asyncrat | a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed

General

Target

a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
Size

258KB
MD5

c8ec3f5a2c12207a4783fd6104d02e3a
SHA1

cd75c093ccaa40eac3d136f323adc1ae39ff0b8e
SHA256

a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed
SHA512

cdfb1defdebfa609588a219dff39fd509901216182bb53e91abc6e32b6c9dd9b519576671962eeb38dde0d6de0c236ad8508ad90d91b7057f2a5a21cc2b64431
SSDEEP

6144:Xau1waoDb5akFjmNCuZWyfMoilBfrBs7orgSTUWI:Ku6aKFaguZW1oyNFgSTUr

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

154.216.17.207:7707

154.216.17.207:8808

154.216.17.207:1188

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
100
install
true
install_file
file.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe

Executes dropped EXE 3 IoCs

Processes:

file.exefile.exefile.exe

pid process

1736 file.exe
4424 file.exe
4864 file.exe

pid	process
1736	file.exe
4424	file.exe
4864	file.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exefile.exe

description	pid	process	target process
PID 3220 set thread context of 916	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
PID 3220 set thread context of 2828	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
PID 1736 set thread context of 4424	1736	file.exe	file.exe
PID 1736 set thread context of 4864	1736	file.exe	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exefile.exea507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.execmd.execmd.exeschtasks.exetimeout.exefile.exefile.exea507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

436 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1004 schtasks.exe

pid	process
436	timeout.exe

pid	process
1004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe

pid	process
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exea507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exefile.exe

description	pid	process
Token: SeDebugPrivilege	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
Token: SeDebugPrivilege	916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
Token: SeDebugPrivilege	1736	file.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exea507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.execmd.execmd.exefile.exe

description	pid	process	target process
PID 3220 wrote to memory of 916	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
PID 3220 wrote to memory of 916	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
PID 3220 wrote to memory of 916	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
PID 3220 wrote to memory of 916	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
PID 3220 wrote to memory of 916	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
PID 3220 wrote to memory of 916	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
PID 3220 wrote to memory of 916	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
PID 3220 wrote to memory of 916	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
PID 3220 wrote to memory of 2828	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
PID 3220 wrote to memory of 2828	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
PID 3220 wrote to memory of 2828	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
PID 3220 wrote to memory of 2828	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
PID 3220 wrote to memory of 2828	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
PID 3220 wrote to memory of 2828	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
PID 3220 wrote to memory of 2828	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
PID 3220 wrote to memory of 2828	3220	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
PID 916 wrote to memory of 1812	916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	cmd.exe
PID 916 wrote to memory of 1812	916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	cmd.exe
PID 916 wrote to memory of 1812	916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	cmd.exe
PID 916 wrote to memory of 4300	916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	cmd.exe
PID 916 wrote to memory of 4300	916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	cmd.exe
PID 916 wrote to memory of 4300	916	a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe	cmd.exe
PID 1812 wrote to memory of 1004	1812	cmd.exe	schtasks.exe
PID 1812 wrote to memory of 1004	1812	cmd.exe	schtasks.exe
PID 1812 wrote to memory of 1004	1812	cmd.exe	schtasks.exe
PID 4300 wrote to memory of 436	4300	cmd.exe	timeout.exe
PID 4300 wrote to memory of 436	4300	cmd.exe	timeout.exe
PID 4300 wrote to memory of 436	4300	cmd.exe	timeout.exe
PID 4300 wrote to memory of 1736	4300	cmd.exe	file.exe
PID 4300 wrote to memory of 1736	4300	cmd.exe	file.exe
PID 4300 wrote to memory of 1736	4300	cmd.exe	file.exe
PID 1736 wrote to memory of 4424	1736	file.exe	file.exe
PID 1736 wrote to memory of 4424	1736	file.exe	file.exe
PID 1736 wrote to memory of 4424	1736	file.exe	file.exe
PID 1736 wrote to memory of 4424	1736	file.exe	file.exe
PID 1736 wrote to memory of 4424	1736	file.exe	file.exe
PID 1736 wrote to memory of 4424	1736	file.exe	file.exe
PID 1736 wrote to memory of 4424	1736	file.exe	file.exe
PID 1736 wrote to memory of 4424	1736	file.exe	file.exe
PID 1736 wrote to memory of 4864	1736	file.exe	file.exe
PID 1736 wrote to memory of 4864	1736	file.exe	file.exe
PID 1736 wrote to memory of 4864	1736	file.exe	file.exe
PID 1736 wrote to memory of 4864	1736	file.exe	file.exe
PID 1736 wrote to memory of 4864	1736	file.exe	file.exe
PID 1736 wrote to memory of 4864	1736	file.exe	file.exe
PID 1736 wrote to memory of 4864	1736	file.exe	file.exe
PID 1736 wrote to memory of 4864	1736	file.exe	file.exe

C:\Users\Admin\AppData\Local\Temp\a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
"C:\Users\Admin\AppData\Local\Temp\a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3220

C:\Users\Admin\AppData\Local\Temp\a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
C:\Users\Admin\AppData\Local\Temp\a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "file" /tr '"C:\Users\Admin\AppData\Roaming\file.exe"' & exit
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "file" /tr '"C:\Users\Admin\AppData\Roaming\file.exe"'
4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1B1F.tmp.bat""
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:436

C:\Users\Admin\AppData\Roaming\file.exe
"C:\Users\Admin\AppData\Roaming\file.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Roaming\file.exe
C:\Users\Admin\AppData\Roaming\file.exe
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4424

C:\Users\Admin\AppData\Roaming\file.exe
C:\Users\Admin\AppData\Roaming\file.exe
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4864

C:\Users\Admin\AppData\Local\Temp\a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
C:\Users\Admin\AppData\Local\Temp\a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe
2⤵
- System Location Discovery: System Language Discovery
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed.exe.log

Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B1F.tmp.bat

Filesize
148B

MD5
5748ad83eee49c15642345c2861ec942

SHA1
0a6bbb899d318535aa9aff2cf0f0c23772be06af

SHA256
d70378dc72b1b7a7cec2d8bc909f7a595a65c8b922e3fb9c1b0797409fe8b30a

SHA512
0a7ec1176e13cf9871b76ab357f8da2640e47a950e366c6c45f8b2fd037d3e3c208cc282ca487c2247c7b8cd3949af9315da73655a39e5f88b1a21e655b2bdab

Download Submit
C:\Users\Admin\AppData\Roaming\file.exe

Filesize
258KB

MD5
c8ec3f5a2c12207a4783fd6104d02e3a

SHA1
cd75c093ccaa40eac3d136f323adc1ae39ff0b8e

SHA256
a507c03e0b88aee3b3ad83f5ad5302b93bdea090e352357bee2e9220164113ed

SHA512
cdfb1defdebfa609588a219dff39fd509901216182bb53e91abc6e32b6c9dd9b519576671962eeb38dde0d6de0c236ad8508ad90d91b7057f2a5a21cc2b64431

Download Submit
memory/916-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/916-25-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/916-20-0x0000000005050000-0x00000000050B6000-memory.dmp

Filesize
408KB

Download
memory/916-18-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/916-15-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/916-12-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/2828-17-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/2828-16-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/2828-13-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/2828-21-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/3220-7-0x0000000007050000-0x00000000070E2000-memory.dmp

Filesize
584KB

Download
memory/3220-8-0x0000000006EB0000-0x0000000006EB6000-memory.dmp

Filesize
24KB

Download
memory/3220-0-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

Filesize
4KB

Download
memory/3220-6-0x0000000007560000-0x0000000007B04000-memory.dmp

Filesize
5.6MB

Download
memory/3220-5-0x0000000006F10000-0x0000000006FAC000-memory.dmp

Filesize
624KB

Download
memory/3220-4-0x0000000006E30000-0x0000000006E70000-memory.dmp

Filesize
256KB

Download
memory/3220-14-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/3220-3-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/3220-2-0x0000000004900000-0x0000000004906000-memory.dmp

Filesize
24KB

Download
memory/3220-1-0x0000000000110000-0x000000000015A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads