asyncrat | 406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70

General

Target

406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70N.exe
Size

63KB
MD5

6de5e8e61de16af71ce14a2d3fa1f850
SHA1

048d9a82336d8aa0831220bdc30b88b729efd995
SHA256

406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70
SHA512

a1391fe9c5618898a13cea0be45f1d75584ae077a2f86002e1ce7a5eb69f9fdddae9586825bfaa138610501d2df9b6849d69ec5c5c1def2e8c56498f2cb74b5e
SSDEEP

768:phqd2hP4Wo783IC8A+XqqazcBRL5JTk1+T4KSBGHmDbD/ph0oXRdiMy9qSusdpqM:+i4WkRdSJYUbdh9f/yfusdpqKmY7

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:1223

play-tapes.gl.at.ply.gg:1223

Attributes

delay
1
install
true
install_file
system32.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\system32.exe	family_asyncrat

Executes dropped EXE 1 IoCs

Processes:

system32.exe

pid process

2684 system32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2680 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2676 schtasks.exe

pid	process
2684	system32.exe

pid	process
2680	timeout.exe

pid	process
2676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70N.exe

pid	process
2500	406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70N.exe
2500	406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70N.exe
2500	406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70N.exesystem32.exe

description	pid	process
Token: SeDebugPrivilege	2500	406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70N.exe
Token: SeDebugPrivilege	2684	system32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70N.execmd.execmd.exe

description	pid	process	target process
PID 2500 wrote to memory of 1704	2500	406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70N.exe	cmd.exe
PID 2500 wrote to memory of 1704	2500	406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70N.exe	cmd.exe
PID 2500 wrote to memory of 1704	2500	406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70N.exe	cmd.exe
PID 2500 wrote to memory of 2128	2500	406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70N.exe	cmd.exe
PID 2500 wrote to memory of 2128	2500	406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70N.exe	cmd.exe
PID 2500 wrote to memory of 2128	2500	406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70N.exe	cmd.exe
PID 1704 wrote to memory of 2676	1704	cmd.exe	schtasks.exe
PID 1704 wrote to memory of 2676	1704	cmd.exe	schtasks.exe
PID 1704 wrote to memory of 2676	1704	cmd.exe	schtasks.exe
PID 2128 wrote to memory of 2680	2128	cmd.exe	timeout.exe
PID 2128 wrote to memory of 2680	2128	cmd.exe	timeout.exe
PID 2128 wrote to memory of 2680	2128	cmd.exe	timeout.exe
PID 2128 wrote to memory of 2684	2128	cmd.exe	system32.exe
PID 2128 wrote to memory of 2684	2128	cmd.exe	system32.exe
PID 2128 wrote to memory of 2684	2128	cmd.exe	system32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70N.exe
"C:\Users\Admin\AppData\Local\Temp\406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70N.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system32" /tr '"C:\Users\Admin\AppData\Roaming\system32.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "system32" /tr '"C:\Users\Admin\AppData\Roaming\system32.exe"'
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1DBE.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2680

C:\Users\Admin\AppData\Roaming\system32.exe
"C:\Users\Admin\AppData\Roaming\system32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1DBE.tmp.bat

Filesize
152B

MD5
25fad223963431dc6c21a542ac7e191e

SHA1
882b142a2ddf5e5f0ceef00b7f511771c39dfa60

SHA256
83341aa92d38fc3603f864b2ea6abbf056732afe6e3e28f2fb149792ffa4d323

SHA512
36ec049e02595d92916c6d13e2affc83017b4516db6bb130ff1d489d1a059bf8bfddf3b6a4b564084c11ed57c5a53023bf8bc7682c38b236e4121ed4053740d1

Download Submit
C:\Users\Admin\AppData\Roaming\system32.exe

Filesize
63KB

MD5
6de5e8e61de16af71ce14a2d3fa1f850

SHA1
048d9a82336d8aa0831220bdc30b88b729efd995

SHA256
406003369cdaa1265adbee0949af5c9159b63f2f3f109729074f34951e706f70

SHA512
a1391fe9c5618898a13cea0be45f1d75584ae077a2f86002e1ce7a5eb69f9fdddae9586825bfaa138610501d2df9b6849d69ec5c5c1def2e8c56498f2cb74b5e

Download Submit
memory/2500-0-0x000007FEF6063000-0x000007FEF6064000-memory.dmp

Filesize
4KB

Download
memory/2500-1-0x00000000003C0000-0x00000000003D6000-memory.dmp

Filesize
88KB

Download
memory/2500-2-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2500-3-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2500-13-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-17-0x0000000001290000-0x00000000012A6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads