asyncrat | 39baa2688320d6153376687d27d0fc29c5d25cdfe8884476b1a5c0ba8e872987

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
Size

2.0MB
MD5

b4a77cea5a03f4a34f8d5640cebd44ac
SHA1

cff95695ce0d401135206f3a7dda81b91d3c6b1e
SHA256

4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7
SHA512

3b5e2edcc9d9be7f141d42e4dc67405d6bf6f6b423f6d18c4090bf46d421dda8743a4fec3599a1fcb8813ed3f1b4d514864741bc50c13fd183b42fa71a51f5fe
SSDEEP

49152:GZd4ryFkp8Y4N1Pq3FKHv6T0x5E/aHJEt050R:G7qrpddVBTBR

Score

10^/10

asyncrat amu discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

AMU

jnmanymen.ydns.eu:1470

Mutex

zVHQMfZojR9k

Attributes

delay
10
install
true
install_file
windows.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.lnk	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1244	file.exe

Loads dropped DLL 2 IoCs

pid	Process
2776	cmd.exe
2776	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2776	cmd.exe
2876	PING.EXE
1572	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2876	PING.EXE
1572	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
Token: SeDebugPrivilege	1244	file.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2776	1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe	31
PID 1508 wrote to memory of 2776	1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe	31
PID 1508 wrote to memory of 2776	1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe	31
PID 1508 wrote to memory of 2776	1508	4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe	31
PID 2776 wrote to memory of 2876	2776	cmd.exe	33
PID 2776 wrote to memory of 2876	2776	cmd.exe	33
PID 2776 wrote to memory of 2876	2776	cmd.exe	33
PID 2776 wrote to memory of 2876	2776	cmd.exe	33
PID 2776 wrote to memory of 1572	2776	cmd.exe	34
PID 2776 wrote to memory of 1572	2776	cmd.exe	34
PID 2776 wrote to memory of 1572	2776	cmd.exe	34
PID 2776 wrote to memory of 1572	2776	cmd.exe	34
PID 2776 wrote to memory of 1244	2776	cmd.exe	35
PID 2776 wrote to memory of 1244	2776	cmd.exe	35
PID 2776 wrote to memory of 1244	2776	cmd.exe	35
PID 2776 wrote to memory of 1244	2776	cmd.exe	35
PID 1244 wrote to memory of 2056	1244	file.exe	36
PID 1244 wrote to memory of 2056	1244	file.exe	36
PID 1244 wrote to memory of 2056	1244	file.exe	36
PID 1244 wrote to memory of 2056	1244	file.exe	36
PID 1244 wrote to memory of 2056	1244	file.exe	36
PID 1244 wrote to memory of 2056	1244	file.exe	36
PID 1244 wrote to memory of 2056	1244	file.exe	36
PID 1244 wrote to memory of 2056	1244	file.exe	36
PID 1244 wrote to memory of 2056	1244	file.exe	36
PID 1244 wrote to memory of 2056	1244	file.exe	36
PID 1244 wrote to memory of 2056	1244	file.exe	36
PID 1244 wrote to memory of 2056	1244	file.exe	36

C:\Users\Admin\AppData\Local\Temp\4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe
"C:\Users\Admin\AppData\Local\Temp\4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\Admin\AppData\Local\Temp\4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 43
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2876
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 43
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1572
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Filesize
2.0MB

MD5
b4a77cea5a03f4a34f8d5640cebd44ac

SHA1
cff95695ce0d401135206f3a7dda81b91d3c6b1e

SHA256
4e96241248a8f9b7304190d21a081afb646f432d1ffbd3fbab7207515313fdd7

SHA512
3b5e2edcc9d9be7f141d42e4dc67405d6bf6f6b423f6d18c4090bf46d421dda8743a4fec3599a1fcb8813ed3f1b4d514864741bc50c13fd183b42fa71a51f5fe

Download Submit
memory/1244-27-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/1244-26-0x0000000000710000-0x000000000072A000-memory.dmp

Filesize
104KB

Download
memory/1244-25-0x0000000074E30000-0x000000007551E000-memory.dmp

Filesize
6.9MB

Download
memory/1244-24-0x0000000074E30000-0x000000007551E000-memory.dmp

Filesize
6.9MB

Download
memory/1244-23-0x0000000074E30000-0x000000007551E000-memory.dmp

Filesize
6.9MB

Download
memory/1244-22-0x0000000001230000-0x0000000001442000-memory.dmp

Filesize
2.1MB

Download
memory/1508-5-0x0000000074E80000-0x000000007556E000-memory.dmp

Filesize
6.9MB

Download
memory/1508-4-0x00000000003A0000-0x00000000003B8000-memory.dmp

Filesize
96KB

Download
memory/1508-10-0x0000000074E80000-0x000000007556E000-memory.dmp

Filesize
6.9MB

Download
memory/1508-11-0x0000000074E80000-0x000000007556E000-memory.dmp

Filesize
6.9MB

Download
memory/1508-8-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

Filesize
4KB

Download
memory/1508-6-0x0000000074E80000-0x000000007556E000-memory.dmp

Filesize
6.9MB

Download
memory/1508-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

Filesize
4KB

Download
memory/1508-9-0x0000000074E80000-0x000000007556E000-memory.dmp

Filesize
6.9MB

Download
memory/1508-3-0x0000000074E80000-0x000000007556E000-memory.dmp

Filesize
6.9MB

Download
memory/1508-2-0x0000000005040000-0x000000000520A000-memory.dmp

Filesize
1.8MB

Download
memory/1508-1-0x0000000001390000-0x00000000015A2000-memory.dmp

Filesize
2.1MB

Download
memory/2056-28-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2056-30-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2056-32-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2056-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2056-34-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download