asyncrat | ae36b5486b5f95cb451985cf270963956822bbfaded42c35da3abced9bff2f3d

Analysis

max time kernel
120s
max time network
116s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06-08-2024 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce0eb5168feda8b72aa9cbfe311378e0N.exe
Size

63KB
MD5

ce0eb5168feda8b72aa9cbfe311378e0
SHA1

18248cf6a415bc816b0a983b3dd74da7a9ee9023
SHA256

ae36b5486b5f95cb451985cf270963956822bbfaded42c35da3abced9bff2f3d
SHA512

5a2fa589276afcac414ebb0424f1a56bdeb28cd8999f8902c81083961eecfd7b13639df67f52375c32fc7b5e616724baa79b722508414db5e7d12e1af4268013
SSDEEP

768:iK7epXkjhxfm785YC8A+Xz2peyr61urX1+T4uoSBGHmDbDTph0oXI9tBE9SuQdph:NDhxf8Qn0tYUbJh94ZuQdpqKmY7

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

and-statements.gl.at.ply.gg:43442

Attributes

delay
1
install
true
install_file
test.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00080000000120fe-15.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2632	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3036	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1824	ce0eb5168feda8b72aa9cbfe311378e0N.exe
1824	ce0eb5168feda8b72aa9cbfe311378e0N.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe
2632	test.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1824	ce0eb5168feda8b72aa9cbfe311378e0N.exe
Token: SeDebugPrivilege	1824	ce0eb5168feda8b72aa9cbfe311378e0N.exe
Token: SeDebugPrivilege	2632	test.exe
Token: SeDebugPrivilege	2632	test.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 668	1824	ce0eb5168feda8b72aa9cbfe311378e0N.exe	29
PID 1824 wrote to memory of 668	1824	ce0eb5168feda8b72aa9cbfe311378e0N.exe	29
PID 1824 wrote to memory of 668	1824	ce0eb5168feda8b72aa9cbfe311378e0N.exe	29
PID 1824 wrote to memory of 2784	1824	ce0eb5168feda8b72aa9cbfe311378e0N.exe	31
PID 1824 wrote to memory of 2784	1824	ce0eb5168feda8b72aa9cbfe311378e0N.exe	31
PID 1824 wrote to memory of 2784	1824	ce0eb5168feda8b72aa9cbfe311378e0N.exe	31
PID 2784 wrote to memory of 3036	2784	cmd.exe	33
PID 2784 wrote to memory of 3036	2784	cmd.exe	33
PID 2784 wrote to memory of 3036	2784	cmd.exe	33
PID 668 wrote to memory of 2596	668	cmd.exe	34
PID 668 wrote to memory of 2596	668	cmd.exe	34
PID 668 wrote to memory of 2596	668	cmd.exe	34
PID 2784 wrote to memory of 2632	2784	cmd.exe	35
PID 2784 wrote to memory of 2632	2784	cmd.exe	35
PID 2784 wrote to memory of 2632	2784	cmd.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ce0eb5168feda8b72aa9cbfe311378e0N.exe
"C:\Users\Admin\AppData\Local\Temp\ce0eb5168feda8b72aa9cbfe311378e0N.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "test" /tr '"C:\Users\Admin\AppData\Local\Temp\test.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "test" /tr '"C:\Users\Admin\AppData\Local\Temp\test.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2596
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEB39.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3036
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
63KB

MD5
ce0eb5168feda8b72aa9cbfe311378e0

SHA1
18248cf6a415bc816b0a983b3dd74da7a9ee9023

SHA256
ae36b5486b5f95cb451985cf270963956822bbfaded42c35da3abced9bff2f3d

SHA512
5a2fa589276afcac414ebb0424f1a56bdeb28cd8999f8902c81083961eecfd7b13639df67f52375c32fc7b5e616724baa79b722508414db5e7d12e1af4268013

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB39.tmp.bat

Filesize
151B

MD5
959a8174ae7fe590c2e11756d8661176

SHA1
30abaf46b7c84c5971de06724e543220503459ce

SHA256
e4a8134936ab30296c9764398025183e3e87498ced50e321ed1058890f0fc27f

SHA512
36878ea60bf6f2b57834b392dc765dd557737a654a73a72531e6d798fae2dc161383c02d060951112f85a530a4e44ba80ea2f6e2267fe2b121cbd538eb4189ca

Download Submit
memory/1824-0-0x000007FEF64A3000-0x000007FEF64A4000-memory.dmp

Filesize
4KB

Download
memory/1824-1-0x0000000000B90000-0x0000000000BA6000-memory.dmp

Filesize
88KB

Download
memory/1824-2-0x000007FEF64A0000-0x000007FEF6E8C000-memory.dmp

Filesize
9.9MB

Download
memory/1824-3-0x000007FEF64A0000-0x000007FEF6E8C000-memory.dmp

Filesize
9.9MB

Download
memory/1824-13-0x000007FEF64A0000-0x000007FEF6E8C000-memory.dmp

Filesize
9.9MB

Download
memory/2632-17-0x0000000000F30000-0x0000000000F46000-memory.dmp

Filesize
88KB

Download