asyncrat | 73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4

General

Target

73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4.exe
Size

63KB
MD5

d1dcb18f3781186a95bf7f9c084ae511
SHA1

140678a6122aea97d305499a806448098851dbbd
SHA256

73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4
SHA512

e17810dbff395e79295cbef9c1d66000475302305386416651b08152b74f188ca39cac3f7715b2a0a34963c075716521553115ecdcd42c3bd52d56365feafb72
SSDEEP

1536:y62ZBFzTkF7YUbrh9d58mMEugdpqKmY7:y62FzgJYUbrqyGz

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

production-loading.gl.at.ply.gg:48573

Attributes

delay
1
install
true
install_file
svcohost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\svcohost.exe	family_asyncrat

Executes dropped EXE 1 IoCs

Processes:

svcohost.exe

pid process

2708 svcohost.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2744 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2752 schtasks.exe

pid	process
2708	svcohost.exe

pid	process
2744	timeout.exe

pid	process
2752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4.exe

pid	process
2528	73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4.exe
2528	73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4.exe
2528	73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4.exesvcohost.exe

description	pid	process
Token: SeDebugPrivilege	2528	73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4.exe
Token: SeDebugPrivilege	2708	svcohost.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4.execmd.execmd.exe

description	pid	process	target process
PID 2528 wrote to memory of 1592	2528	73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4.exe	cmd.exe
PID 2528 wrote to memory of 1592	2528	73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4.exe	cmd.exe
PID 2528 wrote to memory of 1592	2528	73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4.exe	cmd.exe
PID 2528 wrote to memory of 3032	2528	73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4.exe	cmd.exe
PID 2528 wrote to memory of 3032	2528	73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4.exe	cmd.exe
PID 2528 wrote to memory of 3032	2528	73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4.exe	cmd.exe
PID 3032 wrote to memory of 2744	3032	cmd.exe	timeout.exe
PID 3032 wrote to memory of 2744	3032	cmd.exe	timeout.exe
PID 3032 wrote to memory of 2744	3032	cmd.exe	timeout.exe
PID 1592 wrote to memory of 2752	1592	cmd.exe	schtasks.exe
PID 1592 wrote to memory of 2752	1592	cmd.exe	schtasks.exe
PID 1592 wrote to memory of 2752	1592	cmd.exe	schtasks.exe
PID 3032 wrote to memory of 2708	3032	cmd.exe	svcohost.exe
PID 3032 wrote to memory of 2708	3032	cmd.exe	svcohost.exe
PID 3032 wrote to memory of 2708	3032	cmd.exe	svcohost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4.exe
"C:\Users\Admin\AppData\Local\Temp\73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svcohost" /tr '"C:\Users\Admin\AppData\Roaming\svcohost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svcohost" /tr '"C:\Users\Admin\AppData\Roaming\svcohost.exe"'
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC37.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2744

C:\Users\Admin\AppData\Roaming\svcohost.exe
"C:\Users\Admin\AppData\Roaming\svcohost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAC37.tmp.bat

Filesize
152B

MD5
0d22f38a6920b01cc864aa9855f243d0

SHA1
7f54c13dd52da6d4ecfe0b995c3559d3eb69e89d

SHA256
7c9f3d19153fd3f5ab0fb0a7ad6f6348491c97c22f725d83df26337a745b4012

SHA512
c77dee52fdab22d1744f0ccd73160a3f55f9c524b2eacf8cfb01000aabf487ff561a4ae0d21ed877403a527e2bea182b35d8d3e2af26e906f2959a3ac0660962

Download Submit
C:\Users\Admin\AppData\Roaming\svcohost.exe

Filesize
63KB

MD5
d1dcb18f3781186a95bf7f9c084ae511

SHA1
140678a6122aea97d305499a806448098851dbbd

SHA256
73732a9e253c1f80825b9fb8ea5fcded94907e6368d6d0b28ea5f45ade729ab4

SHA512
e17810dbff395e79295cbef9c1d66000475302305386416651b08152b74f188ca39cac3f7715b2a0a34963c075716521553115ecdcd42c3bd52d56365feafb72

Download Submit
memory/2528-0-0x000007FEF6643000-0x000007FEF6644000-memory.dmp

Filesize
4KB

Download
memory/2528-1-0x0000000000CC0000-0x0000000000CD6000-memory.dmp

Filesize
88KB

Download
memory/2528-2-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-11-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-12-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-18-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/2708-17-0x0000000001200000-0x0000000001216000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads