asyncrat | 4b90d4fb520d1deda7f182e1a19e7750979086bfbae6e2b44b276c8130e7c0c8

Analysis

max time kernel
40s
max time network
45s
platform
windows7_x64
resource
win7-20240729-en
submitted
17/08/2024, 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

brr.exe
Size

827KB
MD5

92867f5de7d9de203c1f9f4781961863
SHA1

103fa7ef6a97862f568d410e7607e34f1c41da18
SHA256

4b90d4fb520d1deda7f182e1a19e7750979086bfbae6e2b44b276c8130e7c0c8
SHA512

818208e48ebc2797645dce2d79545215e5c4d32bed0ac65ae14f72d388a6179ebf2268690ec6c8f6923ef1a57d71bebc9e26e1906df16843b729f30b06746f34
SSDEEP

12288:xMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9nKas/fHmwj:xnsJ39LyjbJkQFMhmC+6GD9KTuA

Score

10^/10

asyncrat xred crown backdoor discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Crown

127.0.0.1:9090

127.0.0.1:5013

147.185.221.22:9090

147.185.221.22:5013

Mutex

vopltdrmzkidmoli

Attributes

delay
1
install
true
install_file
Windows.exe
install_folder
%Temp%

aes.plain

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000c00000001226d-15.dat	family_asyncrat

Executes dropped EXE 3 IoCs

pid	Process
1916	._cache_brr.exe
2148	Synaptics.exe
2740	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2112	brr.exe
2112	brr.exe
2112	brr.exe
2148	Synaptics.exe
2148	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	brr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
800	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	._cache_Synaptics.exe
Token: SeDebugPrivilege	1916	._cache_brr.exe
Token: SeIncreaseQuotaPrivilege	1916	._cache_brr.exe
Token: SeSecurityPrivilege	1916	._cache_brr.exe
Token: SeTakeOwnershipPrivilege	1916	._cache_brr.exe
Token: SeLoadDriverPrivilege	1916	._cache_brr.exe
Token: SeSystemProfilePrivilege	1916	._cache_brr.exe
Token: SeSystemtimePrivilege	1916	._cache_brr.exe
Token: SeProfSingleProcessPrivilege	1916	._cache_brr.exe
Token: SeIncBasePriorityPrivilege	1916	._cache_brr.exe
Token: SeCreatePagefilePrivilege	1916	._cache_brr.exe
Token: SeBackupPrivilege	1916	._cache_brr.exe
Token: SeRestorePrivilege	1916	._cache_brr.exe
Token: SeShutdownPrivilege	1916	._cache_brr.exe
Token: SeDebugPrivilege	1916	._cache_brr.exe
Token: SeSystemEnvironmentPrivilege	1916	._cache_brr.exe
Token: SeRemoteShutdownPrivilege	1916	._cache_brr.exe
Token: SeUndockPrivilege	1916	._cache_brr.exe
Token: SeManageVolumePrivilege	1916	._cache_brr.exe
Token: 33	1916	._cache_brr.exe
Token: 34	1916	._cache_brr.exe
Token: 35	1916	._cache_brr.exe
Token: SeIncreaseQuotaPrivilege	1916	._cache_brr.exe
Token: SeSecurityPrivilege	1916	._cache_brr.exe
Token: SeTakeOwnershipPrivilege	1916	._cache_brr.exe
Token: SeLoadDriverPrivilege	1916	._cache_brr.exe
Token: SeSystemProfilePrivilege	1916	._cache_brr.exe
Token: SeSystemtimePrivilege	1916	._cache_brr.exe
Token: SeProfSingleProcessPrivilege	1916	._cache_brr.exe
Token: SeIncBasePriorityPrivilege	1916	._cache_brr.exe
Token: SeCreatePagefilePrivilege	1916	._cache_brr.exe
Token: SeBackupPrivilege	1916	._cache_brr.exe
Token: SeRestorePrivilege	1916	._cache_brr.exe
Token: SeShutdownPrivilege	1916	._cache_brr.exe
Token: SeDebugPrivilege	1916	._cache_brr.exe
Token: SeSystemEnvironmentPrivilege	1916	._cache_brr.exe
Token: SeRemoteShutdownPrivilege	1916	._cache_brr.exe
Token: SeUndockPrivilege	1916	._cache_brr.exe
Token: SeManageVolumePrivilege	1916	._cache_brr.exe
Token: 33	1916	._cache_brr.exe
Token: 34	1916	._cache_brr.exe
Token: 35	1916	._cache_brr.exe
Token: SeIncreaseQuotaPrivilege	2740	._cache_Synaptics.exe
Token: SeSecurityPrivilege	2740	._cache_Synaptics.exe
Token: SeTakeOwnershipPrivilege	2740	._cache_Synaptics.exe
Token: SeLoadDriverPrivilege	2740	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2740	._cache_Synaptics.exe
Token: SeSystemtimePrivilege	2740	._cache_Synaptics.exe
Token: SeProfSingleProcessPrivilege	2740	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2740	._cache_Synaptics.exe
Token: SeCreatePagefilePrivilege	2740	._cache_Synaptics.exe
Token: SeBackupPrivilege	2740	._cache_Synaptics.exe
Token: SeRestorePrivilege	2740	._cache_Synaptics.exe
Token: SeShutdownPrivilege	2740	._cache_Synaptics.exe
Token: SeDebugPrivilege	2740	._cache_Synaptics.exe
Token: SeSystemEnvironmentPrivilege	2740	._cache_Synaptics.exe
Token: SeRemoteShutdownPrivilege	2740	._cache_Synaptics.exe
Token: SeUndockPrivilege	2740	._cache_Synaptics.exe
Token: SeManageVolumePrivilege	2740	._cache_Synaptics.exe
Token: 33	2740	._cache_Synaptics.exe
Token: 34	2740	._cache_Synaptics.exe
Token: 35	2740	._cache_Synaptics.exe
Token: SeIncreaseQuotaPrivilege	2740	._cache_Synaptics.exe
Token: SeSecurityPrivilege	2740	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
800	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1916	2112	brr.exe	30
PID 2112 wrote to memory of 1916	2112	brr.exe	30
PID 2112 wrote to memory of 1916	2112	brr.exe	30
PID 2112 wrote to memory of 1916	2112	brr.exe	30
PID 2112 wrote to memory of 2148	2112	brr.exe	31
PID 2112 wrote to memory of 2148	2112	brr.exe	31
PID 2112 wrote to memory of 2148	2112	brr.exe	31
PID 2112 wrote to memory of 2148	2112	brr.exe	31
PID 2148 wrote to memory of 2740	2148	Synaptics.exe	32
PID 2148 wrote to memory of 2740	2148	Synaptics.exe	32
PID 2148 wrote to memory of 2740	2148	Synaptics.exe	32
PID 2148 wrote to memory of 2740	2148	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\brr.exe
"C:\Users\Admin\AppData\Local\Temp\brr.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\._cache_brr.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_brr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2740

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
827KB

MD5
92867f5de7d9de203c1f9f4781961863

SHA1
103fa7ef6a97862f568d410e7607e34f1c41da18

SHA256
4b90d4fb520d1deda7f182e1a19e7750979086bfbae6e2b44b276c8130e7c0c8

SHA512
818208e48ebc2797645dce2d79545215e5c4d32bed0ac65ae14f72d388a6179ebf2268690ec6c8f6923ef1a57d71bebc9e26e1906df16843b729f30b06746f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_brr.exe

Filesize
74KB

MD5
05a780ca5b8f32b1fbbc0b8e0012247f

SHA1
518bbe68186667deda350cf3475bee4dee5e071c

SHA256
4b685783cf16a471b5c4b8c117e9b12ad37b590b521a003167eb3692c9b66df0

SHA512
4b52ec4a1dfb96fa5c6d4109c2bbc0d64ec130d5f52cca9ce947a3b371eb8a791c1b9687829f3fcb32946ebe8bdbf8055239c86a7b7e2c9bffa9256d74580243

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUxdLaZc.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/800-39-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1916-17-0x00000000003E0000-0x00000000003F8000-memory.dmp

Filesize
96KB

Download
memory/2112-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2112-26-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2148-59-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2148-60-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2740-37-0x0000000000320000-0x0000000000338000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads