asyncrat | 0429ded8b46f1ce83217e9a7c4068b36c093d432158f8234fdb8bacdad87511b

General

Target

Main.exe
Size

58KB
MD5

2ee7452d65eff7d6baf5f4798295c649
SHA1

cd303cf57ec43b721089b32f633a2c0525f510af
SHA256

0429ded8b46f1ce83217e9a7c4068b36c093d432158f8234fdb8bacdad87511b
SHA512

18358173371e1a655138f9a1aa2ceb6ab047043ad6f5ff4ca82b138dbf3fa0c4d3892a5dfe09c224ab50f7ee3be807f038aea20d5891fcf34efed852cfd7d684
SSDEEP

1536:rEK62SSTTFBfmEJSbldUkgqjry/XAFzf+:gKt5BXSbl0Wr2XAJm

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

SuperBoo Rat v1.1

Botnet

Default

C2

week-dictionary.gl.at.ply.gg:12466

Mutex

SuperBoo_mtex_920393

Attributes

delay
3
install
true
install_file
PowerShell.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\PowerShell.exe	family_asyncrat

Executes dropped EXE 1 IoCs

Processes:

PowerShell.exe

pid process

2540 PowerShell.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exeWerFault.exe

pid process

2700 cmd.exe
2612 WerFault.exe
2612 WerFault.exe
2612 WerFault.exe
2612 WerFault.exe
2612 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2612 2540 WerFault.exe PowerShell.exe

pid	process
2540	PowerShell.exe

pid	process
2700	cmd.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe

pid	pid_target	process	target process
2612	2540	WerFault.exe	PowerShell.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

timeout.exePowerShell.exeMain.execmd.execmd.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerShell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2408 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2560 schtasks.exe

pid	process
2408	timeout.exe

pid	process
2560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

Main.exePowerShell.exe

pid	process
3028	Main.exe
3028	Main.exe
3028	Main.exe
3028	Main.exe
3028	Main.exe
3028	Main.exe
3028	Main.exe
3028	Main.exe
3028	Main.exe
2540	PowerShell.exe
2540	PowerShell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Main.exePowerShell.exe

description pid process

Token: SeDebugPrivilege 3028 Main.exe
Token: SeDebugPrivilege 2540 PowerShell.exe

description	pid	process
Token: SeDebugPrivilege	3028	Main.exe
Token: SeDebugPrivilege	2540	PowerShell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Main.execmd.execmd.exePowerShell.exe

description	pid	process	target process
PID 3028 wrote to memory of 2688	3028	Main.exe	cmd.exe
PID 3028 wrote to memory of 2688	3028	Main.exe	cmd.exe
PID 3028 wrote to memory of 2688	3028	Main.exe	cmd.exe
PID 3028 wrote to memory of 2688	3028	Main.exe	cmd.exe
PID 3028 wrote to memory of 2700	3028	Main.exe	cmd.exe
PID 3028 wrote to memory of 2700	3028	Main.exe	cmd.exe
PID 3028 wrote to memory of 2700	3028	Main.exe	cmd.exe
PID 3028 wrote to memory of 2700	3028	Main.exe	cmd.exe
PID 2688 wrote to memory of 2560	2688	cmd.exe	schtasks.exe
PID 2688 wrote to memory of 2560	2688	cmd.exe	schtasks.exe
PID 2688 wrote to memory of 2560	2688	cmd.exe	schtasks.exe
PID 2688 wrote to memory of 2560	2688	cmd.exe	schtasks.exe
PID 2700 wrote to memory of 2408	2700	cmd.exe	timeout.exe
PID 2700 wrote to memory of 2408	2700	cmd.exe	timeout.exe
PID 2700 wrote to memory of 2408	2700	cmd.exe	timeout.exe
PID 2700 wrote to memory of 2408	2700	cmd.exe	timeout.exe
PID 2700 wrote to memory of 2540	2700	cmd.exe	PowerShell.exe
PID 2700 wrote to memory of 2540	2700	cmd.exe	PowerShell.exe
PID 2700 wrote to memory of 2540	2700	cmd.exe	PowerShell.exe
PID 2700 wrote to memory of 2540	2700	cmd.exe	PowerShell.exe
PID 2540 wrote to memory of 2612	2540	PowerShell.exe	WerFault.exe
PID 2540 wrote to memory of 2612	2540	PowerShell.exe	WerFault.exe
PID 2540 wrote to memory of 2612	2540	PowerShell.exe	WerFault.exe
PID 2540 wrote to memory of 2612	2540	PowerShell.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Main.exe
"C:\Users\Admin\AppData\Local\Temp\Main.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "PowerShell" /tr '"C:\Users\Admin\AppData\Roaming\PowerShell.exe"' & exit
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "PowerShell" /tr '"C:\Users\Admin\AppData\Roaming\PowerShell.exe"'
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1C18.tmp.bat""
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2408

C:\Users\Admin\AppData\Roaming\PowerShell.exe
"C:\Users\Admin\AppData\Roaming\PowerShell.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 540
4⤵
- Loads dropped DLL
- Program crash
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1C18.tmp.bat

Filesize
154B

MD5
1a4350d6a3d03eae793dd600e5f3369c

SHA1
0a87481af1348c95283b19cf407fd30bca750f65

SHA256
8e0834623da998b1baaa160e02963ec79a7f326f9c9bd48b7015b103d6f149d6

SHA512
48a09f1978f4746de5d8bc7a06f5a81b9d9e344efdd4177b7377e54f613da1224ac5416bc2f1e218fe4ba3d8046d8952ab5d54ea528bfe338a6ede704c235582

Download Submit
\Users\Admin\AppData\Roaming\PowerShell.exe

Filesize
58KB

MD5
2ee7452d65eff7d6baf5f4798295c649

SHA1
cd303cf57ec43b721089b32f633a2c0525f510af

SHA256
0429ded8b46f1ce83217e9a7c4068b36c093d432158f8234fdb8bacdad87511b

SHA512
18358173371e1a655138f9a1aa2ceb6ab047043ad6f5ff4ca82b138dbf3fa0c4d3892a5dfe09c224ab50f7ee3be807f038aea20d5891fcf34efed852cfd7d684

Download Submit
memory/2540-16-0x0000000000B60000-0x0000000000B74000-memory.dmp

Filesize
80KB

Download
memory/3028-0-0x0000000073D1E000-0x0000000073D1F000-memory.dmp

Filesize
4KB

Download
memory/3028-1-0x0000000000230000-0x0000000000244000-memory.dmp

Filesize
80KB

Download
memory/3028-2-0x0000000073D10000-0x00000000743FE000-memory.dmp

Filesize
6.9MB

Download
memory/3028-11-0x0000000073D10000-0x00000000743FE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads