asyncrat | 2acf58b89e013558f70f7d432331cb926ea74093b1a0f7ff753779dd5aca45bb

General

Target

rat.exe
Size

48KB
MD5

fcf89ebf3f7353591c0784c354fb1ff0
SHA1

a4df86134af908d17c434fbfcdbe8452df1e0839
SHA256

2acf58b89e013558f70f7d432331cb926ea74093b1a0f7ff753779dd5aca45bb
SHA512

a974178f767d25958ed684997f12be01d3b536cb5ea07eb2380bec3e9b9dddf2a2db7183c665a5ca5402220bff4e301eb8f9448b8d83ae514af3efbd9987b76c
SSDEEP

768:Jok4oILg+k5+biSP/DaGTyiMb8YbegeiAA0FvvEgK/JCVVc6KN:JokXRomGwzbhPB01nkJCVVclN

Score

10^/10

asyncrat solara rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Solara

C2

legacysoud.duckdns.org:8848

Attributes

delay
1
install
true
install_file
bfsvc.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0026000000018f84-14.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2812	bfsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3056	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2084	rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	rat.exe
Token: SeDebugPrivilege	2812	bfsvc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2468	2084	rat.exe	29
PID 2084 wrote to memory of 2468	2084	rat.exe	29
PID 2084 wrote to memory of 2468	2084	rat.exe	29
PID 2084 wrote to memory of 2780	2084	rat.exe	31
PID 2084 wrote to memory of 2780	2084	rat.exe	31
PID 2084 wrote to memory of 2780	2084	rat.exe	31
PID 2780 wrote to memory of 3056	2780	cmd.exe	33
PID 2780 wrote to memory of 3056	2780	cmd.exe	33
PID 2780 wrote to memory of 3056	2780	cmd.exe	33
PID 2468 wrote to memory of 2784	2468	cmd.exe	34
PID 2468 wrote to memory of 2784	2468	cmd.exe	34
PID 2468 wrote to memory of 2784	2468	cmd.exe	34
PID 2780 wrote to memory of 2812	2780	cmd.exe	35
PID 2780 wrote to memory of 2812	2780	cmd.exe	35
PID 2780 wrote to memory of 2812	2780	cmd.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\rat.exe
"C:\Users\Admin\AppData\Local\Temp\rat.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "bfsvc" /tr '"C:\Users\Admin\AppData\Local\Temp\bfsvc.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "bfsvc" /tr '"C:\Users\Admin\AppData\Local\Temp\bfsvc.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2784
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp279D.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3056
- - C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
    "C:\Users\Admin\AppData\Local\Temp\bfsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bfsvc.exe

Filesize
48KB

MD5
fcf89ebf3f7353591c0784c354fb1ff0

SHA1
a4df86134af908d17c434fbfcdbe8452df1e0839

SHA256
2acf58b89e013558f70f7d432331cb926ea74093b1a0f7ff753779dd5aca45bb

SHA512
a974178f767d25958ed684997f12be01d3b536cb5ea07eb2380bec3e9b9dddf2a2db7183c665a5ca5402220bff4e301eb8f9448b8d83ae514af3efbd9987b76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp279D.tmp.bat

Filesize
152B

MD5
90274e98a6f9ede670d7ff512b6e1c52

SHA1
1b992c90bc82f95297775f3be8a55dff06b0bc68

SHA256
1420f694748253185ae8a960f02a81a07c6ca08f8d5196b7b43a108942a870ad

SHA512
76e7f929ad892ac8176f962d9b9fab638fab595fb088bbc04823f1a4688a4df1ca3ef3d9e1c14f17caeda51e2c18a216f7e1af3347cf0dcb7508add0e438f889

Download Submit
memory/2084-0-0x000007FEF5723000-0x000007FEF5724000-memory.dmp

Filesize
4KB

Download
memory/2084-1-0x0000000000F20000-0x0000000000F32000-memory.dmp

Filesize
72KB

Download
memory/2084-2-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-12-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-16-0x00000000013E0000-0x00000000013F2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads