asyncrat | 519f3ceedba4471f3d5178451c1007911145fb6eaf4e259a2c29b8e3483dabb1

General

Target

file.exe
Size

63KB
MD5

9eb074e0713a33f7a6e499b0fbf2484c
SHA1

132ca59a5fb654c3d0794f92f05eaf43e3a7af94
SHA256

519f3ceedba4471f3d5178451c1007911145fb6eaf4e259a2c29b8e3483dabb1
SHA512

367fbbf6f058ef21367e329c8b0373d482c9c97dfbb42a67b17c9b1dc1d0139ae879c8ddb87b0960c5545746610d2c5690343abb458818c2dea9dbca66f39794
SSDEEP

1536:JKh54k58k/GWZOKuvUYFgF4yY5biArLdcKgtiCrITGFx:JK/4k58kAKuvUYFgF4yY5bikcltiCOGx

Score

10^/10

asyncrat solarafake discovery rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

SolaraFake

C2

anyone-blogging.gl.at.ply.gg:22284

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
Windows.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows.exe	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

file.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation file.exe
Executes dropped EXE 1 IoCs

Processes:

Windows.exe

pid process

4724 Windows.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	file.exe

pid	process
4724	Windows.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

file.execmd.execmd.exeschtasks.exetimeout.exeWindows.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4220 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1012 schtasks.exe

pid	process
4220	timeout.exe

pid	process
1012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

file.exe

pid	process
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe
1692	file.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

file.exeWindows.exe

description pid process

Token: SeDebugPrivilege 1692 file.exe
Token: SeDebugPrivilege 4724 Windows.exe

description	pid	process
Token: SeDebugPrivilege	1692	file.exe
Token: SeDebugPrivilege	4724	Windows.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

file.execmd.execmd.exe

description	pid	process	target process
PID 1692 wrote to memory of 4196	1692	file.exe	cmd.exe
PID 1692 wrote to memory of 4196	1692	file.exe	cmd.exe
PID 1692 wrote to memory of 4196	1692	file.exe	cmd.exe
PID 1692 wrote to memory of 4292	1692	file.exe	cmd.exe
PID 1692 wrote to memory of 4292	1692	file.exe	cmd.exe
PID 1692 wrote to memory of 4292	1692	file.exe	cmd.exe
PID 4196 wrote to memory of 1012	4196	cmd.exe	schtasks.exe
PID 4196 wrote to memory of 1012	4196	cmd.exe	schtasks.exe
PID 4196 wrote to memory of 1012	4196	cmd.exe	schtasks.exe
PID 4292 wrote to memory of 4220	4292	cmd.exe	timeout.exe
PID 4292 wrote to memory of 4220	4292	cmd.exe	timeout.exe
PID 4292 wrote to memory of 4220	4292	cmd.exe	timeout.exe
PID 4292 wrote to memory of 4724	4292	cmd.exe	Windows.exe
PID 4292 wrote to memory of 4724	4292	cmd.exe	Windows.exe
PID 4292 wrote to memory of 4724	4292	cmd.exe	Windows.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Local\Temp\Windows.exe"' & exit
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4196

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Local\Temp\Windows.exe"'
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9CBD.tmp.bat""
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4220

C:\Users\Admin\AppData\Local\Temp\Windows.exe
"C:\Users\Admin\AppData\Local\Temp\Windows.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Windows.exe

Filesize
63KB

MD5
9eb074e0713a33f7a6e499b0fbf2484c

SHA1
132ca59a5fb654c3d0794f92f05eaf43e3a7af94

SHA256
519f3ceedba4471f3d5178451c1007911145fb6eaf4e259a2c29b8e3483dabb1

SHA512
367fbbf6f058ef21367e329c8b0373d482c9c97dfbb42a67b17c9b1dc1d0139ae879c8ddb87b0960c5545746610d2c5690343abb458818c2dea9dbca66f39794

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9CBD.tmp.bat

Filesize
154B

MD5
bff4e56bb3368c158fe1c3edc50481f7

SHA1
dd7edc29f3fb074e5e55a1eb1c0d05d478b8d961

SHA256
ed77bd6f174691cbdae899ba07454c7ce8d45c5d168a26b03fe57a5212bbdc6f

SHA512
35c94d4747e32d019a64f945d4fcb694913bb1b00a7594280d35b24ed29d5dd89d07c69afaddea999e058dd3cc39b9b542e16d220290200422ee81ce9133cbe1

Download Submit
memory/1692-0-0x000000007542E000-0x000000007542F000-memory.dmp

Filesize
4KB

Download
memory/1692-1-0x0000000000A90000-0x0000000000AA6000-memory.dmp

Filesize
88KB

Download
memory/1692-2-0x0000000075420000-0x0000000075BD0000-memory.dmp

Filesize
7.7MB

Download
memory/1692-3-0x0000000005520000-0x00000000055BC000-memory.dmp

Filesize
624KB

Download
memory/1692-8-0x0000000075420000-0x0000000075BD0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-13-0x0000000075420000-0x0000000075BD0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-14-0x0000000075420000-0x0000000075BD0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-15-0x0000000075420000-0x0000000075BD0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads