asyncrat | dfdc2fed5aaa08a7b0f14ae911ec5da176a96e1a5353a7c312d00e1f44f78800

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

java.exe
Size

93KB
MD5

36d33dc25fa18b77948d029663b75781
SHA1

b4efc91e408c6cc9cb9eca0a2ec65e8fb5cd88ea
SHA256

dfdc2fed5aaa08a7b0f14ae911ec5da176a96e1a5353a7c312d00e1f44f78800
SHA512

838731679e67da9d3a2cf14b85b3bf633d060fb2e9da170847a321a13183e8595db218e5e14f93aa8a63ede693a709c844e47bc14be658fe21af6c5de69bf51b
SSDEEP

1536:r2Dn+b6wTbwD8UbFh9FEiMSubs7qjh3rmKPNkhpqKmY7:r1bT68UbFSiMPTjZqMNkaz

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

furniture-worried.gl.at.ply.gg:34886:1488

Attributes

delay
1
install
true
install_file
Java.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000300000002327a-11.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	java.exe

Executes dropped EXE 1 IoCs

pid	Process
3048	Java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3068	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
2928	java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe
3048	Java.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	java.exe
Token: SeDebugPrivilege	2928	java.exe
Token: SeDebugPrivilege	3048	Java.exe
Token: SeDebugPrivilege	3048	Java.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 4456	2928	java.exe	88
PID 2928 wrote to memory of 4456	2928	java.exe	88
PID 2928 wrote to memory of 4528	2928	java.exe	89
PID 2928 wrote to memory of 4528	2928	java.exe	89
PID 4528 wrote to memory of 3068	4528	cmd.exe	92
PID 4528 wrote to memory of 3068	4528	cmd.exe	92
PID 4456 wrote to memory of 2748	4456	cmd.exe	93
PID 4456 wrote to memory of 2748	4456	cmd.exe	93
PID 4528 wrote to memory of 3048	4528	cmd.exe	97
PID 4528 wrote to memory of 3048	4528	cmd.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\java.exe
"C:\Users\Admin\AppData\Local\Temp\java.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Java" /tr '"C:\Users\Admin\AppData\Roaming\Java.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Java" /tr '"C:\Users\Admin\AppData\Roaming\Java.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3068
- - C:\Users\Admin\AppData\Roaming\Java.exe
    "C:\Users\Admin\AppData\Roaming\Java.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Java.exe.log

Filesize
871B

MD5
d58f949aad7df2e7b55248bfdfc6e1b8

SHA1
6713cad396b5808b66ede2dd9b169e00d5e5018f

SHA256
5e1611e4d915fd9759825811fa4463f09172889f85889a2942be1561948fab8a

SHA512
bdddb838108c4f3f0a7737703cbde935fe26aaea97459bb099c4c773c0789997283d7f20ac7ea4ac2aedef23515afc0b251b5b461aa12d3b7a60846b87b26e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.bat

Filesize
148B

MD5
84d0671801a9269126291d82a3a16340

SHA1
e9a29b8265e5e74ca33a96a1c47533041a8ba5ac

SHA256
fa0528f7585f820277e363f03253beaa5a67eee7e213357e5610981b704234bd

SHA512
3bf95df75c5397ccab98b7d2843e002ca48d45e8bce496c027e4750af0ab8ee0c253a42ed2ecf248ff1895399687adb17f2d5805874d13920289a5b12b999339

Download Submit
C:\Users\Admin\AppData\Roaming\Java.exe

Filesize
93KB

MD5
36d33dc25fa18b77948d029663b75781

SHA1
b4efc91e408c6cc9cb9eca0a2ec65e8fb5cd88ea

SHA256
dfdc2fed5aaa08a7b0f14ae911ec5da176a96e1a5353a7c312d00e1f44f78800

SHA512
838731679e67da9d3a2cf14b85b3bf633d060fb2e9da170847a321a13183e8595db218e5e14f93aa8a63ede693a709c844e47bc14be658fe21af6c5de69bf51b

Download Submit
memory/2928-0-0x00007FFFDEE53000-0x00007FFFDEE55000-memory.dmp

Filesize
8KB

Download
memory/2928-1-0x0000000000A80000-0x0000000000A9E000-memory.dmp

Filesize
120KB

Download
memory/2928-2-0x00007FFFDEE50000-0x00007FFFDF911000-memory.dmp

Filesize
10.8MB

Download
memory/2928-8-0x00007FFFDEE50000-0x00007FFFDF911000-memory.dmp

Filesize
10.8MB

Download
memory/2928-7-0x00007FFFDEE50000-0x00007FFFDF911000-memory.dmp

Filesize
10.8MB

Download