asyncrat | 93e9e60b2642385ba3972dde3db83f404ede759b98e85465e962b040a81920af

General

Target

c89f06207619b46aff5d7d3824f315d0N.exe
Size

40KB
MD5

c89f06207619b46aff5d7d3824f315d0
SHA1

e5253820c444920bc4ab49f67a50a65c0e725e67
SHA256

93e9e60b2642385ba3972dde3db83f404ede759b98e85465e962b040a81920af
SHA512

edba8543774ed2c22796adb41b02228ea7c33dac0c877f4274cac8553a5e08d1d41c45c3738f975e55f1b8ffb92c23ce27dc274a2ecf6abb9860ea6dd0617650
SSDEEP

768:BWRs92Ry5MfORJRRoQMq0X/eVgqGHBVlC1kqECUV8ix:QRwzmWRnjq3lbCqx

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

http://rconhomne.ddns.net/:6606

http://rconhomne.ddns.net/:7707

http://rconhomne.ddns.net/:8808

Mutex

INto6wUrRcnC

Attributes

delay
60
install
true
install_file
$77system.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/900-2-0x00000000003C0000-0x00000000003D2000-memory.dmp	family_asyncrat
behavioral1/memory/2116-19-0x00000000001E0000-0x00000000001F2000-memory.dmp	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2116	$77system.exe

Loads dropped DLL 1 IoCs

pid	Process
1192	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c89f06207619b46aff5d7d3824f315d0N.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1664	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1724	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
900	c89f06207619b46aff5d7d3824f315d0N.exe
900	c89f06207619b46aff5d7d3824f315d0N.exe
900	c89f06207619b46aff5d7d3824f315d0N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	c89f06207619b46aff5d7d3824f315d0N.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 2688	900	c89f06207619b46aff5d7d3824f315d0N.exe	32
PID 900 wrote to memory of 2688	900	c89f06207619b46aff5d7d3824f315d0N.exe	32
PID 900 wrote to memory of 2688	900	c89f06207619b46aff5d7d3824f315d0N.exe	32
PID 900 wrote to memory of 2688	900	c89f06207619b46aff5d7d3824f315d0N.exe	32
PID 900 wrote to memory of 1192	900	c89f06207619b46aff5d7d3824f315d0N.exe	34
PID 900 wrote to memory of 1192	900	c89f06207619b46aff5d7d3824f315d0N.exe	34
PID 900 wrote to memory of 1192	900	c89f06207619b46aff5d7d3824f315d0N.exe	34
PID 900 wrote to memory of 1192	900	c89f06207619b46aff5d7d3824f315d0N.exe	34
PID 2688 wrote to memory of 1724	2688	cmd.exe	36
PID 2688 wrote to memory of 1724	2688	cmd.exe	36
PID 2688 wrote to memory of 1724	2688	cmd.exe	36
PID 2688 wrote to memory of 1724	2688	cmd.exe	36
PID 1192 wrote to memory of 1664	1192	cmd.exe	37
PID 1192 wrote to memory of 1664	1192	cmd.exe	37
PID 1192 wrote to memory of 1664	1192	cmd.exe	37
PID 1192 wrote to memory of 1664	1192	cmd.exe	37
PID 1192 wrote to memory of 2116	1192	cmd.exe	38
PID 1192 wrote to memory of 2116	1192	cmd.exe	38
PID 1192 wrote to memory of 2116	1192	cmd.exe	38
PID 1192 wrote to memory of 2116	1192	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\c89f06207619b46aff5d7d3824f315d0N.exe
"C:\Users\Admin\AppData\Local\Temp\c89f06207619b46aff5d7d3824f315d0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77system" /tr '"C:\Users\Admin\AppData\Roaming\$77system.exe"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "$77system" /tr '"C:\Users\Admin\AppData\Roaming\$77system.exe"'
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAA15.tmp.bat""
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1664
- - C:\Users\Admin\AppData\Roaming\$77system.exe
    "C:\Users\Admin\AppData\Roaming\$77system.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAA15.tmp.bat

Filesize
153B

MD5
451761ea69d4187332654774d6a7c0bc

SHA1
d93bf5020d60af6f6dce132f3ac05bf4ee4c836b

SHA256
ffa946ec9e371095e34c75a2778bc00525d609f8c9b3ec00688fa713ef24c2d4

SHA512
83c4ca1cca77ab4b7e379fa69149a121756dd0ba8ad3f120955ee4fea7b72f2714459017cf28dab195749bc6dd5d03dac1da4e4d334f09eb63523e7f535f2e7e

Download Submit
\Users\Admin\AppData\Roaming\$77system.exe

Filesize
40KB

MD5
c89f06207619b46aff5d7d3824f315d0

SHA1
e5253820c444920bc4ab49f67a50a65c0e725e67

SHA256
93e9e60b2642385ba3972dde3db83f404ede759b98e85465e962b040a81920af

SHA512
edba8543774ed2c22796adb41b02228ea7c33dac0c877f4274cac8553a5e08d1d41c45c3738f975e55f1b8ffb92c23ce27dc274a2ecf6abb9860ea6dd0617650

Download Submit
memory/900-0-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/900-1-0x0000000000A40000-0x0000000000A50000-memory.dmp

Filesize
64KB

Download
memory/900-2-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/900-3-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/900-4-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/900-14-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2116-18-0x0000000001090000-0x00000000010A0000-memory.dmp

Filesize
64KB

Download
memory/2116-19-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads