asyncrat | 9fde4361d7beadb8c11afed5b0518211740cef76ea03146e98a8337581e02f7e

Resubmissions

11-08-2024 01:31

240811-bxn8dsydpp 10

11-08-2024 01:29

240811-bwl2mssgld 10

Analysis

max time kernel
147s
max time network
156s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
11-08-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

buidl.exe
Size

63KB
MD5

9c2d4871014553f542534fce03805000
SHA1

cd44e0ee979718203d896fcc7dcb5cc5077eb721
SHA256

9fde4361d7beadb8c11afed5b0518211740cef76ea03146e98a8337581e02f7e
SHA512

7d15b22083a0132440297035e5854b318e2aadc615c7959285bc8516292b19f7cd1b062350bde02397e562952ec0910100c4988bec2d92b4ca394b76b1bb7442
SSDEEP

768:PHDvlKazXYN78NwC8A+XuqazcBRL5JTk1+T4KSBGHmDbD/ph0oXOlKYsN3tlSusV:btTXA9dSJYUbdh9OlAF+usdpqKmY7

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

Attributes

delay
1
install
true
install_file
Discord.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/zs3YKzJ3

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000900000001aa9c-11.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2352	Discord.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
2	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
776	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
904	buidl.exe
904	buidl.exe
904	buidl.exe
904	buidl.exe
904	buidl.exe
904	buidl.exe
904	buidl.exe
904	buidl.exe
904	buidl.exe
904	buidl.exe
904	buidl.exe
904	buidl.exe
904	buidl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	904	buidl.exe
Token: SeDebugPrivilege	2352	Discord.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 2552	904	buidl.exe	70
PID 904 wrote to memory of 2552	904	buidl.exe	70
PID 904 wrote to memory of 5068	904	buidl.exe	72
PID 904 wrote to memory of 5068	904	buidl.exe	72
PID 2552 wrote to memory of 1008	2552	cmd.exe	74
PID 2552 wrote to memory of 1008	2552	cmd.exe	74
PID 5068 wrote to memory of 776	5068	cmd.exe	75
PID 5068 wrote to memory of 776	5068	cmd.exe	75
PID 5068 wrote to memory of 2352	5068	cmd.exe	76
PID 5068 wrote to memory of 2352	5068	cmd.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\buidl.exe
"C:\Users\Admin\AppData\Local\Temp\buidl.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE9F2.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:776
- - C:\Users\Admin\AppData\Roaming\Discord.exe
    "C:\Users\Admin\AppData\Roaming\Discord.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE9F2.tmp.bat

Filesize
151B

MD5
3a588c623d2911671005619fb3f0aa72

SHA1
d2b91877219e130f9f7e32de97962cdb21595dae

SHA256
11c735a3236b3ec231f54bb0bb31199e572f814b3f5e98939ddb4bf2f5e5dd0f

SHA512
e1109085aac2e23b9baaf399d50b18724f71b5df87a44794c5f5a0268f04624ef225917679704dee7055c2697c7f7de17ba4937b3742c4a9aac6851097fdaec7

Download Submit
C:\Users\Admin\AppData\Roaming\Discord.exe

Filesize
63KB

MD5
9c2d4871014553f542534fce03805000

SHA1
cd44e0ee979718203d896fcc7dcb5cc5077eb721

SHA256
9fde4361d7beadb8c11afed5b0518211740cef76ea03146e98a8337581e02f7e

SHA512
7d15b22083a0132440297035e5854b318e2aadc615c7959285bc8516292b19f7cd1b062350bde02397e562952ec0910100c4988bec2d92b4ca394b76b1bb7442

Download Submit
memory/904-0-0x0000000000A10000-0x0000000000A26000-memory.dmp

Filesize
88KB

Download
memory/904-1-0x00007FFB83AE3000-0x00007FFB83AE4000-memory.dmp

Filesize
4KB

Download
memory/904-2-0x00007FFB83AE0000-0x00007FFB844CC000-memory.dmp

Filesize
9.9MB

Download
memory/904-3-0x00007FFB83AE0000-0x00007FFB844CC000-memory.dmp

Filesize
9.9MB

Download
memory/904-9-0x00007FFB83AE0000-0x00007FFB844CC000-memory.dmp

Filesize
9.9MB

Download