asyncrat | 7559e6ca8b77400f88bf4e67208a1c32570a670068eccae9e3d226cc5471bd47

Resubmissions

26-09-2024 06:42

240926-hgnp9ashkk 10

25-09-2024 16:40

240925-t6kwfayfph 10

Analysis

max time kernel
151s
max time network
52s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Size

46KB
MD5

ceef7b8296b733da0be864ccdf41ce77
SHA1

c66de07f66ace03ef1e140c8e46525c27df94b04
SHA256

5515739bd8752264b7ee2a2c9b957d36af9fb16b19d7dd1aef4139f2fe74af47
SHA512

62241a9b37933edd4c751316c9cc8a8b195766d81baab7d5b2ef3a532c464e6d76fe9d781ac94c1aff587052a3d9e18478e509e51313656bc2db2b38df792c70
SSDEEP

768:vqdwSbXx6csbXkOicvHk3eHlWMPbPgF0qybI6QolYI6OCC2tYcFmVc6K:vJbXXvZH0ub4FrybI6Qm6OnKmVcl

Score

10^/10

asyncrat null rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

Botnet

null

sam144169-56334.portmap.io:56334

sam144169-56334.portmap.io:5552

sam144169-56334.portmap.io:5050

webforma.chickenkiller.com:56334

webforma.chickenkiller.com:5552

webforma.chickenkiller.com:5050

webdata.ddns.net:56334

webdata.ddns.net:5552

webdata.ddns.net:5050

Mutex

xOUgFqeTTggB

Attributes

delay
5
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2804 svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2936 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2852 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

HEUR-Backdoor.MSIL.Crysan.exesvchost.exe

pid process

664 HEUR-Backdoor.MSIL.Crysan.exe
2804 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HEUR-Backdoor.MSIL.Crysan.exesvchost.exe

description pid process

Token: SeDebugPrivilege 664 HEUR-Backdoor.MSIL.Crysan.exe
Token: SeDebugPrivilege 2804 svchost.exe

pid	process
2804	svchost.exe

pid	process
2936	timeout.exe

pid	process
2852	schtasks.exe

pid	process
664	HEUR-Backdoor.MSIL.Crysan.exe
2804	svchost.exe

description	pid	process
Token: SeDebugPrivilege	664	HEUR-Backdoor.MSIL.Crysan.exe
Token: SeDebugPrivilege	2804	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

HEUR-Backdoor.MSIL.Crysan.execmd.exe

description	pid	process	target process
PID 664 wrote to memory of 2852	664	HEUR-Backdoor.MSIL.Crysan.exe	schtasks.exe
PID 664 wrote to memory of 2852	664	HEUR-Backdoor.MSIL.Crysan.exe	schtasks.exe
PID 664 wrote to memory of 2852	664	HEUR-Backdoor.MSIL.Crysan.exe	schtasks.exe
PID 664 wrote to memory of 2968	664	HEUR-Backdoor.MSIL.Crysan.exe	cmd.exe
PID 664 wrote to memory of 2968	664	HEUR-Backdoor.MSIL.Crysan.exe	cmd.exe
PID 664 wrote to memory of 2968	664	HEUR-Backdoor.MSIL.Crysan.exe	cmd.exe
PID 2968 wrote to memory of 2936	2968	cmd.exe	timeout.exe
PID 2968 wrote to memory of 2936	2968	cmd.exe	timeout.exe
PID 2968 wrote to memory of 2936	2968	cmd.exe	timeout.exe
PID 2968 wrote to memory of 2804	2968	cmd.exe	svchost.exe
PID 2968 wrote to memory of 2804	2968	cmd.exe	svchost.exe
PID 2968 wrote to memory of 2804	2968	cmd.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Backdoor.MSIL.Crysan.exe
"C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Backdoor.MSIL.Crysan.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:664
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'svchost"' /tr "'C:\Users\Admin\AppData\Roaming\svchost.exe"'
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2852
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4CAA.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2936
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4CAA.tmp.bat

Filesize
151B

MD5
e388c3c8ca2da09843f419c5d4748f4f

SHA1
9d7b95a66ba537ba01af5e5cb84d234a4442cbfb

SHA256
df4ee3a0a90dc847358bef9f33cf6d5dfa71e90d711bbd260f8ad0ed93934133

SHA512
45231d9de5f201b501f8eb93c7c75d00c9a30335a58005172d825042c01501e3d68c6513911f610497420b0ccadc945fac8f98f32d2d58d440f4c7c332e90416

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
48.3MB

MD5
d8bff49450fa4f3345f04d1e10f8c295

SHA1
b9a3873d0d9c59c7796d75391425e9d8fff2728d

SHA256
36e199c619f467417fa7e81023fe697bc58b87c35c301bbc86b78d20643384bb

SHA512
fd7df914ba74003ecf85cb110342c35374ade9787e301cf6e01d74a2908a3183f708caba82e21e816838f85d5efda5e9c1a013a256a2faa5fe5cb5ef211533b7

Download Submit
memory/664-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/664-1-0x0000000000040000-0x0000000000052000-memory.dmp

Filesize
72KB

Download
memory/664-2-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/664-3-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/664-4-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/664-14-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-18-0x0000000000F40000-0x0000000000F52000-memory.dmp

Filesize
72KB

Download