asyncrat | 589c8fa2d213b58ab009ff4caae02a61d4d60a6fa61567f208017fef136363a9

General

Target

0x000900000001562c-52.exe
Size

46KB
MD5

10b549c788d008fc48cccac97d0d41f5
SHA1

f0c723bb0c9123875a1a208e3ec46f4ec4108be0
SHA256

589c8fa2d213b58ab009ff4caae02a61d4d60a6fa61567f208017fef136363a9
SHA512

bc7f033012190ba6ccc2c76c4d32a1814bb4960d209d39edf5960f27b51f3e448b4ae0d26c8b68f3239eb499abfdc1bea2324fc3d7841ea1521c5f0c42f4df88
SSDEEP

768:bqjrtbXgQQDykOicvHk3eHlWMPbPgF0q9+SohzEBYI6OCy2tYcFmVc6KD:bBDyXvZH0ub4FroSolY6O3KmVclD

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

C2

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

Mutex

v5tvc5rc5ex77777

Attributes

delay
5
install
true
install_file
audiodvs.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2620	audiodvs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2840	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1756	0x000900000001562c-52.exe
1756	0x000900000001562c-52.exe
1756	0x000900000001562c-52.exe
2620	audiodvs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	0x000900000001562c-52.exe
Token: SeDebugPrivilege	2620	audiodvs.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2704	1756	0x000900000001562c-52.exe	31
PID 1756 wrote to memory of 2704	1756	0x000900000001562c-52.exe	31
PID 1756 wrote to memory of 2704	1756	0x000900000001562c-52.exe	31
PID 1756 wrote to memory of 2816	1756	0x000900000001562c-52.exe	33
PID 1756 wrote to memory of 2816	1756	0x000900000001562c-52.exe	33
PID 1756 wrote to memory of 2816	1756	0x000900000001562c-52.exe	33
PID 2816 wrote to memory of 2840	2816	cmd.exe	35
PID 2816 wrote to memory of 2840	2816	cmd.exe	35
PID 2816 wrote to memory of 2840	2816	cmd.exe	35
PID 2816 wrote to memory of 2620	2816	cmd.exe	36
PID 2816 wrote to memory of 2620	2816	cmd.exe	36
PID 2816 wrote to memory of 2620	2816	cmd.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0x000900000001562c-52.exe
"C:\Users\Admin\AppData\Local\Temp\0x000900000001562c-52.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'audiodvs"' /tr "'C:\Users\Admin\AppData\Roaming\audiodvs.exe"'
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2704
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE456.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2840
- - C:\Users\Admin\AppData\Roaming\audiodvs.exe
    "C:\Users\Admin\AppData\Roaming\audiodvs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE456.tmp.bat

Filesize
152B

MD5
47e6073f2c437e24f21b738a5919fd74

SHA1
5fcd71a253bcf91598de9716da4a84aee0f1d7ac

SHA256
bfbbcc94f6642fd245495dc28827c730e3b24d8b8842a515ee4c03dd20fafd61

SHA512
d8e9912983e13889aaab3cd2175366fe207a0f43402c32769f026403b33d2904b13bb2ba7416723b66ccf04ccd50cd8ffd089254ed55a5d87c14cf158018b117

Download Submit
C:\Users\Admin\AppData\Roaming\audiodvs.exe

Filesize
41.6MB

MD5
d30da65f809b183afbd2577162051772

SHA1
a6174554ce87a7a4c59655138985dcdac30a70f8

SHA256
d0938035495b7624f46286177001f7ea75e98ca181d6fbe010cd4f171039e54e

SHA512
f97cc1cb4cae7373827fa3acafca674f40232818d50bcafad1c09c906ef7f8bb4fd4e7c29369a7c908f475cc74f1360d26f6fe426d687d15e223a784560ca76d

Download Submit
memory/1756-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/1756-1-0x0000000000E20000-0x0000000000E32000-memory.dmp

Filesize
72KB

Download
memory/1756-2-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1756-12-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2620-16-0x0000000000A00000-0x0000000000A12000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads