asyncrat | 5bbb7a91ebfa925b0765103006bdde91f19c648ae792fab9dbc73832f3b2423c

Analysis

max time kernel
94s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10cec8dbe0d9c07290686b0b232d34eb.exe
Size

1.2MB
MD5

10cec8dbe0d9c07290686b0b232d34eb
SHA1

72a97a9f499ae90a3cf232f09d55a33f617bf388
SHA256

5bbb7a91ebfa925b0765103006bdde91f19c648ae792fab9dbc73832f3b2423c
SHA512

cc29b516f31b483dab161817a8ee15a9723b3e26d507b35878546c83ba23163450d06c9783cb2a03e83d37e5dc3c953760c657e210b40282ca8160297d71897e
SSDEEP

12288:GzZ/DSq5YIrpsK7p3ADr20z9Fc2DNaC5o1e5lWfcLRDDrWmp47CrK0yf8I9lwSVy:GzZnjKg3ADrO2paC5fgyRazWm0ylw7

Score

10^/10

asyncrat mini discovery rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Mini

38.242.236.116:7707

38.242.236.116:8808

Mutex

AsyncMutex_coder

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

Exclusively.pif

description pid process target process

PID 2976 created 3488 2976 Exclusively.pif Explorer.EXE
PID 2976 created 3488 2976 Exclusively.pif Explorer.EXE

description	pid	process	target process
PID 2976 created 3488	2976	Exclusively.pif	Explorer.EXE
PID 2976 created 3488	2976	Exclusively.pif	Explorer.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

10cec8dbe0d9c07290686b0b232d34eb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	10cec8dbe0d9c07290686b0b232d34eb.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Software Name.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Software Name.url	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

Exclusively.pifRegAsm.exe

pid process

2976 Exclusively.pif
4524 RegAsm.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1240 tasklist.exe
2292 tasklist.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1240	tasklist.exe
2292	tasklist.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tasklist.exefindstr.exechoice.exeRegAsm.exe10cec8dbe0d9c07290686b0b232d34eb.exefindstr.exetasklist.execmd.execmd.exeExclusively.pifcmd.execmd.exefindstr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10cec8dbe0d9c07290686b0b232d34eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exclusively.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

Exclusively.pifRegAsm.exe

pid	process
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
2976	Exclusively.pif
4524	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tasklist.exetasklist.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 1240 tasklist.exe
Token: SeDebugPrivilege 2292 tasklist.exe
Token: SeDebugPrivilege 4524 RegAsm.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Exclusively.pif

pid process

2976 Exclusively.pif
2976 Exclusively.pif
2976 Exclusively.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Exclusively.pif

pid process

2976 Exclusively.pif
2976 Exclusively.pif
2976 Exclusively.pif
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

4524 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1240	tasklist.exe
Token: SeDebugPrivilege	2292	tasklist.exe
Token: SeDebugPrivilege	4524	RegAsm.exe

pid	process
4524	RegAsm.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

10cec8dbe0d9c07290686b0b232d34eb.execmd.exeExclusively.pif

description	pid	process	target process
PID 3268 wrote to memory of 3044	3268	10cec8dbe0d9c07290686b0b232d34eb.exe	cmd.exe
PID 3268 wrote to memory of 3044	3268	10cec8dbe0d9c07290686b0b232d34eb.exe	cmd.exe
PID 3268 wrote to memory of 3044	3268	10cec8dbe0d9c07290686b0b232d34eb.exe	cmd.exe
PID 3044 wrote to memory of 1240	3044	cmd.exe	tasklist.exe
PID 3044 wrote to memory of 1240	3044	cmd.exe	tasklist.exe
PID 3044 wrote to memory of 1240	3044	cmd.exe	tasklist.exe
PID 3044 wrote to memory of 3116	3044	cmd.exe	findstr.exe
PID 3044 wrote to memory of 3116	3044	cmd.exe	findstr.exe
PID 3044 wrote to memory of 3116	3044	cmd.exe	findstr.exe
PID 3044 wrote to memory of 2292	3044	cmd.exe	tasklist.exe
PID 3044 wrote to memory of 2292	3044	cmd.exe	tasklist.exe
PID 3044 wrote to memory of 2292	3044	cmd.exe	tasklist.exe
PID 3044 wrote to memory of 3972	3044	cmd.exe	findstr.exe
PID 3044 wrote to memory of 3972	3044	cmd.exe	findstr.exe
PID 3044 wrote to memory of 3972	3044	cmd.exe	findstr.exe
PID 3044 wrote to memory of 1484	3044	cmd.exe	cmd.exe
PID 3044 wrote to memory of 1484	3044	cmd.exe	cmd.exe
PID 3044 wrote to memory of 1484	3044	cmd.exe	cmd.exe
PID 3044 wrote to memory of 3612	3044	cmd.exe	findstr.exe
PID 3044 wrote to memory of 3612	3044	cmd.exe	findstr.exe
PID 3044 wrote to memory of 3612	3044	cmd.exe	findstr.exe
PID 3044 wrote to memory of 3600	3044	cmd.exe	cmd.exe
PID 3044 wrote to memory of 3600	3044	cmd.exe	cmd.exe
PID 3044 wrote to memory of 3600	3044	cmd.exe	cmd.exe
PID 3044 wrote to memory of 2976	3044	cmd.exe	Exclusively.pif
PID 3044 wrote to memory of 2976	3044	cmd.exe	Exclusively.pif
PID 3044 wrote to memory of 2976	3044	cmd.exe	Exclusively.pif
PID 3044 wrote to memory of 1452	3044	cmd.exe	choice.exe
PID 3044 wrote to memory of 1452	3044	cmd.exe	choice.exe
PID 3044 wrote to memory of 1452	3044	cmd.exe	choice.exe
PID 2976 wrote to memory of 4712	2976	Exclusively.pif	cmd.exe
PID 2976 wrote to memory of 4712	2976	Exclusively.pif	cmd.exe
PID 2976 wrote to memory of 4712	2976	Exclusively.pif	cmd.exe
PID 2976 wrote to memory of 4524	2976	Exclusively.pif	RegAsm.exe
PID 2976 wrote to memory of 4524	2976	Exclusively.pif	RegAsm.exe
PID 2976 wrote to memory of 4524	2976	Exclusively.pif	RegAsm.exe
PID 2976 wrote to memory of 4524	2976	Exclusively.pif	RegAsm.exe
PID 2976 wrote to memory of 4524	2976	Exclusively.pif	RegAsm.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\10cec8dbe0d9c07290686b0b232d34eb.exe
"C:\Users\Admin\AppData\Local\Temp\10cec8dbe0d9c07290686b0b232d34eb.exe"
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Compounds Compounds.cmd & Compounds.cmd & exit
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:3116

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:3972

C:\Windows\SysWOW64\cmd.exe
cmd /c md 377629
4⤵
- System Location Discovery: System Language Discovery
PID:1484

C:\Windows\SysWOW64\findstr.exe
findstr /V "DependencePitDistinctionMagazine" Bill
4⤵
- System Location Discovery: System Language Discovery
PID:3612

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Repair + ..\Transport + ..\Nightmare + ..\Preference Z
4⤵
- System Location Discovery: System Language Discovery
PID:3600

C:\Users\Admin\AppData\Local\Temp\377629\Exclusively.pif
Exclusively.pif Z
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
4⤵
- System Location Discovery: System Language Discovery
PID:1452

C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Software Name.url" & echo URL="C:\Users\Admin\AppData\Local\Developer Company\Software Name.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Software Name.url" & exit
2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:4712

C:\Users\Admin\AppData\Local\Temp\377629\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\377629\RegAsm.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\377629\Exclusively.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\377629\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\377629\Z

Filesize
319KB

MD5
61c8e4a53d862f4502cc3490538d0ddd

SHA1
ebd026715bfbdaf548295721e4b1833f92276a9c

SHA256
1a4bf99656a84777b586d32eec07af02915c9094f5834975a5090d0053437417

SHA512
3fa46734b0f38a21b6184279de72e71f2a57576dcf6f8560358fdbe375f03e09b393a25453f3356a0a36d21e7ddad19b5c67d150afd8b5db75187b08ae6a1136

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bill

Filesize
852B

MD5
ca036c516501cfea40550f1dd2083ffb

SHA1
7b1e68da3ec098276139ff5e41f363f9358f2616

SHA256
f3a31c8e4ce6eb047e47b4440dde191e9af852f4bf8c4193d4f4789111a7c63a

SHA512
15cb00191cfc5c86e3b85db300d490dd6b5cf90508711fb1b3caedc683d2f37a4c045c50bb82303978898b4b199c8b045fa9ac72cd798d876b067f40dfc0c037

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compounds

Filesize
16KB

MD5
3bd8a78d4a3e3bffb56e7eaf6c3613e9

SHA1
f6e3cfa1bb9f305a7e61c764a983e7537375f579

SHA256
2cd4d6de3239d3d0d48914fabecb16ad45f1fc35b90dba727497a7cb8a414be3

SHA512
3365fb24d95e3ddf5997dda669f839e2638eca8ba81b5a2f1460264407459e06a45f5f942f47ab4434ae9c9af0097282edf535189c13a8c54a0524e140b2a9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Documentation

Filesize
871KB

MD5
f221b62d4242bcdc0727c980e67cf58e

SHA1
0ef3b0cf9e338a6b46e458e4aba6497398e9782e

SHA256
8bd58b752809bb00d2e8e273910ee043e34c1721992e0bd3b137c583e13ee721

SHA512
441ab774598140dea821e829f6b6e9223a00887c45285563993f71ea650f71b045fdbc27db06c130c005498267feec2ba65d00f6d877a31ad4aa59602a07a9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nightmare

Filesize
84KB

MD5
92f006c731a52a3b855143d8d4a31f2a

SHA1
6b76572331f76667e9150bec29c5436ab1ef2605

SHA256
90778fa8b8a5d40fd8348dee26d9e0f5a36be85836dc4ee58d44e005568a632a

SHA512
ff4ddd5a73d0edc2287e79b2402465593fd314223dc5150ecc47159cbe77d0d0d2cdef4c7796e0408544bc4ec02d6ad78426096b782a5619364c36210c001e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Preference

Filesize
71KB

MD5
5cfa6e346271fdeb094ef2009994778a

SHA1
46a5446cf7a81d7dcdb75f0095a99333bc7ede4d

SHA256
c7f12dd667304cd4bd7ee219bfdbd0f970fa7873895dc25c35a100b40b2e4307

SHA512
fe8c4f4bc16040a84fb57998815d8b6e31047f1d41914fb3f09cdfab0d0049c33e98547d7c9b4517acf1c2950f146402a70c39d9db08c54e51712cdc31f8272f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Repair

Filesize
74KB

MD5
a5831e66d4648c8878e3ed153c9863ae

SHA1
3cb7307921cfb41aa4173a41d99bfe55fc385d42

SHA256
bb2ce027ba72db7aa2feadc08554887e2a0f052f20b6306ae5e1cce71c369777

SHA512
91103650f3c8692c7bf2933e74274f25cc5d6138855a221b317c7fdc5b82fa58db7c9d68d9c18de848619d5a1871fc353ef5ad45321c1b15a8345e2cb4a79c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transport

Filesize
90KB

MD5
c1af02c60d4947b70ae5dfe315392839

SHA1
5d0ec6e27df5002cbeaf28a1bf7ee47eb9bb5e5e

SHA256
d33330032014952f17852d9d89cf8760a9f1cfaafc5dc3b945d0c5668b9410f8

SHA512
3cdd3c91862cde45e50500bb4144e4ff152aec7b652f5391202098ea84908ef6de0e12bb9a65230f1ce2e524b96345812a3267e08e57fe8ce791978defaea7ce

Download Submit
memory/4524-29-0x0000000001170000-0x0000000001186000-memory.dmp

Filesize
88KB

Download
memory/4524-32-0x0000000005E20000-0x00000000063C4000-memory.dmp

Filesize
5.6MB

Download
memory/4524-33-0x0000000005A50000-0x0000000005AE2000-memory.dmp

Filesize
584KB

Download
memory/4524-34-0x0000000006510000-0x00000000065AC000-memory.dmp

Filesize
624KB

Download
memory/4524-35-0x0000000006640000-0x00000000066A6000-memory.dmp

Filesize
408KB

Download
memory/4524-36-0x00000000065C0000-0x00000000065CA000-memory.dmp

Filesize
40KB

Download