asyncrat | 8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6

Analysis

max time kernel
94s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6.exe
Size

9.0MB
MD5

770e86de8a842438158eb5df1839ff84
SHA1

eec33c6b88cd140973e60d7b99bb5c93daa07e7c
SHA256

8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6
SHA512

be8371146d32a01a17366faf8e3eb8f90966b352e06954bafc061b55a1909637d189d91492068d81a971b8059ae8b83bd3c67b9230e2d9a8c515af29c8d3a0d6
SSDEEP

196608:LtsxbAQvatwq+ZkiKDIKx0vGkNWehyzGVzzePCw29uWZeEn2o2Lz9QhS0:+xvaaq+ZkFVx0OhayzWX6JjlE2lLhQE

Score

10^/10

asyncrat cobaltstrike default backdoor discovery rat trojan

Malware Config

Extracted

Family

cobaltstrike

http://192.168.158.128:80/jquery-3.3.2.slim.min.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Extracted

Family

asyncrat

Botnet

Default

143.92.57.11:2048

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4616-52-0x0000023FEF7F0000-0x0000023FEF806000-memory.dmp	family_asyncrat

Executes dropped EXE 3 IoCs

pid	Process
1264	qd.exe
3124	updata.exe
4616	updata.exe

Loads dropped DLL 6 IoCs

pid	Process
864	8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6.exe
864	8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6.exe
864	8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6.exe
864	8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6.exe
864	8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6.exe
864	8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qd.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	13	Go-http-client/1.1
HTTP User-Agent header	14	Go-http-client/1.1

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4616	updata.exe
Token: SeDebugPrivilege	3124	updata.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 864	3236	8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6.exe	82
PID 3236 wrote to memory of 864	3236	8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6.exe	82
PID 864 wrote to memory of 3472	864	8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6.exe	83
PID 864 wrote to memory of 3472	864	8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6.exe	83
PID 864 wrote to memory of 3008	864	8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6.exe	84
PID 864 wrote to memory of 3008	864	8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6.exe	84
PID 3008 wrote to memory of 1264	3008	cmd.exe	87
PID 3008 wrote to memory of 1264	3008	cmd.exe	87
PID 3008 wrote to memory of 1264	3008	cmd.exe	87
PID 3472 wrote to memory of 3124	3472	cmd.exe	88
PID 3472 wrote to memory of 3124	3472	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6.exe
"C:\Users\Admin\AppData\Local\Temp\8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Users\Admin\AppData\Local\Temp\8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6.exe
  "C:\Users\Admin\AppData\Local\Temp\8254f85ef0146f11e0071b9048ec3fdedc3113fbe2f40a7b6f9acc62cdfe56a6.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\updata.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Users\Admin\AppData\Roaming\updata.exe
      C:\Users\Admin\AppData\Roaming\updata.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\qd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\qd.exe
      C:\Users\Admin\AppData\Local\Temp\qd.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1264

C:\Users\Admin\AppData\Roaming\updata.exe
C:\Users\Admin\AppData\Roaming\updata.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI32362\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\_bz2.pyd

Filesize
81KB

MD5
56203038756826a0a683d5750ee04093

SHA1
93d5a07f49bdcc7eb8fba458b2428fe4afcc20d2

SHA256
31c2f21adf27ca77fa746c0fda9c7d7734587ab123b95f2310725aaf4bf4ff3c

SHA512
3da5ae98511300694c9e91617c152805761d3de567981b5ab3ef7cd3dbba3521aae0d49b1eb42123d241b5ed13e8637d5c5bc1b44b9eaa754657f30662159f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\_ctypes.pyd

Filesize
120KB

MD5
462fd515ca586048459b9d90a660cb93

SHA1
06089f5d5e2a6411a0d7b106d24d5203eb70ec60

SHA256
bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4

SHA512
67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\_decimal.pyd

Filesize
246KB

MD5
709613d7d7bc30abdaee015c331664b6

SHA1
84278fd8acc53c50b4e2ffa3f47b9ddad7dd7a70

SHA256
8600cae4f34cc64c406198e19539d0d4f5a574fc60b32b8aa8f32fd64c981da5

SHA512
4eb48bbcdf7cd9ebb9909e5269d4663bf14906a282a1f1418cc7e137f2be1c792019d78446d4d8bea63024cbf01bec14e28633d6e4ebbd85d7d074b948cab211

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\_hashlib.pyd

Filesize
63KB

MD5
7a74284813386818ada7bf55c8d8acf9

SHA1
380c4184eec7ca266e4c2b96bb92a504dfd8fe5f

SHA256
21a1819013de423bb3b9b682d0b3506c6ef57ee88c61edf4ba12d8d5f589c9c2

SHA512
f8bc4ac57ada754006bbbb0bfa1ccb6c659f9c4d3270970e26219005e872b60afb9242457d8eb3eae0ce1f608f730da3bf16715f04b47bea4c95519dd9994a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\_lzma.pyd

Filesize
154KB

MD5
14ea9d8ba0c2379fb1a9f6f3e9bbd63b

SHA1
f7d4e7b86acaf796679d173e18f758c1e338de82

SHA256
c414a5a418c41a7a8316687047ed816cad576741bd09a268928e381a03e1eb39

SHA512
64a52fe41007a1cac4afedf2961727b823d7f1c4399d3465d22377b5a4a5935cee2598447aeff62f99c4e98bb3657cfae25b5c27de32107a3a829df5a25ba1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\_socket.pyd

Filesize
77KB

MD5
c389430e19f1cd4c2e7b8538e8c52459

SHA1
546ed5a85ad80a7b7db99f80c7080dc972e4f2a2

SHA256
a14efa68d8f7ec018fb867a6ba6c6c290a803b4001fd8c45db7bda66fb700067

SHA512
5bef6c90c65bf1d4be0ce0d0cb3f38fe288f5716c93e444cf12f89f066791850d8316d414f1d795ff148c9e841cda90ef9c35ceb4a499563f28d068a6b427671

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\base_library.zip

Filesize
859KB

MD5
85a0e3e1aa4940e31f3fc332997e10ad

SHA1
2ee0290116ec9ba908bc7376fcba2ecd925d530d

SHA256
6600ef7161a5acf7c4cf05f46373d6551e2963f3383499a69b553994c30b13bd

SHA512
d4f1cf64549f8443c7d84999c402056bd630aef08c818c1a39632cba32326c3c725f4846a92118987694c7b3f7bbcad0ed044e09bc788644e08498229c420c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\libcrypto-1_1.dll

Filesize
3.3MB

MD5
80b72c24c74d59ae32ba2b0ea5e7dad2

SHA1
75f892e361619e51578b312605201571bfb67ff8

SHA256
eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d

SHA512
08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\python310.dll

Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\qd.exe

Filesize
11KB

MD5
9d9f6839e1134b2079ced33f535b832d

SHA1
fe5289605e2275455000ac4aa1a6242002062c41

SHA256
63957011b971f6b48e940a30e8c754b458e8e3b4e2d1e81375b2bc18135fb085

SHA512
3699a89e0ffeb3967a2af0741dff66c0d053cff5de0d19f4a0c2d7f1cdc701b4595bb0b9f7a5bf690071dfb5c049e904d98034dce5c2be48f08cc4f516347629

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\select.pyd

Filesize
29KB

MD5
c6ef07e75eae2c147042d142e23d2173

SHA1
6ef3e912db5faf5a6b4225dbb6e34337a2271a60

SHA256
43ee736c8a93e28b1407bf5e057a7449f16ee665a6e51a0f1bc416e13cee7e78

SHA512
30e915566e7b934bdd49e708151c98f732ff338d7bc3a46797de9cca308621791276ea03372c5e2834b6b55e66e05d58cf1bb4cb9ff31fb0a1c1aca0fcdc0d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\unicodedata.pyd

Filesize
1.1MB

MD5
d4964a28a22078c30064c65e968f9e1f

SHA1
b9b95975bea97a55c888da66148d54bdb38b609b

SHA256
b204718d21952369726472ca12712047839119ccf87e16979af595c0a57b6703

SHA512
bfe200b255ae1ddba53d98d54479e7e1d0932fb27bbfdcb4170d3d4cbbbfc297e3b5fd273b830399b795feb64cd0d9c48d0e1e0eaf72d0e0992261864e2d7296

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32362\updata.exe

Filesize
6.5MB

MD5
5f71e018ec18523b75f12eb82d4b5f87

SHA1
a8c438332102873d1841dac647626ceaa166ba5d

SHA256
b15decc1c34b4351acd072a7c908a6a857d71670d1f0942f30fd502c7ad1791a

SHA512
1037d4da3594d639c9ec0a3bac27a8d054763b32dc28e390894d2db6f2354e79cadc1b926e9f6636d65ef654bfe4b8a3038fecc8ca6b010aae8f68a72d6b6b49

Download Submit
memory/1264-47-0x0000000074DFE000-0x0000000074DFF000-memory.dmp

Filesize
4KB

Download
memory/1264-48-0x0000000000870000-0x000000000087A000-memory.dmp

Filesize
40KB

Download
memory/4616-51-0x0000023FEDF50000-0x0000023FEDF65000-memory.dmp

Filesize
84KB

Download
memory/4616-52-0x0000023FEF7F0000-0x0000023FEF806000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads