizer.exe
Size

237KB
MD5

52eb3517bc8917d50d5426bece8fe91c
SHA1

155edb28b839902d53051e3d3e442896a6ca54e0
SHA256

7caa89af07680e877b3bdef6b354687b3540dffe556ad9e8797f111aff3b784a
SHA512

de247dbb553d7bd910c01abf8a26c675d2fac68bdd64b7d6539d91940f35aef9ed913a150d9b7153f44ad3c23056461b8d92b50ccf841f93a09e0f57f3e75096
SSDEEP

6144:PJLbLwF9kfK8rpClz0KBb6o589GHWHWujiSPbQ:PJdgBuj/Ps

Score

10^/10

asyncrat stealerium default collection credential_access discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

Attributes

delay
1
install
true
install_file
update.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/m5mgzzdQ

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000400000001e794-11.dat	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Shellbag anylizer.exe

Executes dropped EXE 1 IoCs

pid	Process
1088	update.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
17	pastebin.com
18	pastebin.com
19	0.tcp.eu.ngrok.io

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	icanhazip.com
45	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3016	cmd.exe
3980	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	update.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4948	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
928	Shellbag anylizer.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe
1088	update.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	928	Shellbag anylizer.exe
Token: SeDebugPrivilege	928	Shellbag anylizer.exe
Token: SeDebugPrivilege	1088	update.exe
Token: SeDebugPrivilege	1088	update.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 436	928	Shellbag anylizer.exe	87
PID 928 wrote to memory of 436	928	Shellbag anylizer.exe	87
PID 928 wrote to memory of 2612	928	Shellbag anylizer.exe	88
PID 928 wrote to memory of 2612	928	Shellbag anylizer.exe	88
PID 2612 wrote to memory of 4948	2612	cmd.exe	91
PID 2612 wrote to memory of 4948	2612	cmd.exe	91
PID 436 wrote to memory of 3504	436	cmd.exe	92
PID 436 wrote to memory of 3504	436	cmd.exe	92
PID 2612 wrote to memory of 1088	2612	cmd.exe	93
PID 2612 wrote to memory of 1088	2612	cmd.exe	93
PID 1088 wrote to memory of 3016	1088	update.exe	97
PID 1088 wrote to memory of 3016	1088	update.exe	97
PID 3016 wrote to memory of 1228	3016	cmd.exe	99
PID 3016 wrote to memory of 1228	3016	cmd.exe	99
PID 3016 wrote to memory of 3980	3016	cmd.exe	100
PID 3016 wrote to memory of 3980	3016	cmd.exe	100
PID 3016 wrote to memory of 2636	3016	cmd.exe	101
PID 3016 wrote to memory of 2636	3016	cmd.exe	101
PID 1088 wrote to memory of 4600	1088	update.exe	102
PID 1088 wrote to memory of 4600	1088	update.exe	102
PID 4600 wrote to memory of 2648	4600	cmd.exe	104
PID 4600 wrote to memory of 2648	4600	cmd.exe	104
PID 4600 wrote to memory of 2468	4600	cmd.exe	105
PID 4600 wrote to memory of 2468	4600	cmd.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.exe

C:\Users\Admin\AppData\Local\Temp\Shellbag anylizer.exe
"C:\Users\Admin\AppData\Local\Temp\Shellbag anylizer.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA306.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4948
- - C:\Users\Admin\AppData\Roaming\update.exe
    "C:\Users\Admin\AppData\Roaming\update.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:1088
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1228
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3980
    - - C:\Windows\system32\findstr.exe
        
        findstr All
        5⤵
        
        PID:2636
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4600
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2648
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA306.tmp.bat

Filesize
150B

MD5
a9a93497fafd1b642088668d7c7296f6

SHA1
63803728d22c1893b37a983fb240733bc2dedb9b

SHA256
402c07bb0059a02e564bba45d5686f324b87680cbe0a34011bd402eef20f7ab9

SHA512
dd688cda336a726c5baac04eee193f5d29e35f8c619cfe6ca8ebb2fabdc97a837ea68f554baaa18afddd18988ed59a1abd4a2cce88dca2093971790440e4b065

Download Submit
C:\Users\Admin\AppData\Local\f18aec123e3ad2eb82bba9f759abe055\Admin@PVMNUDVD_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\f18aec123e3ad2eb82bba9f759abe055\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
2KB

MD5
d0a631e6cbd68a15ac5afaef65f7f810

SHA1
37ab17dc205ed0d52bab4e12f94ce64cfab9524e

SHA256
6370f8a572dae0351e6c5d86551296fb13c52c148ac3068e33e57b85c98808ac

SHA512
46dbc471463d8fdebe99f0deadf033f916afea233240ac5d8e221ef7beffab052748804d51d6cb19b8713654057e8718f8891b2503801fae4b6126387c9aa6d5

Download Submit
C:\Users\Admin\AppData\Local\f18aec123e3ad2eb82bba9f759abe055\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
3KB

MD5
2a225254258d84e33d2d94e6736f2663

SHA1
ded423db95431823a1bfbacd125e75f9a1bd170d

SHA256
fadb9fbb9812eda37cc7e1c5dd6c81925a9da913a51d465bb81edcc8de948fee

SHA512
c07524bdf830063c95524c13f5a968495d16f7eec90067fe9efe71c798d6aed3dcb49907f07c4090bc1589f0a9b2ff9493f74113b3965f27aba0ef763f6e93ba

Download Submit
C:\Users\Admin\AppData\Local\f18aec123e3ad2eb82bba9f759abe055\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
4KB

MD5
ec644e66bfccf84a004e7c553afcd9e8

SHA1
b08a63646b92cb6a81473d93fbdf8d9686483089

SHA256
25ad52be8480a2dbbcaef2d91c32822cce6e8d30866cc4fc2a26c33c965cd28e

SHA512
bca116b551e7cea2746b700f49000117162de5c0e840f6de75cce59c6a843ab1fee270029c12a87f8c5b22d32d7d5d6bf3038cd09a212e257b1509e2d5c43f92

Download Submit
C:\Users\Admin\AppData\Local\f18aec123e3ad2eb82bba9f759abe055\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1KB

MD5
a87f1739c4959829586212d2614d4b5c

SHA1
09189e1cb099b2bef132bc7206ae6085f404bc58

SHA256
1a6a9c15781cbecf836bfd3d81c6ec3408f606c69d2aaa9c2101c17933f7434c

SHA512
20117bdd6bf4768b3c2030caa68a0eea18ae4de5315fabbb572e7a83066eb196cc748d4f74c62418ea4a1b1b3e5df09a6b650b58b836820ad46b2f46361f427e

Download Submit
C:\Users\Admin\AppData\Local\f18aec123e3ad2eb82bba9f759abe055\Admin@PVMNUDVD_en-US\System\Process.txt

Filesize
1KB

MD5
ac2751b0e505c176dbc4a80277cff490

SHA1
f16863ba7913f5b9805205324e6ddecf8fddf312

SHA256
7c2ac5f0d0ad4433a7a763da679dae7d946f1370755b743ff2891b973b306532

SHA512
5b116daff20096e45a819564ff74edd0a9b3f4e46e7357e54846e596fbf754dc9adaa0c13b0c5888d6fe71e25b3b0f1c5fec5ad04aa07de66a28e41bc60a24f3

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe

Filesize
237KB

MD5
52eb3517bc8917d50d5426bece8fe91c

SHA1
155edb28b839902d53051e3d3e442896a6ca54e0

SHA256
7caa89af07680e877b3bdef6b354687b3540dffe556ad9e8797f111aff3b784a

SHA512
de247dbb553d7bd910c01abf8a26c675d2fac68bdd64b7d6539d91940f35aef9ed913a150d9b7153f44ad3c23056461b8d92b50ccf841f93a09e0f57f3e75096

Download Submit
memory/928-8-0x00007FF999440000-0x00007FF999F01000-memory.dmp

Filesize
10.8MB

Download
memory/928-2-0x00007FF999440000-0x00007FF999F01000-memory.dmp

Filesize
10.8MB

Download
memory/928-7-0x00007FF999440000-0x00007FF999F01000-memory.dmp

Filesize
10.8MB

Download
memory/928-0-0x0000000000E40000-0x0000000000E82000-memory.dmp

Filesize
264KB

Download
memory/928-1-0x00007FF999443000-0x00007FF999445000-memory.dmp

Filesize
8KB

Download
memory/1088-13-0x000000001DC30000-0x000000001DCA6000-memory.dmp

Filesize
472KB

Download
memory/1088-21-0x0000000002DD0000-0x0000000002DDA000-memory.dmp

Filesize
40KB

Download
memory/1088-16-0x000000001E150000-0x000000001E2D8000-memory.dmp

Filesize
1.5MB

Download
memory/1088-15-0x000000001DBB0000-0x000000001DBCE000-memory.dmp

Filesize
120KB

Download
memory/1088-14-0x000000001B760000-0x000000001B794000-memory.dmp

Filesize
208KB

Download
memory/1088-166-0x0000000001240000-0x00000000012BA000-memory.dmp

Filesize
488KB

Download
memory/1088-201-0x00000000012E0000-0x00000000012FC000-memory.dmp

Filesize
112KB

Download
memory/1088-202-0x000000001C100000-0x000000001C132000-memory.dmp

Filesize
200KB

Download