asyncrat | 4b90d4fb520d1deda7f182e1a19e7750979086bfbae6e2b44b276c8130e7c0c8

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
submitted
17-08-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

brr.exe
Size

827KB
MD5

92867f5de7d9de203c1f9f4781961863
SHA1

103fa7ef6a97862f568d410e7607e34f1c41da18
SHA256

4b90d4fb520d1deda7f182e1a19e7750979086bfbae6e2b44b276c8130e7c0c8
SHA512

818208e48ebc2797645dce2d79545215e5c4d32bed0ac65ae14f72d388a6179ebf2268690ec6c8f6923ef1a57d71bebc9e26e1906df16843b729f30b06746f34
SSDEEP

12288:xMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9nKas/fHmwj:xnsJ39LyjbJkQFMhmC+6GD9KTuA

Score

10^/10

asyncrat xred crown backdoor discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Crown

127.0.0.1:9090

127.0.0.1:5013

147.185.221.22:9090

147.185.221.22:5013

Mutex

vopltdrmzkidmoli

Attributes

delay
1
install
true
install_file
Windows.exe
install_folder
%Temp%

aes.plain

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023394-4.dat	family_asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	brr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
3636	._cache_brr.exe
4928	Synaptics.exe
4840	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	brr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	brr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3856	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	._cache_brr.exe
Token: SeDebugPrivilege	4840	._cache_Synaptics.exe
Token: SeIncreaseQuotaPrivilege	3636	._cache_brr.exe
Token: SeSecurityPrivilege	3636	._cache_brr.exe
Token: SeTakeOwnershipPrivilege	3636	._cache_brr.exe
Token: SeLoadDriverPrivilege	3636	._cache_brr.exe
Token: SeSystemProfilePrivilege	3636	._cache_brr.exe
Token: SeSystemtimePrivilege	3636	._cache_brr.exe
Token: SeProfSingleProcessPrivilege	3636	._cache_brr.exe
Token: SeIncBasePriorityPrivilege	3636	._cache_brr.exe
Token: SeCreatePagefilePrivilege	3636	._cache_brr.exe
Token: SeBackupPrivilege	3636	._cache_brr.exe
Token: SeRestorePrivilege	3636	._cache_brr.exe
Token: SeShutdownPrivilege	3636	._cache_brr.exe
Token: SeDebugPrivilege	3636	._cache_brr.exe
Token: SeSystemEnvironmentPrivilege	3636	._cache_brr.exe
Token: SeRemoteShutdownPrivilege	3636	._cache_brr.exe
Token: SeUndockPrivilege	3636	._cache_brr.exe
Token: SeManageVolumePrivilege	3636	._cache_brr.exe
Token: 33	3636	._cache_brr.exe
Token: 34	3636	._cache_brr.exe
Token: 35	3636	._cache_brr.exe
Token: 36	3636	._cache_brr.exe
Token: SeIncreaseQuotaPrivilege	3636	._cache_brr.exe
Token: SeSecurityPrivilege	3636	._cache_brr.exe
Token: SeTakeOwnershipPrivilege	3636	._cache_brr.exe
Token: SeLoadDriverPrivilege	3636	._cache_brr.exe
Token: SeSystemProfilePrivilege	3636	._cache_brr.exe
Token: SeSystemtimePrivilege	3636	._cache_brr.exe
Token: SeProfSingleProcessPrivilege	3636	._cache_brr.exe
Token: SeIncBasePriorityPrivilege	3636	._cache_brr.exe
Token: SeCreatePagefilePrivilege	3636	._cache_brr.exe
Token: SeBackupPrivilege	3636	._cache_brr.exe
Token: SeRestorePrivilege	3636	._cache_brr.exe
Token: SeShutdownPrivilege	3636	._cache_brr.exe
Token: SeDebugPrivilege	3636	._cache_brr.exe
Token: SeSystemEnvironmentPrivilege	3636	._cache_brr.exe
Token: SeRemoteShutdownPrivilege	3636	._cache_brr.exe
Token: SeUndockPrivilege	3636	._cache_brr.exe
Token: SeManageVolumePrivilege	3636	._cache_brr.exe
Token: 33	3636	._cache_brr.exe
Token: 34	3636	._cache_brr.exe
Token: 35	3636	._cache_brr.exe
Token: 36	3636	._cache_brr.exe
Token: SeIncreaseQuotaPrivilege	4840	._cache_Synaptics.exe
Token: SeSecurityPrivilege	4840	._cache_Synaptics.exe
Token: SeTakeOwnershipPrivilege	4840	._cache_Synaptics.exe
Token: SeLoadDriverPrivilege	4840	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4840	._cache_Synaptics.exe
Token: SeSystemtimePrivilege	4840	._cache_Synaptics.exe
Token: SeProfSingleProcessPrivilege	4840	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	4840	._cache_Synaptics.exe
Token: SeCreatePagefilePrivilege	4840	._cache_Synaptics.exe
Token: SeBackupPrivilege	4840	._cache_Synaptics.exe
Token: SeRestorePrivilege	4840	._cache_Synaptics.exe
Token: SeShutdownPrivilege	4840	._cache_Synaptics.exe
Token: SeDebugPrivilege	4840	._cache_Synaptics.exe
Token: SeSystemEnvironmentPrivilege	4840	._cache_Synaptics.exe
Token: SeRemoteShutdownPrivilege	4840	._cache_Synaptics.exe
Token: SeUndockPrivilege	4840	._cache_Synaptics.exe
Token: SeManageVolumePrivilege	4840	._cache_Synaptics.exe
Token: 33	4840	._cache_Synaptics.exe
Token: 34	4840	._cache_Synaptics.exe
Token: 35	4840	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3856	EXCEL.EXE
3856	EXCEL.EXE
3856	EXCEL.EXE
3856	EXCEL.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 3636	4764	brr.exe	86
PID 4764 wrote to memory of 3636	4764	brr.exe	86
PID 4764 wrote to memory of 4928	4764	brr.exe	87
PID 4764 wrote to memory of 4928	4764	brr.exe	87
PID 4764 wrote to memory of 4928	4764	brr.exe	87
PID 4928 wrote to memory of 4840	4928	Synaptics.exe	89
PID 4928 wrote to memory of 4840	4928	Synaptics.exe	89

C:\Users\Admin\AppData\Local\Temp\brr.exe
"C:\Users\Admin\AppData\Local\Temp\brr.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\._cache_brr.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_brr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3636
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4840

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
827KB

MD5
92867f5de7d9de203c1f9f4781961863

SHA1
103fa7ef6a97862f568d410e7607e34f1c41da18

SHA256
4b90d4fb520d1deda7f182e1a19e7750979086bfbae6e2b44b276c8130e7c0c8

SHA512
818208e48ebc2797645dce2d79545215e5c4d32bed0ac65ae14f72d388a6179ebf2268690ec6c8f6923ef1a57d71bebc9e26e1906df16843b729f30b06746f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_brr.exe

Filesize
74KB

MD5
05a780ca5b8f32b1fbbc0b8e0012247f

SHA1
518bbe68186667deda350cf3475bee4dee5e071c

SHA256
4b685783cf16a471b5c4b8c117e9b12ad37b590b521a003167eb3692c9b66df0

SHA512
4b52ec4a1dfb96fa5c6d4109c2bbc0d64ec130d5f52cca9ce947a3b371eb8a791c1b9687829f3fcb32946ebe8bdbf8055239c86a7b7e2c9bffa9256d74580243

Download Submit
C:\Users\Admin\AppData\Local\Temp\l56auaJA.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/3636-194-0x00007FFA475F0000-0x00007FFA480B1000-memory.dmp

Filesize
10.8MB

Download
memory/3636-70-0x00007FFA475F3000-0x00007FFA475F5000-memory.dmp

Filesize
8KB

Download
memory/3636-71-0x0000000000BD0000-0x0000000000BE8000-memory.dmp

Filesize
96KB

Download
memory/3636-134-0x00007FFA475F0000-0x00007FFA480B1000-memory.dmp

Filesize
10.8MB

Download
memory/3856-201-0x00007FFA23960000-0x00007FFA23970000-memory.dmp

Filesize
64KB

Download
memory/3856-195-0x00007FFA25D90000-0x00007FFA25DA0000-memory.dmp

Filesize
64KB

Download
memory/3856-197-0x00007FFA25D90000-0x00007FFA25DA0000-memory.dmp

Filesize
64KB

Download
memory/3856-198-0x00007FFA25D90000-0x00007FFA25DA0000-memory.dmp

Filesize
64KB

Download
memory/3856-196-0x00007FFA25D90000-0x00007FFA25DA0000-memory.dmp

Filesize
64KB

Download
memory/3856-199-0x00007FFA25D90000-0x00007FFA25DA0000-memory.dmp

Filesize
64KB

Download
memory/3856-200-0x00007FFA23960000-0x00007FFA23970000-memory.dmp

Filesize
64KB

Download
memory/4764-0-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4764-131-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4928-202-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4928-216-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4928-247-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads