asyncrat | d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31b

General

Target

d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
Size

4.0MB
MD5

0bca1c34f121425ad181097f4401aa00
SHA1

b2450a936001d83c5029df4933b26d9b1732fc9c
SHA256

d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31b
SHA512

86b9beb0001553f9b898bc9ba130e39949642ae3d027b7fefc6f3252002ab62679de4f6eb70d00555b43f8131b3480821b3fc182f374fc53a479117140407340
SSDEEP

12288:jiG3ngP7iw2yTRruvLG2b2iGDMiGDiLuL:X3gTqURCqlDIDe

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

154.216.17.155:8808

154.216.17.155:7707

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
45
install
true
install_file
vscr.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\vscr.exe	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe

Executes dropped EXE 1 IoCs

Processes:

vscr.exe

pid process

2164 vscr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2164	vscr.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.execmd.execmd.exeschtasks.exetimeout.exevscr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vscr.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4908 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3360 schtasks.exe

pid	process
4908	timeout.exe

pid	process
3360	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe

pid	process
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exevscr.exe

description	pid	process
Token: SeDebugPrivilege	636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
Token: SeDebugPrivilege	2164	vscr.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.execmd.execmd.exe

description	pid	process	target process
PID 636 wrote to memory of 1272	636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe	cmd.exe
PID 636 wrote to memory of 1272	636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe	cmd.exe
PID 636 wrote to memory of 1272	636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe	cmd.exe
PID 636 wrote to memory of 2400	636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe	cmd.exe
PID 636 wrote to memory of 2400	636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe	cmd.exe
PID 636 wrote to memory of 2400	636	d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe	cmd.exe
PID 1272 wrote to memory of 3360	1272	cmd.exe	schtasks.exe
PID 1272 wrote to memory of 3360	1272	cmd.exe	schtasks.exe
PID 1272 wrote to memory of 3360	1272	cmd.exe	schtasks.exe
PID 2400 wrote to memory of 4908	2400	cmd.exe	timeout.exe
PID 2400 wrote to memory of 4908	2400	cmd.exe	timeout.exe
PID 2400 wrote to memory of 4908	2400	cmd.exe	timeout.exe
PID 2400 wrote to memory of 2164	2400	cmd.exe	vscr.exe
PID 2400 wrote to memory of 2164	2400	cmd.exe	vscr.exe
PID 2400 wrote to memory of 2164	2400	cmd.exe	vscr.exe

C:\Users\Admin\AppData\Local\Temp\d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe
"C:\Users\Admin\AppData\Local\Temp\d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "vscr" /tr '"C:\Users\Admin\AppData\Roaming\vscr.exe"' & exit
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "vscr" /tr '"C:\Users\Admin\AppData\Roaming\vscr.exe"'
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5743.tmp.bat""
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4908

C:\Users\Admin\AppData\Roaming\vscr.exe
"C:\Users\Admin\AppData\Roaming\vscr.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5743.tmp.bat

Filesize
148B

MD5
9a3d2ba34a77b58972e20e90cb86fdc3

SHA1
01d1194b2166078c034cb7107f8f3ed8e498159c

SHA256
2737dfab2f8816ae063e43fd0170cc86d2d31c609da7d372eb12469c55483286

SHA512
fbee035f1e827add5964325b4c9a3ffe3f72baaaebacb1aea818d83795c048d757805598598a27d1b98a8c2c73dd4ab0b6856a0b569601f9483733925d603ef5

Download Submit
C:\Users\Admin\AppData\Roaming\vscr.exe

Filesize
4.0MB

MD5
0bca1c34f121425ad181097f4401aa00

SHA1
b2450a936001d83c5029df4933b26d9b1732fc9c

SHA256
d995f4f7da717e21da338606f0ca494c6ad920b261114fb965be06d1fd1ad31b

SHA512
86b9beb0001553f9b898bc9ba130e39949642ae3d027b7fefc6f3252002ab62679de4f6eb70d00555b43f8131b3480821b3fc182f374fc53a479117140407340

Download Submit
memory/636-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/636-1-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/636-2-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/636-3-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/636-4-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/636-5-0x0000000005C20000-0x0000000005CBC000-memory.dmp

Filesize
624KB

Download
memory/636-10-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/2164-15-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/2164-16-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads